On October 11, 2012 the government warned that the United States will be confronted with the possibility of a "cyber-Pearl Harbor" attack by foreign computer hackers who could unleash havoc on the nation's power grid, transportation system, financial networks and government.
Such harrowing warnings should sound the bell for American businesses to follow the example of the federalgovernment and immediately take precautions from a potentially crippling cyber attack, as well protect themselves from government investigation and prosecution for insufficient protection and disclosure of such attacks. Indeed, the U.S. Department of Justice (DOJ) has recently responded to cyber dangers by providing funding to stop the importing of counterfeit goods, technology thefts and computer hacking attacks against American businesses, while at the same time, the U.S. Securities and Exchange Commission (SEC) has indicated increased review of public company reporting on cyber risks.Accordingly, this article addresses the current state of significant cyber dangers, regulatory efforts to protect intellectual property and cyber systems, and the consideration and implementation of policies and procedures for businesses designed to prevent intrusion and theft as well as create effective responses to cyber attacks and proper disclosure of such risks.
IP protection and cyber attack avoidance deserve significant resources.The government has determined that cyber crime is a matter of national security, and may overtake terrorism as the primary national concern.In fact, a PWC survey of financial services firms found cyber crime is the second most common economic crime after asset misappropriation, with reputational damage being the biggest concern. Further, a majority of those businesses surveyed did not review social media sites or have cyber crisis or response plans, while others had no cyber security training, regular or formal review of such occurrences by senior management or boards of directors.
The DOJ has responded by publishing prosecutor guidelines to investigate and commence actions against those who steal computer data through computer hacking, IP theft and product and service counterfeiting in, among other industries, pharmaceutical, financial services and defense contracting.
Cyber Crime, IP Theft Statutes
Prosecutors and businesses have used several statutes to address stealing computer data and intellectual property. In particular, the Federal Computer Fraud and Abuse Act of 1984 (CFAA),a statute originally enacted to criminallyprosecute people who hack into computer systems of the federal government and financial institutions, has been usedby prosecutors and businesses against employees. However, federal appellate courts have disagreed over its use,potentially raising the specter of U.S. Supreme Court review.
The Economic Espionage Act is also used by prosecutors to prevent "theft, unauthorized copying, or intentional receipt of a trade secret,"by criminalizing trade secret theft benefiting foreign governments, instrumentalities or its agents; or when a non-owner obtains an economic benefit. Similarly, prosecutors (and private litigants) use the Digital Millennium Copyright Act to prosecute IP theft,as well as the Federal Wiretap Act, Electronic Communications Privacy Act, Stored Communications Act and other federal and state statutes.
Federal, state and foreign regulators have also instituted reporting regulations for companies that suffer a cyber attack or data breach. The SEC published guidelines for public corporations that suffer cyber attacks or data breaches to disclose certain information if such events will materially affect the company's operations, liquidity, financial condition, viability, product or customer lines, losses and ongoing litigation, among other things. The SEC requires these disclosures to have specific content and be in "plain English."Although there has been government pressure, cyber crime disclosuresremain alarmingly infrequent, perhaps due to the advertisement to would-be criminals of entry points in IP securityinfrastructure.
Additionally, the overwhelming majority of states have instituted data breach laws, but many conflict with one other.Self regulatory organizations, such as the Financial Regulatory Authority Inc. (FINRA), are also actively involved inestablishing "firewalls" to protect confidential customer information,such as protecting customers' funds from potentialphony e-mail requests.
Cyber Danger Points
As such, companies must recognize unauthorized IP and computer system access sources and develop protocols to protect their IP and critical systems. These sources are numerous.
Initially, recognizing one's employees as a crucial link in this process is paramount as is the company's email system.
Emails are the gateway to a company's computer system, and a likely weak point.Hackers are also, most likely, thieves. A sweep conducted by the DOJ and the Internal Revenue Service (IRS) earlierthis year found more than 105 hackers in 23 states, resulting in more than 939 criminal charges relating to identity theftand other crimes. The SEC has also brought securities fraud actions in computer hacking matters.
Surprisingly, government agencies, both foreign and domestic, have also been sources for data breaches.The SEC,in fact, was criticized for failing to develop a cyber security plan to protect its confidential information.
Likewise, law firms are also not immune from cyber risks. They have been found to be weak links in certain cyber security programs because law firms are prime targets for cyber thieves given the quantity and quality of information maintained by a business' law firm.
Practices and Procedures
Despite these protections and source knowledge, companies must still engage in a critical process to protectthemselves from IP thefts and cyber breaches.
Initially, companies must identify their IP and critical data "inventory." Essentially, companies must determine the IP and information in need of protection, develop specific procedures and policies, and allocate resources to particular areas requiring more protection, such as patents and proprietary information. Once complete, companies must prepare, implement and later audit policies and procedures, including, among other things, preparing corrective measures and responses if an incident occurs.
In evaluating the types of information requiring protection, companies must identify the company's IP to determine if it is necessary to or effectively protecting its IP, and if the company is ready to respond to an intrusion or theft. Companies must also consider third-party access to this information, and if it is a potential security threat for cyber criminals.
Thus, although this list is not exhaustive, companies must review and consider all relevant potential vulnerabilities depending upon their specific systems.
There are an infinite number of mechanisms, plans and "tricks" companies may use in protecting IP and cyber systems.
Companies should implement a complete cyber security program, incorporating governance, control, threats,vulnerability and management. The program must include incident response, forensics and business continuity, tailored to the company's specific risks, and having particularized responses to these risks, paying explicit attention to the effect these risks will have on the company's financial and operational systems. As part of this plan, a self-audit practice that adapts to the ever-changing cyber landscape must be present.
However, something as simple as possessing strong computer passwords and maintaining these passwords in a safe place significantly increases computer security. Changing system defaults regularly and using disk encryption programs, including personal protections like fingerprint swipes and encryption of backup media, also may protect significant data. Implementing policies discouraging the sharing of encryption access coding with non-essential employees, avoiding "over-saving" material27 and destroying or wiping data from previously used equipment protects a company's IP.
Companies must focus on the most likely access point for the unlawful dissemination of confidential information or IP theft—their employees. Companies should educate their employees on the severe civil and criminal penalties that will follow if there is unauthorized computer access of the company's confidential information. Such threats may be a significant deterrent to potential disloyal employees.
However, education is not enough. Companies must also monitor employee e-mails to ensure compliance withcompany protocol and policies regarding the dissemination of IP and confidential information. Companies must review and update, if necessary, employee policies and manual to so as to include computer use agreements that employees must sign acknowledging they are using proprietary company information. These employees must agree that this information may be only used for legitimate company business, within the company and not to be sent to a third party without express company permission, and may not be transferred or saved from any company server to any personal computer, USB thumb drive or any other storage device. With their information technology departments, companies must restrict database access only to those employees who need it, and establish firewalls or password-protected databases. Using counsel to review these procedures is essential to this process to ensure that the review of employee information and email does not run afoul of various federal or state statutes, such as the Stored Communications Act.
Further, employees should be required to return all company computer equipment and a review to ensure all files and information remain intact upon the departure of the employee. As a result, protecting your company from employee misappropriation requires limiting employee data access, drafting specific agreements to protect confidential information and considering legal action against current and former employees for such breaches or thefts. Many policies if implemented would also protect a company's IP from outside sources, but specific procedures must be initiated to stop the unauthorized network access to the company's smart phones, PDAs and wireless hot spots. Companies should have, among other things, encryption codes, and critical security patches because software no longer supported may be a security issue. Similarly, cloud systems require appropriate security systems, and proper social media protocols prevent access to cyber criminals. Such procedures may, effectively, blunt hackers. Companies must also have special protections for boardroom communications since such discussions may contain confidential information. Further, companies must consider purchasing cyber and IP theft insurance policies and/or riders to pay for breach investigation, notification costs and remedial measures. Companies holding customer and personal information data must also have response plans to address foreign, federal and state data breach notification laws that include responding to regulators, customers and potentially insurance carriers.
In short, these concerns and others depend upon the company's particularized needs to prepare, among others, appropriate protection, incident, plan of action and social media policies. However, the retention of counsel and outside security experts can go a long way towards battening down the hatches against cyber attacks.
Closing the Door on Crime
Emphasizing the importance of understanding cyber security risk and protecting IP must be an organizational decision derived from the company's current position, an analysis of prudent preventative action and a definitive understanding of regulatory compliance obligations. This process requires knowledge of items needing protection, a clear understanding of the cyber risks threatening the company, and creating a plan to address these security assessments utilizing and prioritizing the company's resources to protect against cyber threats. Failure to do so may lead to the loss of an entire company's IP portfolio and can run the risk of government prosecution.
New York Law Journal