Locks, the saying goes, keep honest people honest. Good physical security will keep out the curious passer-by or casual miscreant, but no lock is perfect and the determined thief will always find a way in. In recent years, it has become obvious that the same is true of the Internet. As a practical matter, no connected computer system is impenetrable, and password surveys routinely show that most people don’t even have decent locks on their doors. Yet individuals and businesses place vast amounts of crucial, sensitive information online, assuming that it will remain secure. And when the locks fail, they turn to the law.
There are, of course, a number of legal protections against the misappropriation and misuse of personal data, identity or intellectual property. They include federal and state statutes, as well as common law claims of misappropriation, unfair competition and breach of duty, to name a few. But the great majority of those protections focus on the information that’s taken, not the act of taking it. In the electronic universe, the damage from an intrusion often includes not only the loss of data, but the costly disruption to the system itself. There is no physical analog to that harm. A burglary victim is concerned about the assets in the safe, not the damage to the safe itself. But online, the calculation may be different: The “safe” is often a computer system or network that is vital to the victim’s personal or business livelihood. When dealing with computer intrusions, the law has to address that potential loss as well.
