National Security Act 2023 creates new specific criminal liability risk for managers of businesses in UK

The National Security Act 2023 introduces a new risk of criminal liability for the senior managers of corporates and other organisations. Those organisations can, however, take steps to reduce this risk.

Businesses in, or that work with, the defence or national security sectors should be particularly alive to compliance with the Act, due to the nature of information they possess. However, the Act will have wider implications for any business as trade secrets are also confidential information covered by it.    

What is the National Security Act 2023?

The National Security Act 2023 (the NSA), which received Royal Assent on 11 July 2023, introduces a number of new offences intended to further protect the UK against the threat of espionage and sabotage by hostile actors. Parliament has tried to create a regime which is fit for the digital age and modern methods of spying. The offences are likely to come into force in the spring once regulations are enacted and further government guidance has been published.

The espionage offences include:

• obtaining or disclosing protected information (section 1);
• obtaining or disclosing trade secrets (section 2);
• assisting a foreign intelligence service (section 3); and
• preparatory conduct that acts as a precursor to state threats offences and other harmful acts (section18).

Prospect of criminal liability

There may be liability for the corporate and relevant directors/partners/managers.

Corporate bodies can commit the espionage offences if the person committing the offence has the "directing mind and will" of the corporate body.

The government has not sought to include a "failure to prevent"-style offence. It has also not (yet) included the espionage offences in the list covered by the codified identification principle in the Economic Crime and Corporate Transparency Act – in other words, for a corporate body to be criminally liable under the NSA, it is still necessary that the person committing the offence have the "directing mind and will" of the organisation. This may change: the Criminal Justice Bill (introduced to Parliament on 14 November 2023) expands the identification doctrine (and would replace certain provisions in the Economic Crime and Corporate Transparency Act) so as to allow criminal liability to be attributed to companies and partnerships whose senior managers commit any criminal offences while acting within, or apparently in scope of, their authority (clause 14). The bill will receive its second reading on 28 November.

Currently, however, "officers" of an organisation could be liable for an espionage offence where (i) the organisation commits one of the above offences under the NSA; and (ii) that happens with the consent, connivance or due to the neglect of the officer of the organisation.   

The concept of "officer" is wide. It includes a director, member of a committee or management executive, manager, company secretary, partner, someone who is concerned in the management or control of the body, or any person that purports to act in any that capacity.

Penalties

A person who commits an offence under sections 1 – 3 of the NSA is liable to imprisonment for up to 14 years or a fine (or both).  A person who commits a section 18 offence is liable to imprisonment for life or a fine (or both).

Corporates that commit an espionage offence face fines but also, and perhaps more significantly, the commercial and reputational consequences, which may well be considerable.

Osborne Clarke comment

Section 35 NSA creates an additional potential liability, for managers of organisations, for offences in Part 1 of the Act. Businesses should take steps to understand their potential exposure to these risks and implement effective actions to mitigate and minimise those risks.

However, given the serious nature of the offences, it is interesting that the UK government has opted, at least for the time being, not to include a strict liability "failure to prevent" offence, which would make a company criminally liable where it has failed to prevent misconduct by one of its employees. It has taken that step in relation to offences under other Acts in order to drive good corporate risk management.

Consequently, organisations may currently take the view that their corporate legal exposure is less than it might be because establishing the "directing mind and will" to bring charges against a corporate has proved very challenging for prosecutors (and was part of the justification for the introduction of strict liability "failure to prevent"-style offences).

Nevertheless, businesses should include the NSA offences when assessing their exposure to potential corporate and director/officer criminal liability; and work out how best to mitigate identified risks with appropriate systems, procedures, training and controls.  

For businesses which are already "on the front foot" with governance and regulatory compliance, checking whether their existing systems and procedures give good protection against NSA liability is sensible. Where a business is uncertain on that front, it may need to implement new systems and procedures to reduce the specific NSA risks.

Finally, if the "failure to prevent" offence is extended to the Act in the future, we will issue an update to this Insight.

If you would like to discuss any issues arising from this Insight, please get in touch with your usual Osborne Clarke contact or one of our experts listed below.