INTRODUCTION
Corporate espionage, also known as industrial espionage, is an act of obtaining trade information or trade secrets from competitors through illegal or unethical practice, which could involve spying on competitors to gain an undue and unfavourable business advantage.
Corporate espionage poses a grave threat to businesses whose information play significant role in their operations. A company whose information is obtained illegally could suffer devastating financial consequences arising from any such unwelcome exposure.
In the world today, this phenomenon has continued to threaten the existence and daily operations of businesses as well as the economy. With the advent of advanced technologies and the digitalization of business processes, the risk and impact of corporate espionage have also become magnified. Hence, in the United State of America, amongst other regulatory clampdowns, The Economic Espionage Act,1996 prescribes a penalty to be imposed on any person or organization that knowingly commits the offence of corporate espionage.
In Nigeria on the other hand, there appears to be no legislation that has specifically defined and addressed corporate espionage, or indicated what could be classified as a trade secret. However, by virtue of Nigeria being a signatory to the Agreement on Trade Related Aspect of Intellectual Property Rights (the “Agreement”) of 1995, which has specifically provided for information that could be regarded as a trade secret, we could refer to that Agreement in establishing the nature of information that could be regarded as a trade secret.
This article explores the impact of corporate espionage on businesses and economies, specifically from the perspective of the Nigerian Data Protection Act (NDPA), 2023 and the Nigerian Data Protection Regulations (NDPR) 2019.
UNDERSTANDING CORPORATE ESPIONAGE
Corporate espionage encompasses a variety of activities, including theft of trade secrets, intellectual property and other confidential business data. Infiltrators engaged in corporate espionage could be typically divided into the following categories:
a. Insiders
b. Outsiders
“Insiders” are usually employees of the target company, especially employees in positions that handle crucial company information, such as executives, engineers, managers and IT personnel. Insiders have been found to be primary perpetrators of corporate espionage, as they have access to enormous information of the Company, including information that is valuable to the Company. In 2022, an employee was convicted for attempting to steal ground and aviation-based turbine technology from his employers to give to interested third parties. Upon conviction, the employee was sentenced to 24 months in prison, one year of supervised post-imprisonment and a fine of $7,500[1].
“Outsiders” on the other hand are usually spies, hackers or attackers that operate from outside the company. There are several instances where this has been the case, for instance it was reported in the year 2022 that about 30 Multinational pharmaceutical and energy companies lost trillions in intellectual property caused by a cyber operation spearheaded by a hacker.[2]
IMPACT OF CORPORATE ESPIONAGE ON BUSINESSES
Corporate espionage has had a negative global impact on businesses, and it is considered to be a key factor when calculating the cost of cybercrime globally. Some of the identifiable impact of corporate espionage on businesses include:
a. Financial Losses: Several businesses have suffered significant financial losses due to corporate espionage. The news and the internet are replete with instances of events where companies have suffered huge financial losses due to corporate espionage, as already referred to above. Most losses stem from stolen intellectual property, which competitors could modify, reverse engineer, or use to develop similar products, thereby diminishing the victim company’s market share and profitability, and it could also be in form of stealing actual trade secret that could jeopardize the operation of the company from whom such secret is obtained.
b. Reputational Damage: Another way corporate espionage can impact a company is that it could create reputational damage for a company who is unfortunate to fall victim. Trust and reputation are critical assets for any business and a successful espionage could expose personal information of customers and other stakeholders in the company, which could erode customer trust, damage the company\’s reputation, and lead to a loss of business opportunities from existing or potential customers.
c. Operational Disruption: For companies whose trade secrets form the core of their operations, corporate espionage could cause material operational disruption. A breach or compromise of the critical information systems of such companies, could potentially lead to a downtime and decreased productivity.
d. Legal and Compliance Costs: Corporate espionage mostly impacts the company from a legal standpoint, as companies are exposed to diverse lawsuits, including class actions where applicable, in an event of a successful espionage. Businesses may also face other severe legal and regulatory penalties if a corporate espionage results in the breach of data protection laws, consumer protection laws or other regulatory requirements as may be applicable in any such event.
IMPACT OF CORPORATE ESPIONAGE ON THE ECONOMY
a. Economic Instability: Where a company’s secret and data are assumed or proven to be insecure or unsafe, the shareholders and investors are likely to react negatively react to situations of this nature, which could question investor’s confidence in the economy, and further undermine economic stability by eroding the competitive advantage of companies and also leading to reduced investments and economic growth.
b. Loss of Innovation: Most of the trade secrets that a company fiercely protects are innovative acts together with its intellectual property. It is generally known that innovation drives economic progress. When trade secrets and proprietary technologies are easily stolen, it discourages investment in research and development, stifling innovation and technological advancement.
c. Job Losses: Corporate espionage can potentially reduce the rate of competitiveness among companies, and it can also amount to financial losses that could lead to business closures and downsizing, ultimately resulting in job losses and increased unemployment.
d. National Security Threat: In some cases, corporate espionage could become economic espionage. Such events could pose a threat to national security, particularly when it involves critical infrastructure or strategic industries.
CORPORATE ESPIONAGE AND THE NIGERIAN DATA PROTECTION PERSPECTIVE
Data Protection in Nigeria is governed by the more recent Nigeria Data Protection Act (NDPA) 2023 and the earlier Nigerian Data Protection Regulation (NDPR), 2019. These legislations primarily provide the framework for data protection in Nigeria. The NDPA and the NDPR have some relevant provisions that could serve to prevent corporate espionage in Nigeria.
While the primary objective of the NDPA is to ensure that personal data is processed in a fair, lawful and accountable manner,[3] we will explore the relevant provisions of the NDPA and NDPR in relation to corporate espionage.
We also note that the NDPA defines personal data as:
“Information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as name, an identification number, location data, an online identifier or more factor specific to the physical, psychological, genetic psychological, cultural, social or economic identity of that individual”[4]
PROVISIONS OF THE NIGERIAN DATA PROTECTION LEGISLATION RELATING TO CORPORATE ESPIONAGE.
There are provisions within the NDPA and the NDPR, which if well implemented, could effectively reduce and prevent companies’ exposure to corporate espionage.
The data protection legislation has made it mandatory for data controllers and processors to implement adequate security measures to protect personal data against unauthorized access, misuse, loss, or destruction.[5] These security measures are also required to be periodically tested and regularly updated to ensure the consistency, adequacy, reliability and integrity of these measures in a bid to optimise the security of data and the relevant information systems of data controllers and processors.
The legislation also makes it mandatory for organizations to report data breaches to the National Information Technology Development Agency within 72 hours of becoming aware of the breach. This provision ensures prompt action to mitigate the impact of data breaches resulting from corporate espionage. S. 40 (2) of the NDPA provides thus;
“A data controller shall within 72 hours of becoming aware of a breach which is likely to result to a risk to the right and freedom of individuals, notify the commission of the breach and, where feasible, describe the nature of the personal data breach including the categories and approximate numbers of data subject and personal data records concerned.[6]”
Furthermore, the legislation grants individuals rights over their personal data, including the right to access, rectify, and erase their data. These rights help in identifying and addressing unauthorized access to personal data. In addition, several penalties and a possible imprisonment are prescribed in respect of offences committed or for a breach of these legislations which will serve as a deterrent against lax data protection compliance or practices that could facilitate corporate espionage.
If adopted, the current provisions of the NDPA, particularly, will serve to minimise the incidences of and exposures to corporate espionage while it is left to be seen if it could effectively put a total end to such incidences.
CONCLUSION
Corporate espionage presents a formidable challenge to businesses and economies, particularly in a digital era where data is a critical asset. The Nigerian Data Protection Act 2023 as well as the Nigerian Data Protection Regulation 2019 collectively offer a robust framework that could be applied and explored for protecting data, thereby mitigating the risks associated with corporate espionage. However, businesses must proactively implement and adhere to these regulations to safeguard their information as well as the integrity and security of their relevant information technology systems while working towards maintaining their competitive edge. Strengthening data protection practices will not only shield businesses from espionage, financial losses, severe regulatory sanctions, loss of customer faith, and possible collapse, but it also contributes to the overall economic stability and growth of the country.
[1] https://www.investopedia.com/financial-edge/0310/corporate-espionage-fact-and-fiction.aspx
[2] https://www.cbsnews.com/amp/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/
[3] Section 1(d) of the Nigeria Data Protection Act.
[4] Section 65 of the Nigeria Data Protection Act.
[5] Section 39 of the Nigeria Data Protection Act
[6] Section 40 (2) of the Nigeria Data Protection Act.
Please do not treat the foregoing as legal advice as it only represents the public commentary views of the authors. All enquiries on this Brief should please be directed at:
![\"\"](\"https://ao2law.com/wp-content/uploads/2019/09/AXR_9843-copy-150x150.jpg\")
Ekene Ugbede
Senior Associate
ekene.ugbede@ao2law.com
![\"\"](\"https://ao2law.com/wp-content/uploads/2023/08/KEMI-BELLO-LONG-150x150.jpg\")
Oluwakemi Bello
Associate
oluwakemi.bello@ao2law.com
