The fallout from the recent cyber-attack against Sony Pictures Entertainment has reinvigorated a debate about whether and when the US government should take responsibility for protecting private companies from cyber-attacks. On December 19 2014 President Obama promised a "proportional" response to the Sony cyber-attack, which he described as a "serious national security matter".(1) The administration has since imposed sanctions against 10 North Korean officials and three government agencies, and confirmed that it will use a "broad set of tools to defend U.S. businesses and citizens".(2) In 2014 the federal government sought and secured a criminal indictment to deter ongoing cyber-attacks launched by the Chinese military. The Sony hackers could face similar charges; however, it remains unclear whether the United States is willing to use its prosecutorial powers as a tool to combat these types of cyber-attack or whether its responses will be robust enough to deter future cyber-attackers from North Korea, other rogue states or stateless actors.
This places the onus on organisations to enhance their security systems and, by so doing, minimise their vulnerabilities. Because no security measures can provide absolute protection from the most sophisticated hackers, organisations should separately consider what level of data protection will minimise their own civil and enforcement liabilities in the event of a breach. Sony is already facing civil lawsuits filed by employees who allege that Sony did not adequately protect their private data; organisations would be wise to review the adequacy of their security systems, particularly given this recent breach and the evolving nature of data security.
Sony cyber-attack and associated threats
The cyber-attack against Sony in November 2014 destroyed systems and resulted in theft of large quantities of personal and commercial data. According to the Federal Bureau of Investigation (FBI), the hackers, who identified themselves as the 'guardians of peace', deployed destructive malware to steal proprietary and confidential information, including employees' personally identifiable information.(3) The attack caused Sony to take its computer network offline and rendered thousands of its computers inoperable.
Subsequently, the hackers sent emails to various news outlets and theatres, warning against the release of Sony's film, The Interview, a comedy portraying the assassination of North Korean leader Kim Jong-un, and threatening violence – "remember the 11th of September 2001" – at "the very times and places" of showings.(4) On December 19 2014 the FBI announced that it had concluded that the North Korean government was responsible for the cyber-attack.
Criminal indictment of Sony's attackers
In May 2014 the Department of Justice indicted five members of the Chinese military, the People's Liberation Army (PLA), for conspiring to hack into the computers of five US companies and a labour union and stealing proprietary trade secrets.(5) The indictment included charges under four criminal statutes: the Computer Fraud and Abuse Act, aggravated identity theft, economic espionage and theft of trade secrets.(6) The court hearing these cases issued arrest warrants for the five defendants but they remain at large and, without an extradition treaty with China or arrest during travel, there is little chance that they will ever stand trial.
The perpetrators of the cyber-attack on Sony, like the PLA hackers, are believed to have been working at the behest of a foreign government. However, unlike in the PLA case, the Sony attackers do not appear to have intended to convert Sony's trade secrets for the benefit of that government or anyone else. This distinction could prevent charges for theft of trade secrets,(7) but all of the other charges brought against the PLA defendants could apply to the Sony attackers as well.
Computer Fraud and Abuse Act
The individuals who orchestrated the cyber-attack on Sony could be charged with violating several provisions of the Computer Fraud and Abuse Act, all of which the PLA hackers also allegedly violated.
The Sony attackers likely violated the provision prohibiting access to a protected computer without authorisation. They:
- accessed a computer;
- without authorisation; and
- obtained "information from [a] protected computer", which is broadly read to include computers "used in or affecting interstate or foreign commerce or communication", and hence any computer connected to the Internet.(8)
The Sony attackers also violated the act by damaging Sony's computer systems. The statute:
- forbids knowingly causing the transmission of a program, information, code or command;
- forbids intentionally causing damage to a protected computer without authorisation;(9) and
- broadly covers "all transmissions that are capable of having an effect on a computer's operation system" and "acts that simply make information or computers unavailable".(10)
In this case, the Sony attackers deployed destructive malware that "rendered thousands of [Sony's] computers inoperable, forced [Sony] to take its entire computer network offline, and significantly disrupted the company's business operations",(11) meeting both prongs of the statute.(12)
In addition, assuming multiple actors, the Department of Justice can also charge the Sony perpetrators under the conspiracy provision of the Computer Fraud and Abuse Act.(13)
Aggravated identity theft
As in the PLA indictment, the Sony attackers may also be charged with aggravated identity theft.(14) The statute applies when a defendant "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person" during and in relation to certain enumerated federal felony offences, including the Computer Fraud and Abuse Act, and thus is often applicable in cases of computer-related crime.(15) It has been widely reported that the Sony attackers gained access to Sony's system at least in part by stealing the computer credentials of a system administrator.(16)
Economic espionage
The Sony attackers also likely violated the Economic Espionage Act of 1996. Economic espionage charges require:
- the knowing misappropriation of information;
- that the defendant knew such information was proprietary and had no claim to it;
- that the misappropriated information was a trade secret; and
- that the defendant knew or intended that the offence would benefit a foreign government.(17)
The Sony attackers reportedly stole information including unreleased films and information revealing concepts for films.(18) Because that information likely includes multiple trade secrets, all of these elements could likely be met.
Will criminal indictments deter future cyber-attacks?
Some believe that the decision to bring criminal charges in the PLA case had more to do with geopolitical theatrics than deterring future attacks.(19) In the case at hand, North Korea's isolationist policies would likely render criminal indictments of the Sony perpetrators even less effective as a deterrent. If the perpetrators are indeed North Koreans, identification of those individuals within North Korea's closed society may prove extremely challenging. Moreover, even if the perpetrators are indicted in absentia, as the PLA defendants were, such indictment would likely have little impact on North Korean residents. The perpetrators are unlikely ever to see the inside of a US courtroom.
Ultimately, it remains to be seen whether the United States has other effective tools – and is willing to use them – to deter state-sponsored and stateless cyber-attacks.
Duty to make system breaches harder
While the federal government continues to develop its response to the Sony attack, organisations should examine their internal policies in order to minimise their exposure to civil and enforcement liabilities that could arise from an attack. Few, if any, data systems are impenetrable. As former FBI Director Robert Mueller put it, "There are only two types of companies: those that have been hacked, and those that will be",(20) with a third category emerging to include "those that have been hacked and will be again."(21) The New York State Office of the Attorney General has also admonished that "[w]hile it may be impossible to completely prevent data loss, organizations that implement data security plans can greatly reduce the harm caused by a data security breach".(22) Data security measures in this sense are both prophylactic and therapeutic, and the two roles are inseparable: measures that reduce the harm of a breach also reduce its likelihood and, in the likely event that a breach does occur, the same harm-reduction efforts mitigate the civil and enforcement fallout.
FTC and state enforcement in data breach cases
The Federal Trade Commission (FTC) has claimed authority to police data security breaches as unfair trade practices in violation of Section 5 of the FTC Act. A district court in New Jersey has upheld the FTC's authority,(23) although the Eleventh Circuit has agreed to hear a separate appeal challenging it.(24) In the meantime, the FTC continues to target mostly breaches involving consumer data, although it has also brought a couple of enforcement actions for employee data breach cases.(25) Even if it turns out that Section 5 is not as broad as the FTC claims, state attorneys general are quickly ramping up their own enforcement of data breach cases. Already, 47 states and the District of Columbia have laws requiring notification of the attorney general or the media in the event of a data breach. State attorneys general will continue to scrutinise organisations' preparedness to thwart a data breach, quickness to discover intrusions, timeliness of notifications of breach and reasonableness of response and compliance with other statutory and regulatory requirements relating to data security.
Standard of care for adequate security is reasonableness
Whether state or federal, the scope of any enforcement activity will be driven by the 'reasonableness' of the data security measures in place before the breach.(26) For example, the FTC requires organisations to implement reasonable data security measures and has brought administrative actions to enforce this requirement.(27) Similarly, California mandates "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure".(28) However, 'reasonableness' is not subject to a precise definition. In fact, it is a moving target that must be evaluated constantly.
There is no time to despair that reasonableness cannot be reduced to a simple definition. Instead, organisations should embrace the opportunity to conduct a full analysis and determine what is reasonable given their unique situation. They can tailor an approach to address specific needs without falling into the trap of prescriptive requirements that could be both over- and under-protective. To achieve the right balance, organisations should aim to adopt data security plans that are strong enough to prevent simple intrusions and reasonable enough to mitigate the fallout from sophisticated and determined cyber-attacks.(29)
Reasonable under the circumstances
Reasonableness should depend on many factors, including the size of the company, the type of industry, the type of data collected and the sensitivity within and across data. What is reasonable for a small regional retailer may be unreasonable for a national retailer, and what is reasonable for that national retailer may be inadequate for a bank. Organisations that do not collect consumer credit card numbers and PINs may be subject to a lower standard of care, but the standard may be higher for defence companies. Whatever the case, the approach should be reasoned and justifiable well in advance of a breach.
Lastly, what is reasonable today may be unreasonable in five years or, more likely, sooner. Regular evaluation and updates are required to stay current with an evolving standard of security.
The absence of certainty is unsatisfying and costly. But as the federal government continues to develop a response that will hopefully lower the collective risks, organisations must act to minimise their own risks. Those that strengthen their data security systems will have substantially reduced the risks of breach and, in the likely event of a breach, mitigated the fallout from civil and enforcement actions. It is a much cheaper insurance than the litigation and reputational costs of being caught under-prepared, or worse, unprepared.
Sara Hallmark, Samson Asiyanbi
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.