Both parties in this case produce and commercialise ticket and entry systems for skiing areas, stadiums and similar establishments and have the same customer circles. The plaintiff additionally runs server installations for internet use by its customers, who use its systems to store clients' data. This data is protected by a login requiring a username and password. The data can be read in the form of reports, for example concerning names and addresses of buyers of tickets. The same is possible on a server of a larger customer on which the plaintiff runs that application for the customer. These reports were routinely stored on caches as intermediate storage media.
In 2015 an employee of the defendant began to connect to the server by circumventing the password protection. No usernames and passwords were disclosed to the plaintiff. That employee had taken a picture of the computer screen at a customer who made an analysis of competitors and therefore had invited the defendant. From that photo a certain internet address (URL) could be gathered. By trial and error and slight modification of that URL also other reports could be downloaded. Only in February 2016 had the plaintiff installed enough changes which ended the intrusion of the defendant.
The defence centered on three topics, namely, (1) there is no trade secret since the data was easily retrievable, (2) there is no trade secret of the plaintiff, therefore it has no active legitimation to sue, and (3) there is no proof of an act against law or moral since it remained open whether the respective customer had consented to the screen being photographed and the onus of proof lies with the plaintiff. But the defendant lost in all three instances. The Supreme Court found (4 Ob 165/16t):
- These data are trade secrets. The hitherto valid definition of trade secrets in Austria is: technical or commercial facts and knowledge only known to a certain limited number of persons and which should not become known to others and there is an economic interest that they remain secret. The will to keep these facts and knowledge secret need not be declared clearly. It suffices that it can be deducted from the behaviour of the entrepreneur that certain not generally available information should be kept within a restricted circle.
This prerequisite is met with data that can only be read regularly by logging into a database protected by a username and password. This protection shows that the data is restricted to a certain circle of persons. The existence of security loopholes – as apparently present in this case – does not allow the conclusion that the entrepreneur no longer has any interest in keeping the data secret. Third parties would have to guess that the entrepreneur had no knowledge about these loopholes.
The Directive (EU) 2016/943 of June 8 2016 on the protection of undisclosed know-how and business information (trade secret) against their unlawful acquisition, use and disclosure published in the official Journal of the EU No L 157/1 does not disprove that finding. The third part of the definition in Article 2 paragraph 1(c) states that trade secrets are protected if the information "has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information to keep it secret". It does not matter whether this part of the definition could eventually mean that no loopholes for easy access have to exist besides the central protection by password since member states are allowed to grant a wider protection as required by that Directive. Therefore, sensibly restricted password protection is for the time being sufficient to grant trade secret protection.
- Here, the data is (also) a trade secret of the plaintiff. The customer's data is in the custody of the plaintiff and the plaintiff has a strong own interest in the secrecy. Without it the contracts with the customer would not be renewed and severe danger claims from the customers would be threatening. These two conditions, right of disposal and own interest in secrecy, suffice for an active legitimation to sue.
- There can be no doubt in the illegality of retrieving data by intrusion into another's computer system. The defendant centres the legality of its acts on a supposed allowance of the customer to take a picture of the computer screen. But that is irrelevant. It does not follow from that allowance that there is consent to download his own data and even less to download data of other customers.
In effect all three aspects of the defence were unsuccessful.
This case shows that trade secret protection is alive in Austria. We shall see in what way the EU Directive on trade secret protection will enhance that protection.
SONN & PARTNER Patentanwälte
A-1010 Vienna, Austria
Tel: +43 1 512 84 05
Fax: +43 1 512 98 05