On Oct. 11, 2012, the government warned that the United States will be confronted with the possibility of a "cyber-Pearl Harbor" attack by foreign computer hackers who could unleash havoc on the nation's power grid, transportation system, financial networks and government.[FOOTNOTE 1]
Such harrowing warnings should sound the bell for American businesses to follow the example of the federal government and immediately take precautions from a potentially crippling cyber attack, as well protect themselves from government investigation and prosecution for insufficient protection and disclosure of such attacks. Indeed, the U.S. Department of Justice (DOJ) has recently responded to cyber dangers by providing funding to stop the importing of counterfeit goods, technology thefts and computer hacking attacks against American businesses, while at the same time, the U.S. Securities and Exchange Commission (SEC) has indicated increased review of public company reporting on cyber risks.[FOOTNOTE 2] Accordingly, this article addresses the current state of significant cyber dangers, regulatory efforts to protect intellectual property and cyber systems, and the consideration and implementation of policies and procedures for businesses designed to prevent intrusion and theft as well as create effective responses to cyber attacks and proper disclosure of such risks.
IP protection and cyber attack avoidance deserve significant resources.[FOOTNOTE 3] The government has determined that cyber crime is a matter of national security, and may overtake terrorism as the primary national concern.[FOOTNOTE 4] In fact, a PWC survey of financial services firms found cyber crime is the second most common economic crime after asset misappropriation, with reputational damage being the biggest concern.[FOOTNOTE 5] Further, a majority of those businesses surveyed did not review social media sites or have cyber crisis or response plans, while others had no cyber security training, regular or formal review of such occurrences by senior management or boards of directors.
The DOJ has responded by publishing prosecutor guidelines to investigate and commence actions against those who steal computer data through computer hacking, IP theft and product and service counterfeiting in, among other industries, pharmaceutical, financial services and defense contracting.[FOOTNOTE 6]
CYBER CRIME, IP THEFT STATUTES
Prosecutors and businesses have used several statutes to address stealing computer data and intellectual property.[FOOTNOTE 7]
In particular, the Federal Computer Fraud and Abuse Act of 1984 (CFAA),[FOOTNOTE 8] a statute originally enacted to criminally prosecute people who hack into computer systems of the federal government and financial institutions, has been used by prosecutors and businesses against employees. However, federal appellate courts have disagreed over its use, potentially raising the specter of U.S. Supreme Court review.[FOOTNOTE 9]
The Economic Espionage Act is also used by prosecutors to prevent "theft, unauthorized copying, or intentional receipt of a trade secret,"[FOOTNOTE 10] by criminalizing trade secret theft benefiting foreign governments, instrumentalities or its agents; or when a non-owner obtains an economic benefit. Similarly, prosecutors (and private litigants) use the Digital Millennium Copyright Act to prosecute IP theft,[FOOTNOTE 11] as well as the Federal Wiretap Act, Electronic Communications Privacy Act, Stored Communications Act and other federal and state statutes.[FOOTNOTE 12]
Federal, state and foreign regulators have also instituted reporting regulations for companies that suffer a cyber attack or data breach.[FOOTNOTE 14]
The SEC published guidelines for public corporations that suffer cyber attacks or data breaches to disclose certain information if such events will materially affect the company's operations, liquidity, financial condition, viability, product or customer lines, losses and ongoing litigation, among other things. The SEC requires these disclosures to have specific content and be in "plain English."[FOOTNOTE 14] Although there has been government pressure, cyber crime disclosures remain alarmingly infrequent, perhaps due to the advertisement to would-be criminals of entry points in IP security infrastructure.[FOOTNOTE 15]
Additionally, the overwhelming majority of states have instituted data breach laws, but many conflict with one other.[FOOTNOTE 16] Self regulatory organizations, such as the Financial Regulatory Authority Inc. (FINRA), are also actively involved in establishing "firewalls" to protect confidential customer information,[FOOTNOTE 17] such as protecting customers' funds from potential phony e-mail requests.[FOOTNOTE 18]
CYBER DANGER POINTS
As such, companies must recognize unauthorized IP and computer system access sources and develop protocols to protect their IP and critical systems. These sources are numerous.
Initially, recognizing one's employees as a crucial link in this process is paramount as is the company's email system.[FOOTNOTE 19] Emails are the gateway to a company's computer system, and a likely weak point.[FOOTNOTE 20]
Hackers are also, most likely, thieves. A sweep conducted by the DOJ and the Internal Revenue Service (IRS) earlier this year found more than 105 hackers in 23 states, resulting in more than 939 criminal charges relating to identity theft and other crimes.[FOOTNOTE 21] The SEC has also brought securities fraud actions in computer hacking matters.[FOOTNOTE 22]
Surprisingly, government agencies, both foreign and domestic, have also been sources for data breaches.[FOOTNOTE 23] The SEC, in fact, was criticized for failing to develop a cyber security plan to protect its confidential information.[FOOTNOTE 24]
Likewise, law firms are also not immune from cyber risks. They have been found to be weak links in certain cyber security programs because law firms are prime targets for cyber thieves given the quantity and quality of information maintained by a business' law firm.[FOOTNOTE 25]
PRACTICES AND PROCEDURES
Despite these protections and source knowledge, companies must still engage in a critical process to protect themselves from IP thefts and cyber breaches.
Initially, companies must identify their IP and critical data "inventory." Essentially, companies must determine the IP and information in need of protection, develop specific procedures and policies, and allocate resources to particular areas requiring more protection, such as patents and proprietary information. Once complete, companies must prepare, implement and later audit policies and procedures, including, among other things, preparing corrective measures and responses if an incident occurs.[FOOTNOTE 26]
In evaluating the types of information requiring protection, companies must identify the company's IP to determine if it is necessary to or effectively protecting its IP, and if the company is ready to respond to an intrusion or theft. Companies must also consider third-party access to this information, and if it is a potential security threat for cyber criminals.
Thus, although this list is not exhaustive, companies must review and consider all relevant potential vulnerabilities depending upon their specific systems.
There are an infinite number of mechanisms, plans and "tricks" companies may use in protecting IP and cyber systems.
Companies should implement a complete cyber security program, incorporating governance, control, threats, vulnerability and management. The program must include incident response, forensics and business continuity, tailored to the company's specific risks, and having particularized responses to these risks, paying explicit attention to the effect these risks will have on the company's financial and operational systems. As part of this plan, a self-audit practice that adapts to the ever-changing cyber landscape must be present.
However, something as simple as possessing strong computer passwords and maintaining these passwords in a safe place significantly increases computer security. Changing system defaults regularly and using disk encryption programs, including personal protections like fingerprint swipes and encryption of backup media, also may protect significant data. Implementing policies discouraging the sharing of encryption access coding with non-essential employees, avoiding "over-saving" material[FOOTNOTE 27] and destroying or wiping data from previously used equipment protects a company's IP.
Companies must focus on the most likely access point for the unlawful dissemination of confidential information or IP thefttheir employees. Companies should educate their employees on the severe civil and criminal penalties that will follow if there is unauthorized computer access of the company's confidential information. Such threats may be a significant deterrent to potential disloyal employees.
However, education is not enough. Companies must also monitor employee e-mails to ensure compliance with company protocol and policies regarding the dissemination of IP and confidential information. Companies must review and update, if necessary, employee policies and manual to so as to include computer use agreements that employees must sign acknowledging they are using proprietary company information. These employees must agree that this information may be only used for legitimate company business, within the company and not to be sent to a third party without express company permission, and may not be transferred or saved from any company server to any personal computer, USB thumb drive or any other storage device. With their information technology departments, companies must restrict database access only to those employees who need it, and establish firewalls or password-protected databases. Using counsel to review these procedures is essential to this process to ensure that the review of employee information and email does not run afoul of various federal or state statutes, such as the Stored Communications Act.
Further, employees should be required to return all company computer equipment and a review to ensure all files and information remain intact upon the departure of the employee. As a result, protecting your company from employee misappropriation requires limiting employee data access, drafting specific agreements to protect confidential information and considering legal action against current and former employees for such breaches or thefts.
Many policies if implemented would also protect a company's IP from outside sources, but specific procedures must be initiated to stop the unauthorized network access to the company's smart phones, PDAs and wireless hot spots. Companies should have, among other things, encryption codes, and critical security patches because software no longer supported may be a security issue. Similarly, cloud systems require appropriate security systems, and proper social media protocols prevent access to cyber criminals. Such procedures may, effectively, blunt hackers.
Companies must also have special protections for boardroom communications since such discussions may contain confidential information.[FOOTNOTE 28] Further, companies must consider purchasing cyber and IP theft insurance policies and/or riders to pay for breach investigation, notification costs and remedial measures. Companies holding customer and personal information data must also have response plans to address foreign, federal and state data breach notification laws that include responding to regulators, customers and potentially insurance carriers.
In short, these concerns and others depend upon the company's particularized needs to prepare, among others, appropriate protection, incident, plan of action and social media policies. However, the retention of counsel and outside security experts can go a long way towards battening down the hatches against cyber attacks.
CLOSING THE DOOR ON CRIME
Emphasizing the importance of understanding cyber security risk and protecting IP must be an organizational decision derived from the company's current position, an analysis of prudent preventative action and a definitive understanding of regulatory compliance obligations. This process requires knowledge of items needing protection, a clear understanding of the cyber risks threatening the company, and creating a plan to address these security assessments utilizing and prioritizing the company's resources to protect against cyber threats. Failure to do so may lead to the loss of an entire company's IP portfolio and can run the risk of government prosecution.
FN2 Chris Strohm and Eric Engleman, "Cyber Attacks on U.S. Banks Expose Computer Vulnerability," Bloomberg (Sept. 28, 2012); see also Lisa Shuchman, "DOJ Announces $2.4M in Grants to Fight IP Piracy and Theft," Corporate Counsel (Oct. 4, 2012).
FN3 Barack Obama, "Taking the Cyberattack Threat Seriously," Wall Street Journal (July 20, 2012), p. A11.
FN4 Stacy Cowley, "FBI Director: Cybercrime Will Eclipse Terrorism," CNN Money (March 2, 2012), http://money.cnn.com/2012/03/02/technology/fbi_cycbersecurity/index.htm.
FN5 See PWC Cybercrime: Protecting Against the Growing Threat (November 2011).
FN7 United States v. Steiger, 318 F.3d 1039 (11th Cir. 2003), cert. den., 538 U.S. 1051 (2003); see also Peter A. Crusco, "Courts Tackle Spyware Interceptions," New York Law Journal, Feb. 21, 2012, pp. 5 and 8.
FN9 Steven Kayman and Lawrence Elbaum, "Ninth Circuit Fuels Employee Misappropriation Debate," New York Law Journal, May 31, 2012, pp. 5 and 16; United States v. Nosal, 642 F.3d 781 (9th Cir. 2012).
FN11 17 U.S.C. §§1201-1205.
FN12 See Note 5.
FN13 Tarifa B. Laddon, "Navigating Between U.S. Discovery and European Data-Protection Laws," ABA Litigation (Vol. 38, No. 2), Winter 2012, p. 10-12.
FN14 Mercedes K. Tunstall, "Reporting Cyber Attacks and Data Security Breaches-- Guidance from the SEC," Corporate Counsel Weekly (March 7, 2012), pp. 79-80.
FN15 Richard Lardner, "U.S. Pressures Companies to Report Cybercrime," USA Today.com, http://www.usatoday.com/money/media/story/2012-06-29/reporting-cybercrime/55921858/1.
FN16 See, e.g., John M. O'Connor and Anna M. Piazza, "Where (Literally) Is the Deception? Analyzing the Reach of New York's Consumer Protection Statute in the Digital Age," New York Law Journal, Monday, May 7, 2012, p. S.8- S.9, and S.17.
FN17 See FINRA Regulatory Notice 12-05 (January 2012).
FN18 See FINRA Exam Priorities Letter, dated Jan. 31, 2012; and FINRA News Release, dated Jan. 26, 2012.
FN19 Tom Steinert-Threlkeld, "E-Mail Remains #1 Cyberthreat," Securities Technology Monitor (June 19, 2012).
FN20 See Lynn Brenner, "When Your E-Mail Is Hacked, Protect Investments First," Feb. 6, 2012, www.reuters.com/assets/print?and=USTRE8151UN20120206 (financial investments at particular risk).
FN21 IRS Newswire, "Identity Theft Crackdown Sweeps Across the Nation; More Than 200 Actions Taken in Past Week in 23 States," Issue Number: IR-2012-13, Jan. 31, 2012.
FN22 See SEC v. Dorozhko, F.3d (2nd Cir. 2009); and see also Stewart D. Aaron, Marcus Asner, and Yue-Han Chow, "Second Circuit Rules Computer Hacking May Be 'Deceptive' under Section 10(b) of the Securities Exchange Act of 1934," Privacy & Data Security Law Journal (October 2009).
FN23 Meghan Kelly, "UK Government Breached from the Inside, 1, Workers Disciplined," VentureBeat (May 18, 2012).
FN24 The 2011 Annual FISMA Executive Summary Report," No. 501, http://www.sec-oig.gov/Reports/AuditsInspections/2012/501.pdf; Silla Brush, "CFTC Data Breach Risks Employees' Social Security Numbers," Bloomberg (June 25, 2012).
FN25 John W. Simek and Sharon D. Nelson, "Preventing Law Firm Data Breaches," ABA Law Practice Magazine, Vol. 38, No. 1 (May 29, 2012); and see, generally, Stewart A. Baker and Charles J. Dunlap, Jr., "What Is the Role of Lawyers in Cyberwarfare?" ABA Journal (May 2012), http://www.abajournal.com/magazine/article/what_is_the_role_of_lawyers_in_cyberwarfare.html (role of lawyers in cyber attacks and cyber warfare.
FN26 Adam R. Bialek and Juan P. Rodriguez, "Website Audits: New Compliance Frontier," New York Law Journal, Thursday, Aug. 9, 2012, pp. 5 and 7 (requiring a review of myriad of issues, including, among others, disclosures, patents, trademarks, privacy and insurance).
FN28 Scott N. Schober, "Technology Risk Management: Securing the Boardroom Internally and Externally," Corporate Counsel Weekly (April 4, 2012), pp. 111-112.