JTLP Spring 2001 Edition
Vol 6                               Spring 2001                               Issue 1
 Return to Table of Contents
Citation Information

PROTECTING VALUABLE COMMERCIAL INFORMATION IN THE DIGITAL AGE:
LAW, POLICY AND PRACTICE

Dr Jacqueline Lipton[*]

[p1] The growing importance and value placed on information and ideas in the global information economy, coupled with the fact that these assets are now generally stored electronically, creates an increasing need to protect them through legal and other means from unauthorized use and interference. Given the somewhat chequered history of ‘market regulation’ and the availability of civil law remedies in this area, it is now arguably necessary to consider the extent to which governments should assist in the protection of these valuable intangibles. Such protection may take a variety of forms including: (1) enhancing the effectiveness of currently available civil actions; (2) development of criminal sanctions more directly targeted at theft of valuable information; (3) technological measures; and/or (4) public education. This paper examines the possibilities of governments [1] utilizing a variety of these measures to provide the types and levels of protection required by commercial parties in the modern world with respect to their valuable trade secrets. In so doing, it takes a comparative look at approaches to these issues to date in a variety of jurisdictions with particular reference to the United Kingdom, the United States and Australia. It also examines the potential impact of globalization on suggested future developments in this area.

I. Introduction: Information as a Valuable Asset and the Need to Protect it

[p2] It is now becoming trite to say that there is a growing need within societies the world over effectively to protect valuable intangibles against unauthorized interference and use. This is largely a result of moves from a product-based economy to an information and service based economy, at least throughout the developed world. Where information and services take on a central role in the activities of a business the need for that business to protect the integrity of its systems and the information contained therein increases dramatically.

In this context, the role of intellectual property law has significantly expanded with copyright and patent protection being extended to items like computer software and software-related inventions. [2] Special sui generis intellectual property rights are also developing in this area. [3] A good example is the recently implemented Database Directive in the European Union [4] to give some comfort to compilers of electronic and other databases in circumstances where it was thought that those databases might not otherwise have been appropriately protected against unauthorized copying by existing copyright laws. [5]

[p3] Easy as it is to accept the need for efficient and cost-effective protection of ‘valuable intangibles’, the term itself may connote a number of different classes of things. [6] Some of these may fall within existing classes of intellectual property and others are more amorphous. [7] Clearly the holders of information that has been reduced to some material form for the first time may assert a proprietary copyright interest in that form or record under the copyright legislation in most jurisdictions. [8] Developers of inventions who have gone to the trouble and expense of obtaining a patent may assert the statutory monopoly over it, [9] again as a personal property right, for the duration of the patent period, subject to effective challenge to the validity of the patent. [10] People and businesses who have registered certain names, marks and logos under trade mark legislation may likewise assert proprietary rights in those items to the extent permitted by the legislation in the relevant jurisdiction. [11]

However, there are a number of other valuable intangibles that do not attract a property (or “intellectual property”) label at law nor do they have specific legislation devoted to their regulation and protection. [12] These might include:

[p4] (a) aspects of computer systems that are not protected by copyright or patent legislation for lack of originality or patentability; [13]
(b) electronic forms of money and payment which may not meet statutory definitions of 'money' for regulatory purposes; [14]
(c) telecommunications services;[15]
(d) Internet domain names which are not the same as trade marks per se although particular domain names may overlap with one or more registered marks; [16] and,
(e) valuable confidential information and trade secrets. [17]

Interesting legal and regulatory issues are certainly arising in the context of all of these forms of valuable intangibles, including questions about the extent to which these items should be considered ‘property’ and protected in terms of the exclusive ownership and use concepts so familiar in property law. [18] However, this paper focuses on the final group of intangibles listed above – valuable confidential information and trade secrets, particularly when stored within a computer system. The reason for this focus is that it is perhaps the most pressing area in which development and reform is needed. [19] This is partly because of the unsatisfactory history of legal systems the world over in protecting valuable information over the course of the previous century and partly [p5] because of the need for the law specifically to address issues relating to the protection of the integrity of digital storage systems. [20]

This paper focuses on the protection of commercial information in particular because it is in that area that the law has been found wanting in most major trading jurisdictions. [21] This is evident in relation to small to medium scale businesses. [22] Such businesses are often faced with the daunting task of bringing costly and time-consuming civil actions in an attempt to protect trade secrecy and enforce obligations of confidence against employees, ex-employees and others who may have had access to their valuable commercial information. Increasingly such entities are being faced with new problems of identifying and taking proceedings against ‘hackers’ who break into their computer systems often with the aim of ‘stealing’ valuable information. [23]

The type of valuable information contemplated here falls into a number of categories, including:

1. ideas that have not been developed or reduced to material form for the purposes of patent or copyright law; [24]
2. an invention that has been kept ‘secret’ to protect its value rather than being patented and disclosed to the public; [25]
3. other technical commercial information such as details about designs, construction, operation of a machine or process, business plans, business methods etc; [26]
4. confidential information about customers and their requirements; [27] and,
5. information pertaining to the operation of computer systems and software. [28]

[p6] This list is not exhaustive but it gives some indication of the type of commercially valuable information that businesses may want to protect against unauthorized use or interference from third parties.

This paper focuses on the shortcomings of existing forms of civil action [29] and some more recent forms of criminal legislation [30] in protecting such information and ideas and examines the possibility of action by governments to assist in the protection of such valuable business assets. “Government” here refers generically to the different arms of government including the executive, the legislature and the judiciary.

The ‘action’ in question may take a number of forms including the provision of funds to assist with civil actions or the enactment of new forms of intellectual property legislation more effectively to protect such assets. [31] It might involve the enactment and active enforcement of appropriate new criminal sanctions. [32] It could also involve public education about technological and other means for better securing ‘information assets’ against outside interference. [33] Governments may also become involved in developing technological solutions to some of these problems. One example of such technical involvement would be setting up a government agency to act as a ‘trusted third party’ (‘TTP’) in a public key digital encryption program to protect the privacy and security of electronic communications. [34] Such an agency could be government guaranteed against security lapses resulting in commercial damage to a participant in the system if a government was amenable.

These options may be pursued independently or in concert by governments willing to devote resources to enhancing the privacy and security of information and ideas, particularly those stored in and [p7] communicated to others through electronic networks. This obviously raises the question as to why any government would want to devote resources to such potentially costly undertakings with so little immediate monetary reward apparent. There are a number of potential answers to this question. One of the most obvious is that part of the role of government is to act in line with society’s expectations. Without going into a general essay on jurisprudence and the functions of the law, it must certainly be accepted that it is the government’s role to set standards, restrict and punish antisocial behavior and enforce social mores. [35] There is no doubt that over the last century society has considered particular information and ideas kept confidential in a commercial context as worthy of legal protection. One only has to look at the history of civil litigation in the area in most of the major trading jurisdictions around the world. [36]

Another reason why governments perhaps should take/maintain an interest in assisting with the protection of valuable information and ideas against unlawful use and interference is the ‘chilling effect’ that is perhaps occurring even now in relation to the development of such information and ideas. Where commercial parties cannot be certain that their interests will be adequately protected by laws and governments, this may create disincentives for development in relevant areas of commerce. [37] It has always been the case that many commercial parties have relied heavily on trade secrecy laws, and more importantly even, the ability to keep information and ideas physically secure to protect their value. [38]

However, with the increasing storage of valuable information electronically, the risk of unlawful interference with the information arguably increases due to the networked nature of most computer systems. [39] It is possible for clever wrongdoers to break into the hard-drive of a remote computer, although a certain level of technical skill is required to do so. [40] Thus, arguably, information stored electronically in the modern world may be even less secure than that stored on paper in a locked filing cabinet in years gone by. It is also worth here noting that not all ‘hackers’ are interested in stealing valuable information. [41] Many are more interested [p8] in the pure technical challenge of breaching the integrity of a system. [42] Others might aim to plant ‘bombs’, ‘worms’ and/or ‘viruses’ into a system. [43] A victim of such conduct may not even have the means to ascertain whether any information has been actually accessed or perused by the intruder in the course or his or her other activities.

Thus, modern legislatures have had more to deal with than the simple question of access to valuable information. The question of trespassing in a computer environment raises a myriad of issues from electronic vandalism to privacy concerns to theft of trade secrets. [44] It may be that the laws relating to protection of trade secrets have to be moved into, or at least duplicated in a modified form within, sections of statute books dealing with “computer trespass” more generally. Protection of such information may well become but one aspect of a legislative program designed to deal with the much broader area of wrongful conduct within a computer environment. In fact, criminal sanctions emerging in a number of jurisdictions around the world do evidence such an approach. [45] That is to say, the focus of the law seems to be shifting from protection of information per se to protection of the integrity of a ‘computer environment’ in many circumstances.[46] As discussed below, only time will tell how effective this approach might be.

The remainder of this paper considers ways in which valuable information has been protected by civil and criminal laws in various jurisdictions, with particular reference to differences in approach between Anglo-Australian law and United States law. It further examines the extent to which these legal protections have been extended effectively to cover the needs of an ‘information society’. [47] It identifies the ‘gaps’ in current legal protections in the area of preventing and/or compensating [p9] commercial parties for unauthorized interference with or use of valuable commercial secrets, particularly those stored in or otherwise connected to computer systems. Finally, it considers possible approaches to remedy some of the problems here, with the particular aim of protecting smaller commercial parties who may not have the time or resources to bring prolonged and expensive civil actions. [48] Some concluding observations are also made about the impact of globalization and internationalization on this area of law and commercial practice.

II. Legal Protection of Valuable Commercial Information

A. Valuable Information as ‘Property’

As noted above, not all valuable intangibles in the modern market place are appropriately categorized as ‘property’ under present laws. [49] This means that approaches to their regulation and protection from third party interference will often be different to those that have arisen in the context of standard real and personal property law to date. [50] Confidential information and trade secrets are clearly not property in the traditional legal sense relating to physical property. [51]

However, some legal systems are more prepared to treat them as if they were ‘property’ than others. Courts and legislatures in the United Kingdom and Australia have been loathe to allow the legal idea of property to come anywhere near the legal basis for the protection of trade secrecy. [52] Attempts to label trade secrets as ‘property’ are consistently rejected by judges who have historically based any judicial protection of such secrets on notions of contract law and on ideas of good faith and fiduciary relationships. [53] The idea is to protect the secrecy of that which the plaintiff has taken all reasonable steps to keep secret, including the use of confidentiality undertakings and other measures that might ‘bind the conscience’ of the defendant in equity. [54]

[p10] It has been suggested by commentators that the better way to conceive of the English and Australian approach to the civil action to remedy breach of confidence is to accept that:

[I]t is not information per se, nor any intrinsic qualities of confidential information, which the courts are protecting. Rather, it is the intangible notion of a confidence, which is formed by the communication of confidential information for a limited purpose, and which therefore exists in relation to information. [55]

Obviously one of the shortcomings of this view is that it does not readily explain why courts in the United Kingdom and Australia have been prepared to enforce the action for breach of confidence against dishonest third parties who have shared no relationship of confidence with the plaintiff. [56] The prime example is where commercial information has been ‘stolen’ from the plaintiff by the defendant, rather than disclosed under circumstances of confidence. [57] In the United Kingdom and Australia, courts have been prepared to impute a duty of confidence in the former situation, but on a somewhat tenuous footing given the historical basis for the action. [58] As noted above, it is really these ‘third party theft’ scenarios that are likely to be of increasing concern to commercial players in the computer age. [59] In this context, there always seem to be significant practical risks in storing information in computer systems even where security measures have been carefully built into the system.

To be fair to the development of trade secrecy laws in the United Kingdom and Australia, they did develop through the court systems in line with the needs and expectations of the respective societies at particular points in time. Further, there have been sound policy reasons advanced as to why valuable confidential information should not be equated with legal property. These include:

1. The need to balance a person’s or corporation’s privacy with the need for freedom of information and freedom of expression has been suggested as a relevant consideration here. [60] If it were possible for all sensitive information to be regarded as property this could cause significant [p11] difficulty, particularly in terms of drawing lines between what level of sensitive information should be property and what level should not merit such a label. [61]
2. Attaching a ‘property’ label to sensitive information does not automatically solve all of the problems related to unfair dealings in information. For example, calling information ‘property’ will not automatically attract standard criminal sanctions against theft or wrongful misappropriation of property. [62] This is because most theft laws are formulated such that the wrongdoer must have an ‘intention to permanently deprive’ the victim of the property in question. [63] This clearly cannot be satisfied in the case of an alleged ‘theft’ of valuable information as it can exist in more than one place at a time so the wrongful taking of the information does not, as a consequence, permanently deprive the victim of the information, although (s)he may be substantially deprived of its commercial value. [64]

These concerns perhaps reflect the fact that trade secret laws have developed in the United Kingdom and Australia through the courts rather than by legislation to date. [65] Clearly the concerns can be addressed by carefully drafted legislation to a certain extent as has been the case in various jurisdictions within the United States. [66] However, courts are limited to addressing issues arising on the facts at hand and have arguably, in Australia and the United Kingdom at least, been somewhat conservative about making attempts to update the legal nature of valuable information in line with society’s expectations. [67]

In any event, and as the following discussion demonstrates, in the modern global economy the above objections to ‘propertizing’ information do not necessarily outweigh the needs of the information society in terms of protecting particularly valuable commercial information against unauthorized interference and use. [68] The first objection (above) could readily be limited to personal as opposed to commercial information, [p12] although the point is taken that it may be difficult in some cases to work out exactly where to draw the line between the two. The second objection is addressed below. The answer to date in many jurisdictions seems to have been to re-draft existing criminal laws or to enact new forms of criminal laws specifically targeted at unlawful misappropriation of valuable trade secrets. [69] The problem has been more with the effective enforcement of such sanctions than with the readiness of legislatures to take the issue on board and enact the relevant legislation. [70]

There have certainly been those who have argued that it is time for a change in approach to the protection of valuable commercial information in jurisdictions such as Australia and the United Kingdom. Professors McKeough and Stewart have suggested that:

It might … be argued that it does not matter in practice whether or not secret information is treated as property. The answer to that is twofold. In the first place, concentration on confidentiality (even in a remedial sense) rather than property can conceivably make a difference to liability – as to standing to bring suit, for instance. It certainly matters whether information is ‘property’ in the context of the law of stamp duties, to take one mundane but practically significant example. But more generally, there is the observation that the practice of clinging to an outmoded concept – and confidentiality, as the sole basis for information protection, increasingly appears to be just that – can only be harmful in the long run. If the courts are to fashion remedies to protect information against more than broken confidences and if they are to confront the important policy issues involved, an open acknowledgement of the true basis for those remedies seems indispensable. [71]

In an earlier part of their discussion they also note that United States courts have not been so limited in their characterization of valuable commercial information. [72] This assertion might, in fact, be open to debate given the analysis of the issue by some American commentators. [73] The following description of the nature of trade secrets in the United States by Professor Nimmer seems to suggest that the attributes of information protected by the laws of the United States may in fact be quite similar to [p13] those protected in the United Kingdom and Australia, despite the differences in labeling:

Trade secrets are described as property in a number of different contexts, including the many state criminal laws dealing with theft of trade secrets. Describing a secret as a form of property is particularly useful in analyzing the circumstances under which trade secrets can be conveyed through a license, assignment, or sale. Such a description is also relevant in dealing with tax issues. However, describing a trade secret as property can create misleading inferences. The idea of property is itself ambiguous. Describing something as a property right often means that the owner has a legal right to exclude all others from using or exercising control over the property. For traditional types of property, this view has numerous exceptions; for trade secrets, the exceptions also define the general rule.

In trade secrecy, the right to exclude others depends on the secrecy maintained by the owner of the secret and by the confidentiality he or she imposes on those to whom the secret is revealed. Trade secret law conveys no exclusive rights independent of these factors. Therefore, it does not preclude independent discovery and subsequent use. The proprietary rights in a trade secret are linked to the legal concepts of misappropriation and breach of confidential relationships. The property interest arises through and is defined by the legal system’s willingness to enforce such relationships.

Thus when a trade secret is described as property, that is not to say that there is a property interest in the information such as could be enforced against the world at large. Rather, the value lies in the information and the network of secrecy and confidentiality agreements created around it by its “owner.” US law is willing to protect that value. [74]

Here, Professor Nimmer is clearly describing the United States approach to the protection of trade secrets as property in terms involving confidences between individuals and as being defined by the legal system’s willingness to enforce relationships of confidence. Perhaps this is one of the many examples of laws across jurisdictions differing in terminology, but agreeing substantially in substance. In fact, this is one reason why thinking about such issues on a ‘global scale’ and ultimately seeking international harmonization of legal approaches may not be as difficult a task as it might at first seem. [75]

[p14] In fact, it may be that the main area in which United States law diverges from Anglo-Australian law is the readiness of United States legislatures to deal with trade secret protection. [76] Intellectual property and criminal statutes in the United Kingdom and Australia have by and large steered clear of defining trade secrets and providing for their protection per se against unauthorized access and interference. [77] Most of the law dealing specifically with trade secrets has been left for judicial development by courts in their common law and equitable jurisdictions. [78]

On the other hand, legislatures in the United States have been prepared to tackle some of these issues more directly. The Uniform Trade Secrets Act is an obvious example dealing with the definition of a trade secret and providing a cause of action for obtaining such information through improper means. [79] Although such legislation may be difficult to enforce due to evidentiary problems and costs, it is at least a first step by legislatures in validating the notion that there should be legal protection for valuable commercial confidences against unauthorized interference.

Regardless, then, of whether a particular legal system defines trade secrets and valuable commercial information as ‘property’, there is clearly an analogy with property. [80] Obviously there is some attraction to the commercial community inherent in equating such valuable business assets with property and in protecting it on a similar basis to other forms of property. [81]

In any event, whether or not such information is equated with ‘property’ at law or in equity, it is clearly thought to merit legal protection against unauthorized interference and use if past judicial and legislative approaches are anything to go by. The next section of this paper gives a brief survey of the specifics of existing legal avenues for the protection of such information and identifies the shortcomings of these approaches to date. The final part of the discussion then considers how law and practice [p15] could be developed in the future to better meet the needs of the global information society in this regard.

B. Current Laws Protecting ‘Information Property Rights’

A number of laws, both civil and criminal, have developed over the centuries to protect rights in real and personal property in line with the expectations of the relevant societies at particular points in time. [82] These laws arise in areas as diverse as tort, [83] equity, [84] intellectual property [85] and criminal law. [86]

Some of the first laws concerned with real and personal property were civil actions that developed in tort law such as detinue, trespass and conversion, all dealing with unauthorized interference with real and personal property. [87] This included unauthorized presence on land and unauthorized use and transfer of property. Alongside these civil laws developed criminal laws of larceny, theft and, more recently, obtaining property by deception. [88] These are criminal sanctions in relation to similar activities, usually stealing property or encouraging a victim to part with property by deceptive means.

Clearly these laws, which still exist on the statute books of most legal systems, have extremely limited application in the field of trade secrets and other confidential information. [89] The notions of unauthorized use, transfer etc of property in these laws are generally premised on detracting from the plaintiff’s or victim’s use or possession of the thing in question. [90] For example, as noted above in the context of United Kingdom law, the basic laws relating to theft in most jurisdictions require the prosecution to show that the defendant had an intention to permanently deprive the victim [p16] of the property in question and did in fact so deprive the victim. [91] This is also an issue in the United States as noted by Professor Nimmer:

Traditional theft requires the defendant to take and carry away or exercise control over the property or at least attempt to do so by illegal means. This requirement makes sense when the subject of the theft is tangible, but information cannot be “taken” and “carried away” in the same sense that a car or jewelry can be taken. Reading, copying or memorizing information appropriates value, but leaves the information exactly where it began, in the possession of the owner. The belief that information theft is a crime led early criminal law to strained attempts to extend the idea of “taking” to exclude the necessity that the owner be deprived of the property or to look closely for peripheral copies taken by the criminal to fit this requirement. In the absence of these fortuitous events, taking information or services under older criminal statutes was not theft.

Traditional theft statutes also required that the defendant intend to permanently deprive the other party of the property. Copying a [computer] program or data does not meet this standard because the original owner is not permanently deprived of the program or data, but merely loses some control of the property. [92]

Professor Nimmer goes on to note that there are other ways for victims of wrongdoing involving their trade secrets to take legal recourse against the respective wrongdoers. [93] Of these, the most prominent is the action for breach of confidence which is usually founded in contract, tort or equity depending on the jurisdiction in question. [94] However, these actions are [p17] costly and time consuming and are often not a very attractive, nor even particularly viable, option for some smaller businesses without the capital to fund them. [95] This fact, coupled with the increasing social significance of interference with valuable information, particularly when stored in a computer system, [96] has led to the enactment of new forms of criminal law to counter some of the aforementioned problems. [97] These are detailed below.

Before considering these initiatives in criminal law, however, it is worth here noting that traditional intellectual property laws relating to patent, copyright and trade marks are of little to no relevance in a discussion of the protection of trade secrets against unauthorized use and interference. [98] Copyright law protects the form of expression of information without protecting the content of that information. [99] Trade mark law does not protect information, only names, marks and logos used by a business. [100]

Patents may only be employed to protect information in the context of a patentable invention [101] and, in a number of major trading jurisdictions such as the European Union, the threshold tests for patentability are quite high. [102] The United States has been more lenient than the European Union in the context of patenting information relating to things like computer software and mathematical algorithms in recent years. [103] Additionally, there may be scenarios in which holders of valuable information prefer to protect it through trade secrecy than patent law. [104] This is because patent law involves both a broad public disclosure of the information and a loss [p18] of the monopoly over the use of the information after the expiration of the statutory protection period. [105]

Returning then to criminal law initiatives in the context of ‘information crime’. [106] There have been varying approaches across different jurisdictions. [107] Many of the relevant laws focus specifically on what has come to be termed generically as ‘computer crime’ as they deal particularly with unauthorized access to, or use or disclosure of information stored in or comprised by elements of computer systems. [108] At their most basic, these statutes redefine ‘property’ for the purposes of the laws of theft as including various intangibles, data, information and the like. [109]

More ‘specialized’ attempts at dealing with the problem in a sui generis way, particularly in relation to computer trespass, include initiatives like the recently inserted sections 76A to 76F of the Crimes Act 1914 (Cth – Australia). These sections attempt to comprehensively and specifically target activities such as gaining unauthorized access to certain computers, altering data or impeding access to computers. [110] Such activities are criminalized by the legislation but there may be practical difficulties with their effective detection and prosecution. [111] Another example of specific legislation directed at computer trespass is the Computer Misuse Act, 1990 (Eng.). Again this deals with unauthorized use and interference with a computer system and again such activities are criminalized provided that they can be effectively detected and prosecuted. [112]

This is the type of legislation referred to in the introductory section of this paper as protecting valuable information incidentally as an aspect of a broader protection of a ‘computer environment’ against unauthorized access and interference. Such legislation may well become increasingly common and increasingly significant in the future if it can be effectively [p19] enforced. [113]

However, statistics to date show that the success rate in prosecuting such offences is very disappointing which is attributable to a number of factors. [114] These factors include the difficulties inherent in detecting unauthorized access to a computer environment and/or concurrent theft of information from the system. [115] Often a wrongdoer will leave no trace of his or her invasion of the system, leaving no evidence on which to base a criminal prosecution. [116] There is the associated problem that some corporations might be loathe to admit to a breach of security as they may think it will reflect badly on them in terms of their public perception in the market. There has also been the problem that when computer trespass and hacking has caused damage to a system, often the initiatives to repair the system will destroy any traces of evidence of the wrongdoing. [117] However, the importance of getting the system up and running in a timely fashion in the fast paced commercial world must often override concerns about the collection of evidence against the wrongdoer.

C. Protecting Valuable Information: Where To From Here?

As the above survey of the present law demonstrates, there do appear to be serious shortcomings with most current legal systems in their ability to protect the integrity and secrecy of valuable commercial information. [118] In some jurisdictions these difficulties may relate to the lack of specific legislation targeted at the protection of trade secrets. However, in most jurisdictions, it would appear that the laws do exist, but there have been significant problems with enforcing them in both the civil and criminal arena. [119]

Both the cost of litigation in the civil and criminal area and the difficulty of obtaining evidence and successfully prosecuting criminal offences can act as deterrents to effective protection of trade secrecy. [120] The intellectual property legislation does not help because it is not applicable to trade secrets per se. [121] Even if it did extend this far, the cost [p20] barrier to litigation, at least for smaller businesses, may still be an issue. [122] It has certainly proved to be of concern to date in bringing actions for breach of confidence at common law and in equity and in relation to actions for breach of software copyright or software-related patents. [123]

The issue for governments around the world, then, is how best to proceed from here with initiatives to protect trade secrets in the hands of their owners. This, of course, assumes that governments are interested for the reasons set out above. It also assumes a social and economic need for government intervention. Thus, the argument for ‘non intervention’ must briefly be canvassed here as well.

There are certainly those who have argued, particularly in the context of the ‘global information age’ with the rise of the Internet as an efficient, effective and desirable means for dissemination of information around the world, that the market should be allowed to ‘regulate itself’. [124] The view has been taken by some that there is simply no need for any kind of regulation or other activity that might have a chilling effect on the free flow of information and ideas around the globe. [125]

In the context of the Internet it has certainly been argued that there is a new jurisdiction called ‘cyberspace’ which is sovereign unto itself and should be self-governed by its own inhabitants (or ‘netizens’) who will work out appropriate codes of conduct in relation to the use and dissemination of information and ideas. [126] Perhaps these comments could be extended more generally to all information used in commerce, [127] bearing in mind that the advent of computer technology and the Internet is in fact the phenomenon that has brought some of these issues into particularly sharp focus in recent years.

In response to these suggestions it has been noted that the United States Working Group on Intellectual Property Rights rejected such suggestions in the context of copyright law in 1995 on the basis that activity on the Internet is not effectively outside the ‘real world’ of commercial and other activity. [128] Most governments have taken the same view. Over the last decade there have been many judicial and legislative developments making it clear that standard intellectual property laws are intended to [p21] extend to activities taking place on the Internet and in other computer-based contexts. [129] An obvious example is the fact that most western jurisdictions have extended the definition of ‘literary work’ in copyright legislation to include computer programs. [130] As noted above, electronic and other databases are now also protected to some extent by the new sui generis database right in the European Union. [131] There has certainly been no suggestion in this debate that trade secrets should attract any less protection than has previously been the case. [132]

This leaves the question of how best to ensure effective protection of trade secrets and other confidential information in the global information age. This is an increasingly important issue given the shortcomings of current laws in this respect coupled with the greater risk of unauthorized access to information stored in computer systems in modern commerce. [133] In the future it is likely that the focus of the inquiry will move from protecting information actually disclosed by the complainant to another party in circumstances of confidence to protecting information stored in computer systems from unauthorized access by parties unconnected with the ‘owners’ of the information. Due to advances in computer technology, this access may be achieved remotely from outside the jurisdiction where the information is held, giving rise to significant private international law questions involving jurisdiction and enforcement of laws against parties outside the jurisdiction. [134]

Thus, it can be seen that the ‘new’ legal issues emerging in relation to the protection of trade secrets will revolve around:

1. security of valuable information stored in computer systems; [135]
2. availability of civil and criminal sanctions to prevent unauthorized access to such systems and information; [136] and,
[p22] 3. enforceability of those sanctions against defendants who are often situated in remote locations. [137]

In the global information age, the focus is therefore likely to move away from traditional concerns with establishing a relationship of trust and confidence between the parties for the basis of a civil action. [138] In the future, the law will be likely to focus on accepting notions of proprietary or quasi-proprietary rights in valuable commercial information and enforcing those rights through the civil and, more particularly, the criminal law.

Additional measures such as public education and technological solutions to some of the concerns will also be at the forefront of the minds of players in the information technology industry. [139] They should therefore also be a concern of relevant governments at both a domestic and international level. The remainder of this paper focuses specifically on measures that governments (including legislatures and courts) may take both in the domestic and international arenas in these respects.

III. Protection of Valuable Commercial Information: Laws, Policies and Practices

A. Legal Measures

As detailed in the preceding discussion, most developed nations already have a variety of laws which, to a greater or lesser extent, are aimed at or can be used for the protection of valuable commercial information against unauthorized interference. [140] The main problems with such legislation may be summarized as follows:

1. Some jurisdictions do not have laws that are ‘specific’ enough effectively to protect valuable commercial information from unauthorized interference. Examples would be jurisdictions that still rely on generic ‘theft’ laws and civil actions for breach of confidence based on relationships of trust and confidence between the parties. [141] These approaches are now clearly insufficient for the needs of the global information society. At the very least, there need to be criminal or civil laws within each major trading jurisdiction that are specifically targeted to unauthorized interference with valuable [p23] information, such as the Uniform Trade Secrets Act in the United States. [142] Preferably, such laws should now be augmented by criminal or civil laws aimed at protecting the integrity of a ‘computer environment’. [143]
2. In jurisdictions that have enacted (usually criminal) laws specifically targeted at the dishonest access to and misuse of valuable information, often in the context of more generally protecting the integrity of a computer environment, [144] there are practical problems of enforcement. [145] The crimes are often not reported and even when they are reported, there are difficulties in gathering sufficient evidence and running an effective and successful prosecution against an offender. [146] Indeed, it is often the case that it is difficult or impossible to identify and/or trace the offender or even in some cases to establish that an offence has occurred. [147]
3. Even where there are attempts to prosecute offenders under criminal legislation dealing with unauthorized access to computer systems etc, there may be private international law complications where a defendant is not physically located within the jurisdiction in which the offence is deemed to have occurred. [148] Indeed, there may be serious questions of private international law in identifying exactly where such an offence has occurred. Is it the place where the defendant is situated on the basis that this is where the illegal actions are emanating from and this is the ultimate destination for any information misappropriated from the victim’s system? Alternatively, is it the place where the unauthorized intrusion into the system occurs; that is, the place where the victim’s system is located? If there is a significant divergence in laws between the two jurisdictions, which law should apply? If it is the law of the place of the victim’s computer system, will it be possible effectively to serve a writ against a remote defendant? [149]

[p24] These are all clearly very difficult issues for courts and legislatures to resolve. The issues raised in item 3 (above) certainly point to the desirability of some measure of harmonization of laws across jurisdictions both within federal states and across national borders where possible. They also evidence the need for international cooperation in prosecution of offenders between jurisdictions. [150]

In terms of what governments can do and what they should arguably be thinking about doing in light of the above concerns, a number of suggestions may be made. Clearly national and international debate about measures for dealing with the unauthorized access to and use of valuable confidential information would be a desirable place to start. Such debates could extend to concerns about misappropriations of valuable commercial information not otherwise protected by intellectual property laws and to conflicts of law principles that may arise in relation to remote accessing of such information. They could also extend to the possibilities of harmonization of criminal laws to the extent that they deal with the misappropriation of trade secrets and more generally with unauthorized access to a computer environment. [151]

Some measure of international agreement on the types of valuable commercial information that might be protected and the basis on which it should be protected (property or otherwise) may also be a useful advance here. Perhaps a division between valuable personal information and valuable commercial information and some guidance as to where in practice lines can be drawn between the two would also be useful. It would certainly counter arguments such as those put by Professor Cornish (above) that there must be an appropriate balance between privacy of individuals and freedom of information. [152] Perhaps there is less of an argument that commercial information should be ‘free’ where it has been developed at the time and expense of a particular corporate entity. [153]

Governments might also review and investigate the effectiveness of particular laws enacted over the last decade or so targeted specifically at things like computer trespass. [154] It should be possible to obtain statistics [p25] on the number of successful prosecutions initiated under these laws and reasons why prosecutions were not initiated and/or why convictions were not obtained in certain cases. This may lead governments to information about ways to improve the drafting of the relevant laws and the prosecutorial practices to lead to amended criminal sanctions and practices with more ‘teeth’.

In fact, it could be a simple matter of the government devoting more financial and technical resources to prosecuting such offences that will lead to higher success rates in bringing offenders to justice. This would also reinforce a government’s message that it intends to take such conduct very seriously and to ensure that culpable parties are punished appropriately, either through fines or, perhaps in particularly grave situations, through terms of imprisonment. [155]

Technical experts should obviously be consulted in investigating the potential effectiveness of current criminal legislation in this area. After all, it appears that many of the reasons why prosecutions are not initiated or convictions are not obtained in this area relate to technical matters. [156] These include how to identify that the security of a system has been breached, how to trace the origin of the breach, how to determine the extent of the access or damage, etc. [157] Governments should not shy away from engaging technical experts on these issues in the context of law reform projects.

Certainly governments and legislatures in jurisdictions in which no such legislation has yet been enacted could learn from the experiences of governments in jurisdictions that have supported such legislation and then thoroughly reviewed its effectiveness. This again points to the desirability of cooperation between governments both nationally and internationally in developing a harmonized legal system that will protect valuable commercial information sufficiently for the needs of modern commercial communities. [158]

Given the difficulties and costs involved in the types of initiatives discussed above, other approaches should also be considered that might augment the position within a jurisdiction in relation to the protection of valuable commercial information from unauthorized access and use. Such measures are considered below.

[p26]

B. Other Measures: Technological Solutions and Public Education

In the field of new electronic money transfer systems, it has been noted that the best way to prevent crime involving electronic funds is a combination of public education and technological security measures. [159] Public education includes things like advertising campaigns about the importance of keeping access codes for cash and credit cards secure, ensuring no one observes you keying such codes into automatic teller machines, not giving credit card details out on public telephones where other people may hear you etc. [160] Such campaigns can be instituted by governments, financial institutions or a combination of the two.

Technological measures to ensure security of funds transferred and stored electronically include: (a) design of automatic teller machines as securely as possible (eg with limited to no opportunities for others to observe customers keying in personal details); [161] (b) restricting amounts of money that can be stored on stored value cards (eg Mondex system); [162] (c) use of photo identities and laser engraved signatures on plastic cards; [163] and, (d) development and installation within financial systems and home computer systems of fraud detection software. [164]

The question therefore arises as to whether there are equivalents for such measures in the context of maintaining and/or enhancing the security of valuable commercial information, particularly where it is stored electronically. Clearly there is a significant role for technological consultants within businesses to create and maintain secure computer networks. There may also be a role for governments in providing advice on technological and other solutions for smaller businesses who may not employ full time technical consultants. [165] Such businesses may not at first even realize the importance of these issues.

It is clearly possible to give government agencies a brief to deal with some of these matters. [166] Such an agency could take on the role of public education in this regard along with the development of technological solutions to common security problems. [167] Ultimately, it could also provide advice on things like: (a) the extent of a business’ legal rights in [p27] its confidential information; [168] (b) the measures the business might take to maintain confidentiality in particular types of information from employees and others; [169] (c) the effective drafting of confidentiality undertakings that may be employed when disclosing valuable commercial information to contractors, prospective joint venture partners etc. [170]

This information would obviously be available privately to most commercial entities from lawyers, information technology consultants and others. However, it may be worthwhile for governments to consider subsidizing or directly providing some such services particularly in jurisdictions where it might be an aspect of government policy to encourage and support the development of small business in the new global economy. This certainly appears to be the case in the United Kingdom at present where the government has recently sponsored web-based initiatives to supporting new businesses venturing into the electronic marketplace. [171] The relevant website is run under the auspices of the Department of Trade and Industry (‘DTI’) and its Communications and Information Industries Directorate. [172]

Along with these types of initiatives, governments interested in assisting businesses in this area could implement policies and procedures to ‘fast track’ both criminal prosecutions and civil litigation involving trade secrets. This could be particularly relevant in cases where the information in question is likely rapidly to lose its commercial value and where there is concern with the length of standard court processes.

However, as noted above, this may only be half the story. It may take significant amounts of time to establish, say, an intrusion into a computer system and to identify the individual who may have misappropriated information as well as to gather evidence of the misappropriation. [173] By the time this has been done, the wrongdoer may already have exploited the information in question for significant financial gain and departed from the [p28] jurisdiction (if he or she was ever in the jurisdiction to begin with). Cost may also be a factor in successful civil actions and/or criminal prosecutions as noted above. [174] Governments should perhaps also consider devoting additional financial resources to support such actions if costs appear to be a chilling factor here.

Another approach that might complement the above suggestions could be to establish government supported mediation services to deal with certain disputes over unauthorized access to confidential information in a less expensive, less formal and more timely manner than standard court processes. This may be better suited to some fact scenarios than others; for example, simple civil disputes between businesses over access to and use of certain information where the disputants reside, and the activities in question have occurred, within the same jurisdiction.

A final suggestion for government consideration involves government assistance in maintaining the confidentiality of communications over a computer network. In this context, a government may consider involvement in setting up a public and private key cryptography system for electronic communications as noted above. [175] Governments might either fund the private development of such systems or themselves participate as developers and distributors of public and private key pairs to commercial parties. The costs charged to the users of the system might partially or fully fund its operations.

There are obviously a number of initiatives that governments may take to assist citizens in protecting their valuable commercial information against unauthorized interference. These should be designed effectively to complement appropriate legislative and judicial approaches to the problem at a domestic and, ultimately, preferably at a global level. [176]

IV. Conclusions

The initiatives discussed above both in terms of law reform and enforcement and in terms of complementary technological and other measures all raise significant considerations of cost, liability and effectiveness for governments and must be evaluated with caution. However, as noted above, modern commercial societies do seem to expect governments to do more than they have in the past in this area. [177]

[p29] Enacting civil and criminal laws that cannot be enforced effectively and in a timely manner will not meet the needs of the global information society in this regard. It may now be time for governments to re-examine past legal initiatives and to re-evaluate the modern needs of commercial parties in relation to the protection of their commercial information. [178] As noted above, these needs have significantly changed over the years since breach of confidence actions were first introduced in the courts of the common law and equity. [179] This arguably necessitates a change in approach from the point of view of governments, legislatures and the judiciary.

This change in approach should take into consideration the increasing globalization and internationalization of commercial activity and the development of the Internet and computer networks generally, allowing easier access to information both on an authorized and unauthorized basis. [180] There is clearly a need for some level of global harmonization of approach to issues of protection of valuable commercial information, as there has been a need for ongoing harmonization of approach to intellectual property laws more generally. [181]

As the above discussion has illustrated, many legal systems are now not particularly far apart in terms of what they will and will not protect in terms of valuable commercial information. [182] The main differences really appear to be in terminology employed by legislatures and the judiciary in enforcing rights in valuable information. [183] The conceptual similarity between jurisdictions could simplify the task of reaching international agreement on issues like what types of information should be protected by legal systems and the basis on which it should be protected. More problematic issues might arise in relation to the extent to which legal systems might co-operate in resolving private international law concerns [p30] relating to detection, investigation and enforcement of criminal laws in this area. [184]

There is clearly much work to be done here. There is also an obvious competing argument that this work is all too difficult and too expensive and that the market should just be allowed to ‘sort itself out’. However, there does seem to be an expectation that governments will act in some way to protect the valuable commercial information of businesses globally. [185] There might also be a potential concern that leaving the resolution of these issues to market forces will favor the larger players over the smaller and medium sized players. It is perhaps more important now than ever before to protect this latter group’s ability to compete in the market as commerce opens up on a more global scale than ever before to smaller businesses in the wake of computer and Internet technology. [186]

The conclusion of this paper must therefore be somewhat tenuous. It identifies that governments can and should do some work both at the domestic and international level to protect valuable commercial information. [187] It suggests that such information can and should be treated to some extent as a property or quasi-property right, but in any event the terminology is less important than the ways in which and extent to which the information is protected by the law against unauthorized interference. It accepts that the way forward for governments is perhaps not as clear as could be hoped and desirable strategies may well involve a combination of legal and other measures which would all be heavily reliant on good technical advice and may prove costly. However, at the very least, the above discussion should serve to open up debate on the relevant issues and suggest some future directions that may be considered by governments in this area.

[*] BA (Melb), BA (Hons) (La Trobe), LLB (Hons) (Melb), LLM (Monash), LLM (Cantab), PhD (Griffith). Barrister and Solicitor of the Supreme Court of Victoria and the High Court of Australia. Assistant Professor of Law, Case Western Reserve University School of Law. Senior Lecturer, School of Law, University of Nottingham.

[1] In this paper, the term ‘government’ is used to refer to all three arms of government - the executive, the legislature and the judiciary - except where the context requires otherwise.

[2] This has happened in most jurisdictions with a developed system of intellectual property legislation. Courts and legislatures throughout the European Union, the Asia Pacific region and the United States have accepted that computer software programs should be protected as ‘literary works’ under the law of copyright. See Copyright, Designs and Patents Act, 1988, c 3(1)(b) (Eng.) as an example. For a good summary of the position on software patenting as compared between jurisdictions such as Australia and the United States, see John Swinson & Gaye Middleton, Patents in Cyberspace: Electronic Commerce and Business Method Patents, in Going Digital 2000: Legal Issues for E-Commerce, Software and the Internet 71 (2d ed., Anne Fitzgerald et al, eds, 2000); Olujoke Akindemowo, Information Technology Law in Australia, 139-148 (1999); John Swinson, Copyright or Patent or Both: An Algorithmic Approach to Computer Software Protection, 5 Harv. J. L. & Tech 145 (1991); John Swinson, Software Patents in the United States, 4 Journal of Law and Information Sciences 116 (1993); Ian Lloyd, Legal Aspects of the Information Society 153-176 (2000).

[3] ‘Sui generis’ protection refers to the protection of something as a class of its own, rather than as part of a broader category. In the area of intellectual property law, the more ‘generic’ categories of intellectual property are copyrights, patents, trade marks and, perhaps arguably also, registered designs. However, some items such as databases, plant breeders’ rights and circuit layouts are subject to their own individual systems of sui generis intellectual property protection. In the United Kingdom see Copyright and Rights in Databases Regulations (1997) SI 1997/3032, Plant Varieties Act, 1997 (Eng.), Design Right (Semiconductor Topographies) Regulations (1989) SI 1989/1100. These statutory instruments protect particular forms of intellectual property ‘in their own right’ and not as part of the broader intellectual property protections for copyright, patents and trade marks found in legislation such as the Copyright, Designs and Patents Act, 1988 (Eng.), the Patents Act, 1977 (Eng.), the Registered Designs Act, 1949 (Eng.) and the Trade Marks Act, 1994 (Eng.).

[4] Council Directive 96/9/EC, 1996.

[5] See Ian Lloyd, Legal Aspects of the Information Society 177-191 (2000).

[6] See Raymond Nimmer, Information Age in Law: New Frontiers in Property and Contract, 68 N.Y. St. Bar J 28 (1996); Raymond Nimmer and Patricia Krauthaus, Information as a Commodity: New Imperatives of Commercial Law, 55 Law & Contemp. Probs. 103 (1992); Raymond Nimmer and Patricia Krauthaus, Information as Property: Databases and Commercial Property, 1Int’l J.L. & Info. Tech. 3 (1993).

[7] See Jacqueline Lipton, Security Over Intangible Property 7-18 (2000).

[8] See Copyright, Designs and Patents Act, 1988, c 9-11 (Eng.).

[9] As a side issue, it is worth noting that the holder of a patent does not really have a ‘monopoly’ over the invention in question in a strict sense. What the holder actually has is a right to exploit the invention commercially in the absence of any legal or other impediment; that is to say, it is not a positive right to exploit the invention, but rather a negative right to prevent others from exploiting the invention without authorization. See John Swinson, Security Interests in Intellectual Property, in Securities Over Personal Property 124 (Craig Wappett et al eds, 1999).

[10] Even after a patent has been registered, its validity may be challenged and its original registration might be found to be invalid in subsequent proceedings. See Patents Act, 1977, c 72 (Eng.). See also Patents Act, 1990, c 20(1) (Austl.) which expressly provides that nothing done under the statute guarantees the validity of a patent in Australia or anywhere else.

[11] Most trade mark legislation limits the extent of trade mark protection in cases where: (i) upholding the mark would infringe on someone else’s mark, (ii) where there was no intention to use the mark in good faith when it was registered, (iii) when a registered mark has not been used in a market for a significant period of time, (iv) when a registered mark becomes ‘generic’ in the sense of being used as the general word in the relevant trade to describe articles of the type in question etc. An obvious example of this latter situation is the trade mark ‘Hoover’ which became the generic name for a certain type of vacuum cleaner no matter who the manufacturer was. ‘Kleenex’ to describe facial tissues generically is another example of a mark that became generic in this sense. See also, Re Sony Kabushiki Kaisha AIPC 90-412 [1987] (where the registered trademark ‘Beta’ became generic.)

[12] See Lipton, supra note 7.

[13] In fact, most aspects of computer systems are now protected variously by copyright, sui generis database rights or possibly patents. See Copyright, Designs and Patents Act, 1988, c 3(1)(b) (Eng.), and Copyright and Rights in Databases Regulations (1997) SI 1997/3032 in the United Kingdom.

[14] See Olujoke Akindemowo, The Fading Rustle, Chink and Jingle: Electronic Value and the Concept of Money, 21(2) UNSWLJ 7 (1998).

[15] It is obviously an open question whether any kind of ‘services’ can be regarded as intangible ‘quasi property’ in the sense discussed in this paper. However, some commentators have treated telecommunications services as such and have written about dishonest misappropriation and/or ‘theft’ of such services. See Peter Grabosky & Russell Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, 63-88 (1998).

[16] See Lipton, supra note 7, at 126-130. In fact, Internet domain names are regarded at law as forms of contractual licence between a registering authority (such as Network Solutions in the United States) and the registrant of the name. This is despite the fact that players in commercial markets do treat such names as valuable business commodities and do ‘trade’ in them. See Jacqueline Lipton, Documentary Credit Law and Practice in the Global Information Age, 22 Fordham Int’l L.J. 1972 (1999).

[17] See William Cornish, Intellectual Property: Patents, Copyright, Trade Marks and Allied Rights, 301-336 (4 ed, 1999).

[18] See Sarah Worthington, Personal Property Law: Text and Materials, 665-699 (2000); Jacqueline Lipton, A Revised ‘Property’ Concept for the New Millennium? 7(2) Int’l J.Law & Info. Tech., 171-90 (1999).

[19] See Lipton, supra note 7, at 170-174.

[20] See Grabosky & Smith, supra note 15, at 47-60.

[21] See Cornish, supra note 17, at 303.

[22] See Jacqueline Lipton, Financing E-Commerce: Legal and Practical Risks 1 J. Law & Info. Tech. 3 (2001).

[23] It must be recognized, as taken up below, that this is not always the sole or even the predominant motivation for conduct described as ‘computer hacking’. Some hackers are simply attracted to the challenges of breaching a system’s security. Others may aim to damage the system by destroying information, inserting a computer virus, etc. See Grabosky & Smith, supra note 15, at 52-53.

[24] Jill McKeough & Andrew Stewart, Intellectual Property in Australia, 60-61 (2d ed., 1997).

[25] See Cornish, supra note 17, at 302.

[26] Id., at 301; McKeough & Stewart supra note 24, at 61.

[27] Id.

[28]< Where such information appears in a computer program it will automatically be protected by the copyright laws of most jurisdictions because it will be deemed to have been reduced to a ‘material form’ for these purposes as a ‘literary work’. See Copyright, Designs and Patents Act, 1988, c 3(1)(b) (Eng.). However, such copyrights can be notoriously difficult to assert and protect against unauthorized intruders into the system for a number of commercial and legal reasons beyond the scope of this paper. See Lloyd, supra note 2, at 132-152.

[29] Such as the equitable action for breach of confidence. See Coco v Clark, 41 RPC (Eng. 1969).

[30] See Computer Misuse Act, 1990 (Eng.).

[31] See Copyright, Designs and Patents Act, 1988, c 3(1)(b) (Eng.), and Copyright and Rights in Databases Regulations (1997) SI 1997/3032 in the United Kingdom (extending copyright and similar protection to computer software and databases respectively). Arguably, recent legislation such as 17 U.S.C. § 1201 (1998) may also have the indirect effect of protecting valuable information that is not, strictly speaking, subject to copyright protection. See Jacqueline Lipton, Copyright in the Digital Age: A Comparative Survey, Rutgers Computer & Tech. L. J., (forthcoming 2001).

[32] See Grabosky & Smith, supra note 15.

[33] See Department of Trade and Industry (Eng.), Information Age, available at http://www.dti.gov.uk/infoage/index.htm (last visited at March 22, 2001).

[34] See Grabosky & Smith, supra note 15, at 12-14; Alan Tyree, Digital Cash 19-31 (1997); Akindemowo, supra note 2, at 123-126; Martin Hogg, Secrecy and Signatures – Turning the Legal Spotlight on Encryption and Electronic Signatures, in Law & the Internet: A Framework for Electronic Commerce 37-54 (2d ed., Lilian Edwards et al, eds, 2000).

[35] See Akindemowo, supra note 2, at 11-12.

[36] See Ruckelshaus v Monsanto Co, 467 US 986 (1984) and other cases discussed in Raymond Nimmer, The Law of Computer Technology, ¶ 3.02 (3d ed., 1997); Cornish, supra note 17, at 301-336.

[37] See Cornish, supra note 17, at 3-49 (on the historical development of English intellectual property laws to meet the social and economic needs of society).

[38] See McKeough & Stewart, supra note 24, at 59-74 (on the commercial need to protect valuable information as a form of ‘quasi property’).

[39] See Grabosky & Smith, supra note 15, at 47-62.

[40] Id.

[41] Id, at 52-53.

[42] Id.

[43] Id, at 49-50. A virus is a software program which attaches to a larger program and replicates itself by attaching to various files and eventually destroying data and/or taking up large amounts of space in a computer system. “Worms” are similar to viruses but are independent pieces of software that operate on their own rather than attaching to an existing program. They do not destroy data but are capable of shutting a system down by consuming network resources until the system is unable to run. “Bombs” are programmed to remain dormant and then to ‘explode’, triggering some action at a future time like the activation of a virus or worm.

[44] Id, at 47-62.

[45] Id, at 55.

[46] In the United Kingdom, see Computer Misuse Act, 1990 (Eng.).

[47] ‘Information society’ is a term that has been coined largely throughout the European Union to denote legal issues that arise in relation to commercial activity in the global information age, with particular reference to e-commerce. An obvious recent example of the usage of the term appears in the recent Council Directive SN/2696/00 (PI), 2000 (‘on certain harmonisation of certain aspects of copyright and related rights in the Information Society’). This Directive deals largely with extensions of copyright protection in the digital age to meet the needs of e-commerce businesses dealing with copyright material online.

[48] See Lipton, supra note 22.

[49] See Lipton, supra note 7, at 14-17.

[50] This is because traditional property laws have assumed some basic attributes of property such as exclusivity to one owner and transferability. See id, at 7-16. For an example of how traditional theft and ‘obtaining property by deception’ laws fail to meet the needs of various intangible forms of property see Jacqueline Lipton, Property Offences in the Electronic Age 72(10) Law Inst. J. 54 (1998); Jacqueline Lipton, Property Offences into the 21st Century 1 J. Law and Info.Tech. 1 (1999).

[51] See Cornish, supra note 17, at 330-332 (discussing various practical and policy reasons against classifying valuable information as legal ‘property).

[52] id, at 330-332; McKeough & Stewart, supra note 24, at 70.

[53] id.

[54] See Coco v Clark, 41 RPC (Eng. 1969); Faccenda Chicken v Fowler, 1 All E.R. 617 (Eng. C.A.,1986).

[55] Francis Gurry, Breach of Confidence, in Paul Finn, Essays in Equity 116 (1985).

[56] See Cornish, supra note 17, at 320-323.

[57] See Franklin v Giddins, Q. R. 72 (1978); X Ltd v Morgan-Grampian (Publishers) Ltd, 2 W.L.R. 1000 (1990).

[58] id.

[59] See Cornish, supra note 17, at 303.

[60] id, at 331.

[61] id.

[62] See Jacqueline Lipton, Property Offences in the Electronic Age 72(10) Law Inst. J. 56-58 (1998).

[63] In the United Kingdom, see Theft Act, 1968, c 15(1) (Eng.).

[64] Cornish, supra note 17, at 332.

[65]There is no equivalent in the United Kingdom or Australia to the statutory laws relating to theft of trade secrets in most jurisdictions in the United States. See Nimmer, supra note 36, at ¶ 12.09.

[66] Id.

[67] See McKeough & Stewart, supra note 24, at 73-74.

[68] See supra note 6.

[69] See Computer Misuse Act, 1990 (Eng.); Lloyd, supra note 2, at 96-113.

[70] See Grabosky & Smith, supra note 15, at 55-56, 60-61.

[71] McKeough & Stewart, supra note 24, at 73-74.

[72] Id, at 73.

[73] See Nimmer, supra note 36, at ¶3.02[1].

[74] Id.

[75] On the importance of an international approach to these issues, see Grabosky & Smith, supra note 15, at 60-61.

[76] See Nimmer, supra note 36, at ¶ 12.09.

[77] Although this is arguably changing in the United Kingdom as an indirect result of recent moves throughout the European Union to protect databases as property and thereby indirectly to protect the information contained therein, and also to protect against unauthorized access to information stored electronically and protected by a technological measure where some of the protected information is subject to copyright or database right protection. See Lipton, supra note 31; Council Directive SN/2696/00 (PI), 2000 (creating measures against unauthorized access to copyright works protected through ‘effective technological measures’); Council Directive 96/9/EC, 1996 (on the protection of electronic and other databases).

[78] See Cornish, supra note 17, at 301-336.

[79] See Nimmer, supra note 36, at ¶3.02 (noting that this legislation has now been adopted in most states within the United States).

[80] See McKeough & Stewart, supra note 24, at 59.

[81] See supra note 6.

[82] For example, laws relating to theft and obtaining property by deception. See Theft Act, 1968 (Eng.).

[83] For example, the torts of trespass, detinue and conversion which deal with intentional and unauthorized interference with another’s chattels. SeeJohn Fleming, The Law of Torts (9 ed, 1998).

[84] For example, in England and Australia there has been a substantial tradition of courts of equity protecting rights in property under remedies such as the constructive trust which arises in a variety of situations including where a person in a fiduciary relationship has made unauthorized use of trust property. See John Glover, Commercial Equity: Fiduciary Relationships (1995).

[85] See Copyright, Designs and Patents Act, 1988 (Eng.), Patents Act, 1977 (Eng.), Trade Marks Act 1994 (Eng.).

[86] See Theft Act, 1968 (Eng.).

[87] See Fleming, supra note 83.

[88] See Theft Act, 1968 (Eng.).

[89] See Lipton, supra note 62.

[90] id.

[91] Theft Act, 1968, c 15(1) (Eng.).

[92] See Nimmer, supra note 36, at ¶12.08. In the Australian context, see also Grabosky & Smith, supra note 15, at 104. The fact that theft and ‘obtaining property by deception’ laws are based on the intention to permanently deprive the victim of his or her property has also recently caused difficulties in the area of electronic funds transfers (‘EFT’) brought about by deceptive means. In the United Kingdom, the legislature found it necessary to amend the theft legislation following a decision of the House of Lords in 1996 to the effect that such an EFT did not constitute the crime of ‘obtaining property by deception’ because the property obtained (a debt owed by the defendant’s bank to the defendant) was not the same as the property lost by the victim (a debt owed by its own bank to it). The EFT was a transfer mechanism that had consequences for the parties’ property without amounting to property per se. As a result of this decision, the legislation was amended to include a new section relating to the dishonest obtaining of a money transfer by deception. See Jacqueline Lipton, Property Offences into the 21st Century 1 J. Law and Info. Tech. 1 (1999); R v Preddy A.C. 815 [House of Lords, 1996]; Theft Act, 1968, c 15A (Eng.).

[93] See Nimmer, supra note 36, at ¶12.10.

[94] In the United Kingdom, the action is usually based in the court’s equitable jurisdiction on the basis of a confidence binding on the defendant’s conscience, as noted above. See Cornish, supranote 17, at 301-336.

[95] Similar comments might be made in relation to smaller businesses bringing any kind of court action to protect ‘information property’ rights. See Lipton, supra note 22.

[96] See Cornish, supra note 17, at 303-304.

[97] See, for example, Computer Misuse Act, 1990 (Eng.).

[98] See Cornish, supra note 17, at 302-307.

[99] See Copyright, Designs and Patents Act, 1988, c 3(2) (Eng.).

[100] See Trade Marks Act, 1994, c 1(1) (Eng.).

[101] ‘Patentable invention’ is defined in the Patents Act, 1977, c 1 (Eng.) as an invention which is new, involves an inventive step, is capable of industrial application and the grant of a patent is not excluded by subsections (2) or (3). These subsections exclude from patentability subject matter which is not considered to be an ‘invention’ (eg a scientific theory, mathematical method, an aesthetic creation, a method for performing a mental act or playing a game or doing business, a program for a computer or the presentation of information). They also exclude from patentability inventions the publication or exploitation of which would be generally expected to encourage offensive, immoral or antisocial behaviour, or an invention relating to a variety of plant or animal life.

[102] Id.

[103] See Swinson & Middleton, supra note 2.

[104] SeeJacqueline Lipton, Security Over ‘Information Products’, 11(1) A.I.P.J. 36 (2000).

[105] This usually lasts for a maximum of 6 to 25 years depending on the jurisdiction and the type of invention in question. See Patents Act, 1977, c 25(1) (Eng.) (providing that the duration of a standard patent in England is generally 20 years from the date of filing the application for the patent).

[106] The term ‘information crime’ is used here to refer to the unauthorized access to, use of and/or interference with valuable commercial information developed or held by another person.

[107] See Computer Misuse Act, 1990 (Eng.), Crimes Act, 1914, c 76A-76F (Austl.).

[108] Id.

[109] See Ohio Rev, Code Ann. §2901.01(J)(1) as cited in Nimmer, supra note 36, at ¶12.09. Nimmer also notes here that a majority of state legislatures in the United States now treat the misappropriation of trade secrets as theft under similar legislation.

[110] See Grabosky & Smith, supra note 15, at 167-169.

[111] Id, 55-56.

[112] See Lloyd, supra note 2, at 96-113.

[113] See id; Grabosky & Smith, supra note 15, at 55-56.

[114] Id.

[115] Id.

[116] Id.

[117] Id.

[118] See Cornish, supra note 17, at 303-304.

[119] See Lloyd, supra note 2, at 96-113; Grabosky & Smith, supra note 15, at 47-62.

[120] Id; Lipton, supra note 22.

[121] As noted above, intellectual property statutes tend to relate to patentable inventions, forms of expression and marks and logos used in business. See Patents Act, 1977 (Eng.), Copyright, Designs and Patents Act, 1988 (Eng.) and Trade Marks Act, 1994 (Eng.), although it should be kept in mind that some inventions that may be patentable will be protected through trade secrecy at the option of the inventor for various commercial reasons relating to cost and disclosure. See Lipton, supra note 104.

[122] As noted above, similar comments might be made in relation to smaller businesses bringing any kind of court action to protect ‘information property’ rights. See Lipton, supra note 22.

[123] Id.

[124] See Grabosky & Smith, supra note 15, at 91-92.

[125] Id.

[126] Id.

[127] That is to say, not just forms of information in which copyright might be asserted under the laws of one or more jurisdiction(s).

[128] See Grabosky & Smith, supra note 15, at 92.

[129] See Lipton, supra note 31.

[130] See Copyright, Designs and Patents Act, 1988, c 3(1)(b), (Eng.).

[131] As enacted into United Kingdom domestic law under the Copyright and Rights in Databases Regulations (1997) SI 1997/3032. For a comparison with proposed moves in the United States to legislate in a similar direction see Mark Davison, Proposed U.S. Database Legislation: A Comparison with the U.K. Database Regulations 21(6) E.I.P.R. 279 (1999).

[132]In fact, it is arguable that trade secrets will indirectly gain greater protection in the digital age than ever before as a result of the recent extension of copyright law to cover unauthorized access to copyright material protected by an effective technological measure. See Lipton, supra note 31.

[133] See Cornish, supra note 17, at 303-304.

[134] See Grabosky & Smith, supra note 15, at 212.

[135] Id, at 210-237.

[136] Id, at 47-62.

[137] Id, at 210-237.

[138] See Coco v Clark, 41 RPC (Eng. 1969).

[139] See Grabosky & Smith, supra note 15, at 224-226.

[140] See Computer Misuse Act, 1990 (Eng.); Nimmer, supra note 36, at ¶12.09.

[141] See Theft Act, 1968, c 15(1) (Eng.).

[142] See Nimmer, supra note 36, at ¶12.09.

[143] Such as the Computer Misuse Act, 1990 (Eng.); Crimes Act, 1914, c 76A-76F (Austl.).

[144] Id.

[145] See Grabosky & Smith, supra note 15, at 54-56.

[146] Id.

[147] Id.

[148] Id, at 60-61, 219-223.

[149] A detailed examination of the conflicts of law issues relating to such crimes is beyond the scope of this paper. However, it should be noted that there is a body of commentary beginning to develop about the application of conflicts of law principles to breaches of law conducted remotely over computer networks. See Richard Garnett, Are Foreign Internet Infringers Beyond the Reach of the Law? 23(1) U.N.S.W.L.J. 105 (2000); Michael Whincop & Mary Keyes, Policy and Pragmatism in the Conflict of Laws (2000). Much of this work has focused on civil intellectual property laws rather than criminal sanctions for theft of confidential information. However, the time will come when the debate extends in this direction.

[150] See Grabosky & Smith, supra note 15, at 210-237.

[151] Id.

[152] See Cornish, supra note 17, at 330-332.

[153] Again, this may depend on the type of information in question. There may be policy reasons for information about advances in science, technology and medicine to be more freely available than purely ‘commercial’ information relating to things like business methods and processes.

[154] Such as the Computer Misuse Act, 1990 (Eng.). See Lloyd, supra note 2, at 96-113.

[155] See Crimes Act, 1914, c 76B (Austl.) which prescribes a maximum 2 year term of imprisonment for crimes relating to unlawful access to a computer. Crimes Act, 1914, c 76C (Austl.) further provides a maximum ten year term of imprisonment for damaging data in a computer system.

[156] See Grabosky & Smith, supra note 15, at 54-56.

[157] Id.

[158] Id, at 210-237.

[159] Id, at 223-229.

[160] Id.

[161] Id, at 172.

[162] Id.

[163] Id, at 172-173.

[164] Id, at 173.

[165] See Department of Trade and Industry (Eng.), Information Age, available at http://www.dti.gov.uk/infoage/index.htm (last visited at March 22, 2001).

[166] Id.

[167] Id.

[168] See Department of Trade and Industry (Eng.), Communications and Information Industries Directorate, Data Security, available at http://www.dti.gov.uk/cii/datasecurity/index.shtml (last visited at March 22, 2001).

[169] Id.

[170] See Department of Trade and Industry (Eng.), Communications and Information Industries Directorate, Data Security, Protecting Business Information – Keeping it Confidential, available at http://www.dti.gov.uk/cii/datasecurity/keepingitconfidential/trusted_partners.shtml (last visited at March 22, 2001).

[171] See supra note 165.

[172] The Communications and Information Industries Directorate has the following functions: (i) to sponsor the publishing, information, electronics and communications technology and service sectors, (ii) to promote the use of those technologies, and (iii) to ensure effective regulation. See Department of Trade and Industry (Eng.), About CII, available at http://www.dti.gov.uk/cii/cii/index.shtml (last visited at March 22, 2001).

[173] See Grabosky & Smith, supra note 15, at 54-56.

[174] See Lipton, supra note 22.

[175] On cryptography, see supra note 34.

[176] Although the practical difficulties with international harmonization in this area should not be underplayed. See Grabosky & Smith, supra note 15, at 219-237.

[177] Recent activities of the European Union Parliament and Council in drafting Directives to encourage and protect e-commerce activities and the recent work of the DTI’s Communications and Information Industries Directorate in the United Kingdom are good examples of the way governments are reacting to the perceived needs of commercial players in the information society. See Department of Trade and Industry (Eng.), CII – Helping the UK Lead the Information Age, available at http://www.dti.gov.uk/cii/ (last visited at March 22, 2001); Europa, Information Society, available at http://europa.eu.int/pol/infso/index_en.htm (last visited at March 22, 2001) (gives details of regulatory action at the European Union level in relation to promotion of the information society).

[178] See Cornish, supra note 17, at 303-304; McKeough & Stewart, supranote 24, at 71.

[179] Id.

[180] See Cornish, supra note 17, at 303-304.

[181] See McKeough & Stewart, supra note 24, at 473-495 (on international harmonization of intellectual property law generally); Grabosky & Smith, supra note 15, at 219-237.

[182] See Nimmer, supra note 36, at ¶3.02[1].

[183] Whereas legislatures in the United States have been prepared to attach a ‘property’ label to information, this has not been the case in the United Kingdom or Australia. See Cornish, supra note 17, at 301-336.

[184] See Grabosky & Smith, supra note 15, at 210-237.

[185] See supra note 177.

[186] See Lipton, supra note 22.

[187] As is obviously occurring in the European Union and the United Kingdom in relation to assisting businesses protect their rights in information in the global information age. See supra note 177.

Copyright 2001 by the Journal of Technology Law & Policy and Jacqueline Lipton.