In practice, the following types of trade secrets are distinguished:
- information about the financial situation of the company;
- information about the company's developments (know-how, industrial designs);
- data about clients, contractors and other partners of the organization;
- information about the property of the enterprise and its value;
- other commercial information.
To limit the spread of confidential information, companies take measures to protect it. For example, they appoint responsible persons, and on the basis of the Labor Code of the Russian Federation, they include in employment contracts a condition on the responsibility of employees for the illegal disclosure of confidential information about the enterprise.
The following information cannot be a trade secret:
- about the founders of the company and its management;
- about the characteristics of labor and the number of employees;
- about non-compliance with legal requirements;
- on documentation giving the right to engage in business;
- about the state of fire safety;
- about salary arrears;
- on the conditions of competitions and auctions.
When charged with disseminating confidential information, you should find out what data was transferred to third parties. Criminal liability arises only for the disclosure of information constituting a trade secret. It is advisable to seek help from an experienced lawyer. He will tell you how to prove that your actions do not constitute a crime.
Access right
The owner of the information has access to the trade secret. The owner may allow anyone to use the secret data, mainly employees of the company or contractors of the organization. Note that an employee can be given access to information that constitutes a trade secret only with his consent, since this imposes certain obligations on him.
If state bodies or local government bodies want to gain access to information that constitutes a trade secret, then they must submit their motivated request to the organization. The request must be signed by an authorized official, indicate the purpose and legal basis for requesting information and the deadline for its provision.
Note
If the provision on “secret” and liability for the illegal collection and dissemination of information constituting this secret is not provided for in the initially concluded employment contract, then be sure to fix this rule in an additional agreement to the employment contract.
The owner of information constituting a trade secret has the right to establish, change, cancel the trade secret regime in writing, and use the information for his own needs in a manner that does not contradict the law. The owner has the authority to allow or deny access to trade secrets.
The owner of a “trade secret” has the right to require those to whom access has been granted to comply with the duty to protect its confidentiality. In addition, if persons acquired the right to access classified information as a result of an error or accident, then they are also obliged to protect confidentiality.
Legislation on the protection of trade secrets
At the federal level, the Law on Trade Secrets dated April 29, 2007 No. 98-FZ is in force. To implement its requirements, organizations adopt the necessary internal documentation and take measures to protect classified data:
- a list of information that is assigned the status of a trade secret is approved;
- rules for working with confidential data are introduced;
- employees of the organization who are responsible for disclosure are determined;
- the position is approved and changes are made to job descriptions and labor contracts;
- financial liability is introduced;
- a lockable cabinet or safe is allocated;
- personal access to computers is provided.
Employees sign a written commitment to confidentiality throughout their employment with the company. Former employees remain liable after termination.
Examples of cases of improper receipt and disclosure may include:
- discovery of documentation containing confidential information in an employee's possession outside the company;
- recording the fact of disclosure using a video surveillance camera;
- sending secret data via email or copying it to a flash drive.
It is necessary to distinguish between two types of liability: criminal and administrative. When qualifying an act as criminal, it is established that the perpetrator has direct intent and selfish goals. If the crime is aggravated by causing damage on a large scale or with grave consequences, the court will impose a more severe sentence. The Code of Administrative Offenses of the Russian Federation provides for a more lenient punishment in the form of a fine (Article 13.14 of the Code of Administrative Offenses of the Russian Federation).
Banks propose up to 20 years in prison for stealing customer data
“It is necessary to separate the concept of ‘banking secrecy’ from other secrets, because obtaining this particular information is widespread: now in the Russian-language part of the darknet (shadow segment of the Internet. - RBC) almost 2 million buyers are registered who want to gain access to banking secrecy,” says Voylukov.
Credit organizations also want to add definitions of “illegal access” and “illegal collection” of bank data to the Criminal Code. But the main thing is to significantly tighten sanctions for crimes under Art. 183 of the Criminal Code of the Russian Federation.
RBC sent inquiries to the top 10 banks.
How are they punished for data theft?
The Criminal Code provides penalties even for collecting information without further disclosure if it contains commercial, tax or banking secrets. Stealing documents or obtaining data through bribery or threats is considered illegal. The minimum punishment under this part of the article is a fine of up to 500 thousand rubles or equal to the annual income of the convicted person. The maximum is imprisonment for up to two years.
If a citizen had access to such information at work, but decided to use or disclose it, he faces a fine of up to 1 million rubles, a ban on holding certain positions for up to three years, correctional or forced labor, or imprisonment for up to three years. If the court sees “selfish interest” in the actions of such an employee, then the sentence can be increased to five years in prison. The maximum penalty under this article—seven years in prison—is applied to those whose actions in disclosing commercial, tax or banking secrets had “grave consequences.”
According to InfoWatch estimates, in January-September 2021, 79.1% of data leaks from Russian companies occurred due to internal violations. Moreover, in Russia the share of “losses” due to the fault of workers is twice as high as in the world - more than 72%. The financial sector ranks second in the frequency of data thefts, accounting for 18.9% of such incidents.
In the fall of 2021, the Central Bank for the first time revealed the scale of sales of personal data of Russians: in the first half of last year, experts discovered 13 thousand such advertisements, only 1.5 thousand of them turned out to be bank databases. Since then, the regulator has not published such statistics, but has repeatedly indicated that social engineering is still considered the most popular type of fraud. For this method, data related to banking secrecy is not necessary; they only clarify and supplement the necessary information, as stated in the report of FinCERT (Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere of the Bank of Russia).
In the first half of 2021, 374 cases of illegal access of bank employees to information about customer accounts were recorded, according to Central Bank statistics. The damage from the actions of managers was estimated at 7.4 million rubles.
Will tougher punishment work?
Most often, illegal actions with client data are committed by employees of cellular retail and banks, says Andrey Zaikin, head of the Information Security department at IT. According to him, in the first half of 2021, the number of data leaks caused by staff increased by 47%, but only a third of incidents can be considered intentional, when an employee deliberately sells client data. The rest are accidental leaks, for example as a result of phishing or device hacking.
At the same time, criminal prosecution under Art. 183 of the Criminal Code of the Russian Federation is a rarity; about 100 cases are opened annually and only a few reach the court, notes senior lawyer Alexey Lezhnikov. In most cases, the defendants are bank employees who either provided information about a client-legal entity to his competitors or sold databases of client-individuals. Most often, those accused under this article get off with fines, since most crimes are classified as minor and moderate, he adds.
“The current penalties for collecting and disclosing information constituting bank secrecy do not correspond to the complexity of disclosing and identifying [such cases]. At the same time, “draining” the client database can lead to a series of crimes and multimillion-dollar damage with a large number of victims,” the lawyer admits, but believes that it is not worth radically increasing the threshold of punishment. “It seems reasonable to set the limits of punishment from five to ten years,” notes Lezhnikov.
There is no need to specifically highlight “banking secrecy” from the article or clarify the specifics of collecting financial information, according to lawyers interviewed by RBC. “There is no need to additionally specify in the Criminal Code issues related to the illegal collection and theft of bank data, since this method is covered by the disposition of the article and does not require additional mention,” notes BGP Litigation lawyer Marat Khuzhin. He also does not support tougher penalties for data theft.
According to Khuzhin, the number of sentences under Art. 183 will increase if the amendments are adopted, but the new practice “may be fraught with consequences for a significant number of people.” “We need to improve the quality of work of law enforcement agencies, raise the standards of evidence, and not strengthen sanctions, thereby waving a criminal legal cudgel. First, it is necessary to solve systemic problems in the application of Art. 183 of the Criminal Code of the Russian Federation, which are clearly visible in practice, make the existing legal mechanism work, and we will make sure that this structure can function and solve problems of protecting bank secrecy without the need to strengthen sanctions,” emphasizes RBC’s interlocutor.
If we take into account not only the sale of client databases, but also the so-called information breach (obtaining data about a specific client), then “leaks” occur almost continuously, says Ashot Oganesyan, founder of the data leak intelligence service DLBI. According to the expert, the risk of a long prison sentence will simply raise prices for such products. He considers the banks' proposals an attempt to shift responsibility for data theft to ordinary employees. “To improve the situation, it is necessary to increase the responsibility of legal entities, which will encourage them to invest in protection systems,” the expert emphasizes.