Duty to speak? Staying silent when you have breached the contract may be fraud, says the Helsinki District Court
Failure to inform the contracting party of a breach of contract can be considered fraud under the Finnish Criminal Code, confirms a ruling of the Helsinki District Court that recently became final at the Helsinki Court of Appeal.
According to the Helsinki District Court’s ruling (13/123154), if you fail to inform someone you have a contract with that you have breached the agreement, this may constitute fraud and subject company management to criminal liability.
However, this conclusion is not that straightforward, as the specific facts of the case were highly relevant to the outcome.
The District Court’s ruling became final after all the parties recently withdrew their respective appeals from the Helsinki Court of Appeal. Thus, the ruling is worth a closer look.
Background of the case
In 2003, an information and communication technology company agreed to provide certain Finnish authorities with electronic certificate systems.
The authorities in question must, under Finnish law, ensure rigorous data protection for the electronic certificate systems. Therefore, the contracting parties agreed on a specific contract clause obligating them to notify the other party of a breach of contract.
During the transfer of a part of its business, the company accidentally leaked a data folder containing critical information on the certificate system of the authorities to an outside company. The company decided not to inform its contracting parties of the data leak.
Not speaking could be deception
The District Court ruled that concealing a data leak was a breach of contract. Moreover, concealing was interpreted as “deception”, as stated in the statutory definition of fraud under the Finnish Criminal Code.
Under the Finnish Criminal Code, it is criminal to deceive another into doing something or refraining from doing something in order to obtain unlawful financial benefit. The deceived party must also suffer economic loss as a result.
According to the District Court, deception means creating an incorrect impression of a matter that may influence the counterparty’s decision-making.
The court reasoned that the company’s contracting parties had been under the incorrect impression that the company was complying with the data protection requirements under the contracts. The company had not actively created the impression, but it had failed to correct it.
In its ruling, the court stated that in business, generally speaking, it is acceptable to pursue one’s own interests to a certain extent and not all unfavourable facts have to be told to the counterparty. However, in this case the court seems to have taken into account the contractual obligation to notify the contracting party, as well as the reason behind the notification clause: the rigorous data protection requirements.
The court also infers that the company’s failure to notify the contracting parties of the breach was considered fraud not only because of the specific contract clause on notification, but also because the obligation to notify the contracting parties had been based on these authorities’ legal duties to ensure the reliability of the electronic certificate system.
Allocation of criminal liability
The ruling also sheds light on the allocation of criminal liability within a company. A total of six former and current employees of the company faced criminal charges, but only the managing director was held liable.
The District Court found relevance in who ultimately had the legal obligation to inform the company’s counterparties of the data leak and was in the best position to conceal it. According to the court’s ruling, the managing director’s liability is based on the formal status of the managing director, together with his actions.
Practical implications for all companies
For companies operating in Finland, this case teaches us that if you contractually create a duty to speak and then fail to speak when you breach the contract, Finnish courts may deem this fraud and subject company management to criminal liability.
This duty to speak, at least in this case, existed because the parties had contractually obligated themselves to inform each other of a breach. This duty, compounded with the statutory obligation to protect data, was relevant to the outcome. The court inferred that even if the parties had not contractually created a duty to speak, such a duty may nevertheless have existed based on the need to protect data.
Should, on the other hand, your contract – or the facts of your particular circumstances – not give you a duty to inform a counterparty of a breach, you may potentially rest more easily should you decide to remain silent. But this is a risk company management must weigh closely, depending on the facts present.