You will be redirected to the website of our parent company, Schönherr Rechtsanwälte GmbH: www.schoenherr.eu
Business secrets are essential assets of companies, and are often the reason for a company having a competitive lead in a market. Thus, they constantly seek to develop new technologies, algorithms or software to create such intangible assets.
Due to their significant economic value, companies try to protect their business secrets from unintended disclosure, or leaks through ever increasing cyber-attacks. In this article we explain some aspects of legal protection available under Austrian law.
1. Protection under criminal law
When it comes to cyber-attacks and the protection of business secrets, most people think of "compliance" with its various facets such as internal guidelines, technical security systems, staff training or – in the aftermath of an attack – internal investigations. However, the Austrian Criminal Code ("ACC") also provides for various protective provisions:
In the case of cyber-attacks, affected companies are thus well-advised to assess possible actions under criminal law, especially since criminal proceedings provide the following advantages:
(i) Public prosecutors and courts may apply investigative measures which are not available to the company itself, such as house searches or seizure.
(ii) The public prosecutor is generally in charge of investigations and must clarify the facts and gather evidence.
(iii) The victim can participate in the criminal proceeding as a "private party" to request compensation for the damages caused by the perpetrator without any court fees (as would be the case in civil law proceedings).
(iv) Criminal proceedings may be a good starting point for further civil law actions.
Criminal proceedings can thus be a good way to limit damages and to clarify the situation.
2. Initiating criminal proceedings
Criminal proceedings are generally initiated and conducted by the public prosecutor. Therefore, victims would in practice file a statement of facts (Sachverhaltsdarstellung) with the public prosecutors' office to encourage it to start investigations. It is crucial that such a statement includes strong evidence as the initiation of criminal proceedings requires sufficient initial suspicion (Anfangsverdacht) which is the case if there is concrete evidence that an offence has been committed; mere suspicion or vague indications are not sufficient.
However, some of the relevant offences at hand are of a specific nature as they are subject to private charges, which means that the victim has to investigate the case, provide evidence and file a criminal charge with the court. Nonetheless, evidence-protection measures may be requested from the court in that case too.
3. Cyber-attack! What to do?
In the event of a cyber-attack or the leak of business secrets, the affected company should immediately consider and clarify the following:
(i) What information on the incident is currently available?
(ii) Who is the potential perpetrator? What evidence is available and was it secured? Who are potential witnesses?
(iii) Who needs to be informed? Are external experts needed to clarify the situation?
(iv) Which actions under criminal law are available?
If you have further questions on this topic or if you are affected by a cyber-attack do not hesitate to contact us.
authors: Christoph Haid and Michael Lindtner