Recently, a US jury found Tata Consultancy Services (TCS) and Tata America International Corp guilty of stealing trade secrets and confidential information from Epic Systems, an American company. The amount of damages, awarded was a whopping $940 million, including $700 million as punitive damage.
Epic Systems is a Wisconsin based company and is a leading provider of software to the healthcare industry. Epic maintains a web portal called the “UserWeb,” which contains information regarding its products, training material and other documents detailing Epic’s software. TCS, on the other hand, has only recently entered the market for healthcare software.
As per the district court order here, the main issue that Epic raised was that the defendants (TCS and TCS America) had accessed its web portal without authorization while servicing a mutual client, and then used this information to develop their own competitive hospital management system software called “Med Mantra”.
As detailed in the order, the employees of TCS has unauthorisedly gained access to Epic’s UserWeb and had downloaded and emailed documents from this portal. The fake account that was created was shared among TCS employees, who together, downloaded around 6,000 documents and more than 1,600 unique files.Epic stated that the documents were a result of 30 thirty years of research and development.
However, TCS argued that access to the web portal and to these documents was necessary to complete the project for Kaiser (a mutual client) and therefore the information was not improperly used. Epic alleged that information has been passed on to other employees who were involved in the Med Mantra project, however, this was denied by TCS. TCS has denied stealing confidential information and plans to appeal this judgement.
In the past, as blogged about here, Satyam too was involved in a dispute regarding IP rights in relation to a US company which had outsourced software development to Satyam. While the Satyam case was more related to inadequate contractual provisions regarding transfer of IP rights, both these cases bring into perspective the lack of IP management by Indian software companies. As pointed out in our previous post, since IT firms continue to remain service providers, they should ensure that not only are their contracts clear but also ensure that they have management in place to ensure that the terms of the contract are being adhered to. In the present case, TCS had entered into a Standard Consultancy Agreement with Epic which provided for the requirement to maintain confidentiality. Though TCS had in place security safeguards at its offshore development centres, in that, they had authorised only certain employees as well as certain computers which were security enabled for use etc., they still retained certain computers that allowed access to the internet from which the employees had allegedly unauthorisedly accessed the Epic’s web portal. Epic on its part too, seems to have loosened security, because it did not deny access to the TCS employee who created the fake account on the false pretext of being an “employee” of Epic, which it could have done.
This case can also be contextualise, within the Indian legal framework dealing with misuse of confidential information and breach of confidence. Misuse of confidential information can be protected either – i) expressly through a contract or 2) even impliedly by equity.
Usually, contractual obligations bind employees/contractors not to disclose confidential information that was communicated to them during the course of their employment/project, and such contracts also usually provide for a certain duration of non-compete.
However, even in the absence of an express contractual obligation to maintain confidentiality, courts in India, have imposed an implied duty to maintain confidentiality. As followed in the case of V V Sivaram v. Foseco India Limited, 2006 133 CompCas 160 Kar -“crux of the case is that confidential information pertaining to the company is made known to employees of the company and contractors only in connection with the business of the company, and for the purpose of aiding the company in running its business. That the law imposes an obligation on the employees of the company to maintain confidentiality of all such information. This obligation is independent of any other contractual obligation that may be imposed expressly by the company”.
As stated in the case of Saltman Engineering Co. v. Cambell Engineering Co. (1948) RFC 203), a case relied on by several High Courts while deciding cases of breach of confidence, provides a simple three step test to decide when an obligation of confidentiality can be imposed. The three situations are as follows –
1. The information must be confidential in nature.
2. The information must have been communicated in circumstances importing an obligation of confidence. However, if the confidential information is communicated publicly or communicated in other such circumstances, this negates the duty of keeping the material confidential.
3. There must be unauthorised use of the information to the detriment of the person communicating it. This is based no the principle that a person who receives information in confidence shall not take unfair advantage of it.
This equitable requirement of keeping information confidential, even in the absence of an express contract, has been developed to protect the unauthorised use of the research and development of the who person who has created the information. It seeks to prevent third parties and especially competitors from “spring-boarding” from the time and money already invested, in order to gain unfair advantage over the competitor.