Protecting Company Confidentiality in China

Safeguarding company confidentiality in China presents a critical challenge in light of a dynamic regulatory environment and a rapidly evolving technological landscape. This article examines key strategies and legal considerations, offering insights into protecting confidential information against unauthorized access and disclosure.

Legal Framework

The abovementioned confidential information falls under the scope of trade secrets, which are protected by Chinese law. The legal foundation for the protection of trade secrets in China is set forth in the Anti-Unfair Competition Law (《反不正当竞争法》) (“AUCL”), which was most recently amended in 2019.

Article 9 of AUCL stipulates that trade secrets encompass commercial data, including technical and business information, which is not publicly available, holds commercial value, and is subject to appropriate confidentiality measures by the rights holder. Misappropriation of trade secrets encompasses various activities, including:

  1. obtaining trade secrets of another party through theft, bribery, fraud, coercion, hacking, or other improper means;
  2. disclosing, using, or enabling others to use trade secrets of another party acquired through the abovementioned improper means;
  3. (instigating, inducing, or assisting others in) disclosing, using, or enabling others to use trade secrets in breach of an agreement or a confidentiality obligation imposed by the rights owner; or
  4. obtaining, using, or disclosing trade secrets by a third party, while such third party is aware or reasonably expected to be aware that such trade secrets have been misappropriated through any of the abovementioned means.

Consequently, the leakage and exploitation of trade secrets constitute misappropriation. Any party that divulges trade secrets, or assists in divulging, obtaining, or using them, including rival companies, will be held liable for its actions. Affected companies are entitled to seek compensation from those responsible for misappropriation of trade secrets.

In addition to implications related to the protection of trade secrets, employees that misappropriate trade secrets may also breach their employment contracts, thus incurring contractual liabilities.

Protection Strategy

Information leakage by employees, whether intentional or accidental, poses risks to companies. To safeguard against such threats, it is crucial for companies to implement comprehensive strategies to prevent potential leakage. The following protection measures outline a robust approach for mitigating the risk of information leakage and ensuring the integrity of corporate information.

Establishment and Implementation of Policies

Developing comprehensive policies will provide clear guidance to staff regarding permissible use of various types of information to safeguard confidential data. These policies will also empower employees to make informed decisions concerning the protection of confidential information or trade secrets while taking into consideration future developments.

A company’s confidentiality policy is effective only when diligently implemented and consistently enforced. To achieve this, companies should ensure that all employees receive, understand, and acknowledge the policy through signed acknowledgment forms. Additionally, companies should routinely review and update their policies to align them with changes in business practices, technological advancements, industry regulations, and emerging threats.

Furthermore, it is recommended to set out the confidentiality obligation in detail in the employment agreement and employee handbook, to further clarify the information which companies consider confidential. These documents should describe in detail the confidential information concerned, such as personnel appointments, fee rates, client lists, and business plans, articulate employees’ duty of confidentiality, and specify the potential consequences of unauthorized or improper use or disclosure of confidential information, such as termination of employment, administrative and/or civil action, and/or criminal prosecution.

Identify Confidential Information and Protect Verbal Information

It is crucial for companies to identify information deemed confidential and establish written procedures for recording and handling of such information. Companies should classify and catalog confidential information according to the various departments or levels within the organization. Rather than broadly classifying all company information as confidential, companies should create and routinely update a comprehensive inventory of confidential information based on the confidential information cataloged by each department at various levels. 

A common practice is to label the carriers containing confidential information with markers such as “Confidential”, “Do Not Disclose/Copy”, etc. When stored electronically, the confidential information must be encrypted and/or be subject to restricted access.

Moreover, verbal information exchanged at internal meetings can also be confidential. Protecting the confidentiality of verbal information can be challenging. In practice, the following measures are commonly adopted by companies to safeguard orally conveyed information:

  1. Reminder and acknowledgment: Before a meeting starts, remind all attendees that the meeting is confidential and everything related thereto must be treated as such;
  2. Restrict meeting attendance: Limit invitations to only those individuals with a genuine need-to-know regarding the information being discussed; and
  3. Enforce a strict no-recording policy: Explicitly prohibit attendees from engaging in any form of unauthorized documentation, including recording and photography, during the meeting.

Security Measures

Implementing robust digital security measures is crucial for protecting confidential information from unauthorized access or theft. Some key practices include:

  1. using strong passwords and enforcing multi-factor authentication;
  2. regularly updating and patching software and systems;
  3. keeping sensitive data encrypted during both storage and transmission processes; 
  4. deploying firewalls, encryption, anti-hacker initiatives, anti-virus software, multi-factor authentication tools, and other technical protections;
  5. disabling USB ports or other portable devices or drives on company computers/laptops; and
  6. embedding blind watermarks into the distributed information or images containing confidential information to enhance traceability and deter unauthorized sharing and distribution.

In the event of litigation arising from a dispute over a breach of confidentiality, the presence of comprehensive security measures can support a company’s case, as they demonstrate that the company has made reasonable efforts to protect its trade secrets, increasing the likelihood of judicial recognition and protection.

Regular Training

It is advantageous to cultivate a company-wide culture emphasizing confidentiality and trade secret protection, treating it as an imperative with significant reputational, financial, and legal implications. To achieve this, it is vital to train employees on the importance of confidentiality. Regular reminders and updated training sessions can also help employees remain vigilant and reinforce the importance of confidentiality.

It is essential to conduct regular professional ethics education, trade secret compliance, and other specialized training sessions for managerial, technical, and operational staff who have access to sensitive information. Establishing a system of rewards and penalties can further reinforce the significance of confidentiality, ensuring that employees understand the implications of breaches and are committed to upholding established protocols, including confidentiality clauses in the employee handbook.

Actions to be Taken after Leakage

In the event of information leakage, swift and decisive action is of utmost importance in mitigating potential repercussions and safeguarding organizational integrity. This section outlines the structured approach and key steps to be taken immediately after leakage, so that the company takes a proactive stance in addressing and rectifying any breach of confidentiality.

Establish Immediate Response Protocol

In the event of a breach of confidentiality, it is crucial to establish an immediate response protocol. This should include activating crisis management to handle the breach. The response team should assess the severity of the breach, determine the scope of the leaked information, and initiate steps to mitigate any further damage. Prompt communication with all relevant stakeholders, including employees, clients, and partners, is also essential to prevent further leaks and maintain transparency and trust.

Track the Leakage and Identify the Person Implicated

Once a leak has been detected, it is vital to swiftly track the source of the leakage and identify the person or persons implicated in such leakage. A thorough analysis of digital records, including access logs and email trails, should be initiated and forensic techniques should be adopted to trace the origin of, and methods deployed in, such leakage.

Simultaneously, interviews with employees with access to the leaked information and a review of security protocols for potential weaknesses should be conducted. Once the party responsible for such leakage is identified, the following containment measures should be put in place in a timely manner:

  1. restricting access;
  2. securing compromised systems; and
  3. notifying stakeholders where required.

Take Legal Actions Against the Person(s) Implicated

Based on the findings of the investigation, legal actions might be taken against the person or persons found responsible for the information leakage. Such actions may include internal disciplinary action, such as termination of employment, as well as legal action, such as pursuit of civil litigation. 

Drawing from our experience, it is advisable to establish a precedent by filing a lawsuit against the employee who leaked the confidential information on purpose. This action would demonstrate the company’s unwavering commitment to the protection of confidential information and send a clear message to all stakeholders about the severe repercussions associated with breaches of confidentiality.

Concluding Remarks

Protecting a company’s confidential information is paramount to maintaining its competitive edge and safeguarding the trust of its stakeholders. It is therefore advisable for companies to contemplate and implement the aforementioned strategies, in order to reduce the risk of trade secret leakage and ensure the confidentiality of confidential information.