Europe's Weaker Laws Against Trade Secret Theft Means Corporate Espionage Often Goes Unpunished

slugworthMr. Slugworth, the chocolate maker who was out to steal Willy Wonka’s secret recipe.

Photo: Willy Wonka and the Chocolate Factory

Damage inflicted by the theft of a company’s intellectual property by a rival or former employee is one of the most devastating events a business can suffer.This powerful view has been recently reinforced by United States Attorney Preet Bharara, the top New York federal prosecutor, through a string of Wall Street-related cases.

Theft of IP damages the confidence of investors and can spark panic amongst shareholders.  It has the potential to obliterate companies.

Prosecutions and convictions in the US clearly show that big firms and prosecutors are intent on cracking down on this kind of criminal activity.

But in the UK, and across much of Europe, companies face a major problem.

Necessary laws lag well behind those which provide firms from across the Atlantic with the firepower to protect themselves. Investigative techniques are also found wanting, and various Human Rights legislation often makes it difficult to employ strategies to detect such conduct.

Take the recent conviction of one IP thief in particular. Samarth Agrawal is an Indian national who worked for French bank Société Générale in New York. 

Société Générale employed Agrawal as a trader within its high frequency trading group. 

Over a period of several months, Agrawal visited his office after hours and copied, printed, and stole hundreds of pages of source code for the bank’s proprietary high frequency trading platform. This is the very code used to generate millions of dollars in profits for the bank. 

Agrawal planned to use the stolen code to create a similar trading platform at a competing hedge fund.

Thankfully for Soc Gen, who I acted as counsel for, his plan was detected. And on the morning before he started his new job, FBI agents raided Agrawal’s home, recovered the stolen code, and arrested him. A jury later found him guilty of stealing the bank’s trade secrets, and the court sentenced him to three years in prison. 

The evidence against Agrawal at trial was overwhelming. Video surveillance recorded his off-hours activities and computerised logs documented his crime in painstaking detail. Two weeks later, in an unrelated case, Sergey Aleynikov, a $400,000 a year programmer at Goldman Sachs & Co. in New York, was also convicted of theft of trade secrets by a different Manhattan federal jury.

His crime: Stealing high frequency trading code belonging to Goldman Sachs.

But the next statement may come as a shock: Had Agrawal or Aleynikov committed their crimes against a European bank in the UK or in Europe, they could very well be free men today.

The curious absence across much of Europe—with perhaps France and Germany aside—of express criminal prohibitions against the theft of such trade secrets, coupled with a lack of resources and investigative experience in such cases, has created an environment in Europe where economic espionage of this type often goes unpunished even when detected. 

It is vital that this changes.

Trade secrets—information which is kept secret through reasonable efforts and which derives economic value by virtue of not being known to the public—are generally protected in the United States by civil and criminal laws. While almost all states provide civil remedies for misappropriation of trade secrets through their adoption and implementation of the Uniform Trade Secrets Act, the federal Economic Espionage Act—or “EEA”—makes it a crime to steal a company’s trade secrets. 

Even for first time offenders, penalties can be harsh: up to 10 years in prison per offence. Sergey Aleynikov received eight.

In passing the EEA, Congress closed a gap in criminal enforcement for thefts targeting intangible intellectual property, recognising that such thefts posed an unacceptable risk to the American economy in an era where a company’s most valuable assets are unlikely to be “corporeal.”

This point only becomes clearer every day, as trade secrets and IP continue to be digitiszed and as cyber-criminals continue to develop increasingly sophisticated and unprecedented ways for stealing these assets.

For example, a large hedge fund or e-commerce company often forms a core number of talented employees which has access to its trade secrets.  For a well-educated, well trained and  clever employee, it is easy to apply techniques to allow years of research and development, data, and an entire platform to be downloaded for use elsewhere either within the banking or hedge fund sector.  

In addition, the increased use of cloud computing services by organisations to store their intellectual property — as well as by data thieves to hide data they have stolen — only exacerbates this problem.  So too does the explosion of widespread and increasingly accessible technologies that allow criminals to hide their true location as well as cover their “electronic tracks” after committing their crimes.

In the UK, while there are copyright laws, there are currently are NO criminal laws which specifically protect trade secrets or criminalise industrial espionage.  While a proposal to create a criminal offence for the misuse of trade secrets was put forward by the English Law Commission in 1997, that proposal was subsequently abandoned.  Moreover, existing legislation, including the 2006 Fraud Act, focuses largely on the modus operandi of a theft, not its subject matter. 

As a result, it is unclear whether these pieces of legislation would reach Agrawal or Aleynikov’s crimes had their misconduct occurred in London and not New York. 

In European countries that do have laws on their books that could be used, investigators are often inexperienced or underfunded. 

In addition, crimes of this nature are often committed across borders and this creates additional challenges for victims. Accordingly, the lack of standardised laws to combat this conduct create additional challenges for European victims who often face fractured and inconsistent legal regimes and difficult  coordination between national law enforcement agencies. 

Moreover, privacy laws in Europe make it difficult and potentially contentious for corporations to monitor and gather evidence against workers who may be involved in malfeasance. 

For example, while the use of video surveillance tapes was used to prove that Agrawal copied and stole Société Générale’s code and was crucial to his conviction, such evidence may not have been available had he committed the crime in certain parts of Europe where laws significantly limit the use of video surveillance in the work-place.  As a result, taken together, enforcement shortfalls in Europe are commonplace.

Companies can and do, of course, employ more robust pre-employment screening programs.  They can and do carefully limit (and regularly audit) the number of employees who have access to critical data.  Where local law allows, they may also deploy data loss prevention software and log system activity related to employees’ data access and transfer.

In theory, forensic work on computer records could also be used to uncover these crimes.  Such work, however, is expensive and time-consuming and has to be conducted initially by the victim, in order to provide the police with evidence required to commence an investigation

But what is really needed is for the legal and regulatory gap that currently exists between the two sides of the Atlantic to quickly be closed.  Put simply, if European companies are not being given the muscle to wage war against theft of their trade secrets, Europe, including Britain, risks losing them — along with their talent and wealth.  

In Europe, trade secrets are  protected  by a regime of legal provisions which are not primarily penal in nature. European Union Directive 2009/24/EC defines that copyright protection be applied to computer programs, giving rights of exclusivity to its owner.

But in the current Internet age, criminal law which protects trade secrets — confined to the general provisions concerning professional confidences over correspondence, electronic transmissions and telecoms and oral communication –demands to be addressed in a bolder manner. In Hedge Funds and Asset Management companies protection of IP is required in order to safeguard  investor interests and not just the  profitability  of the companies themselves.  For the Investment sector of the economy, protection of IP is not simply a trade and competition matter, but the subject of  regulatory concern and control in order to monitor and promote integrityand sustainability of fair practices.

One of Europe’s top attorneys, Alexandros Lykourezos, has commented:  “The penal protection of trade secrets, in order to be effective, must be scaled in relation to the party infringing on such secrets, in a manner that would either correspond to the value that such secrets have for the company from which they have been appropriated, or the perpetrator’s intended exploitation of such secrets.

“The knowing use of trade secrets by an employee with the intent to benefit personally or with other entities,   injures the company or owner of these secrets, and should be deemed a misdemeanour offence punishable with a sentence of up to five years and a fine.

“In fact, if the value of such trade secret exceed 1,000,000 euro (around £800,000), or alternatively the pecuniary benefit the offender intends to achieve by the illicit act exceeds 500,000 euro, the offence should be deemed a criminal offence punishable by a sentence of five to 25 years in jail.

“It should be deemed a criminal offence if the offence concerns credit institutions, brokerage houses or investment companies trading securities, or if the offender was intending to sell securities as a result of them infringing trade secrets.”

One additional important point to note is that modern financial and e-commerce companies—even the large onesare exceedingly mobile and can be set up in any country.  And AIFM Directive and Basel 2 have created a pan-European environment whereby assets under management need to be protected while managing risk on behalf of investors.  

Innovative and successful companies, which through long-term investment and effort have attained an advantage, must be allowed to operate within a legal and regulatory environment which respects and encourages—not discourages through inadequate IP protections—their contribution to the greater European economic good. 

Accordingly, the legal system and the regulators must work very quickly to implement the correct framework for the development and continued success of these industries in Europe.  This is particularly important since many of these companies are regulated globally and necessary measures must be arranged so as to allow global legal and regulatory co-operation for the control of cybercrime.

As James Lewis QC, one of Britain’s most experienced international criminal lawyers, notes: “Theft of intellectual property is every bit as criminal as robbing a bank and, in my experience, prosecutors the world over are preparing to punish and to stamp out this time of offence.  I am expecting major indictments in this area within the coming year, with the US Department of Justice leading the way.”

As investors and markets continue to be increasingly harmed by a lack of robust laws and efforts in Europe to combat economic espionage, there is the risk that U.S. prosecutors, and/or regulators will choose to exercise their laws to exert jurisdiction over these crimes in an effort to fill the vacuum.  United States Attorney Bharara made it clear in announcing the conviction of Agrawal:  

Agrawal was a thief who hoped to make a small fortune by stealing and copying sophisticated computer code that was the equivalent of gold bullion to his former employers.  [This] verdict sends a clear message that this Office and the FBI will investigate and prosecute the theft of valuable trade secrets for the serious crime that it is.” 

It is a message that is being heard loud and clear by European companies and it is a message that should not be lost on European lawmakers and regulators.

NOW WATCH: Briefing videos

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.