When a company falls victim to a damaging cyber attack or suffers a theft of sensitive data or intellectual property, the incident very well may fall within the ambit of one or more criminal statutes designed to deter and punish perpetrators with the prospect of jail time, financial penalties and restitution. Under appropriate circumstances, the company should give serious consideration to making a referral to law enforcement as part of its response strategy. In this installment of our special series, A Desk Guide to Data Protection and Breach Response, we highlight three relevant federal criminal laws, and outline some practical considerations for making such a referral.
Computer Fraud and Abuse Act
Under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer” is guilty of a federal crime.1 This statute has wide-ranging application, because courts have interpreted the words “protected computer” to cover any computer that is connected to the Internet. An outsider who bypasses firewall protections and hacks into a company to steal valuable data or destroy or disrupt a company’s service is subject to the criminal penalties of CFAA which, in the case of a felony violation, can include up to five years imprisonment (or ten years for repeat offenders) in addition to a fine of up to $250,000 or two times the loss to the victim, a mandatory order of restitution and forfeiture. Conduct rises to a felony if it is committed for commercial advantage or private financial gain, or if the value of the information obtained exceeds $5,000.
A key issue in any CFAA case will be whether the alleged conduct constitutes access “without authorization” or access that “exceeds authorization.” As we discussed in prior alerts (see here and here), the federal circuits are split on whether the statute applies to situations where the perpetrator’s initial “access” to data was permitted (such as by an authorized employee with password permissions), but who then used the data for an impermissible purpose – i.e., in a disloyal manner or in violation of the employee’s contractual or fiduciary duties.2
Notably, although initially adopted as a criminal statute, CFAA was subsequently amended to incorporate a civil private right of action. A company may bring suit under CFAA for damage or loss stemming from violations of the Act if the harm exceeds $5,000.
The Economic Espionage Act
The Economic Espionage Act (“EEA”), 18 U.S.C. § 1832, makes it a federal crime to steal trade secrets for the benefit of a corporation or an individual. Defendants violate the EEA if, with the intent to convert to their own use, and with the intent of, or knowing that their conduct will injure the owner of the trade secret, they either (i) steal a trade secret, (ii) without authorization communicate a trade secret to a third party, (iii) receive or purchase a trade secret with knowledge that the trade secret has been stolen, or appropriated without authorization, (iv) attempt to commit any of (i) through (iii), or (v) conspire with one or more persons to commit any of (i) through (iii).
Under the EEA, individuals are subject to up to 10 years imprisonment in addition to fines, restitution and forfeiture, and corporations are subject to fines of up to $5 million.
The EEA adopts an expansive definition of what qualifies as a trade secret. All forms of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, regardless of how they are stored, can be considered trade secrets under the statute.3 In order for such property to fall within the statute, the owner must have taken measures to protect it from being disclosed, and it must possess independent economic value.
When determining whether to prosecute under the EEA, the government will consider the protective measures a company adopted to preserve the secrecy of the information, and the extent to which keeping the information exclusively in the possession of the company (and out of the public domain) would preserve its actual or potential economic value. Protective measures such as use of confidentiality agreements with employees and non-disclosure agreements with outside entities, implementation of electronic firewalls, requiring of password-only access, and designating documents “confidential” can all be considered sufficient to warrant trade secret protection under the EEA.4
Importantly, it is not enough to prove that the defendant took some valuable data or idea to use for their own benefit. The EEA further requires the government to prove that a defendant intended by his conduct to injure the trade secret’s holder, and this is often the issue upon which the viability of such a charge turns. The statute seeks to prevent employees (and their future employers) from taking advantage of confidential information gained and taken from one employer and transferred elsewhere, to the detriment of its original owner.
The National Stolen Property Act
The National Stolen Property Act (“NSPA”), 18 U.S.C. § 2314, makes it a criminal offense for a person to “transport[ ], transmit[ ], or transfer[ ] in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.”5 Federal courts interpret the words “goods, wares, or merchandise” to require proof that the property in question came in some tangible form. As a result, a primary inquiry in NSPA cases involving electronic data theft is whether the stolen property can be considered “tangible” in some respect.
Courts have held that the theft of purely intangible property embodied in a purely intangible format – such as the unauthorized uploading of proprietary trade data onto a third-party server – does not violate the NSPA. Accordingly, indictments lacking an allegation that the stolen property was taken in some physical form will be dismissed.6 By contrast, individuals charged with stealing electronic data through a physical manifestation – such as by printing computer code onto sheets of paper, or saving data to a CD-ROM or thumb drive which is then carried out of the building – are subject to criminal liability under the NSPA.7
An NSPA conviction carries with it the prospect of up to 10 years imprisonment, fines, restitution and forfeiture.
A successful referral of a data security intrusion to law enforcement carries the prospect of obtaining a swift resolution and potential court-ordered and government-enforced restitution, as well as potential favorable collateral effects on any related civil litigation. However, when contemplating the prospect of making a criminal referral, a company must consider a host of complex and sensitive issues including, among other things, whether the conduct rises to a level warranting criminal punishment; whether a referral might unduly delay or hinder pursuit of civil remedies; how (if at all) the lack of control over the pace and scope of a government investigation would impact the company’s own internal investigation efforts; and whether the company will be waiving privilege over investigative findings for purposes of future litigation if it turns information over to law enforcement.
Knowledge of the criminal standards in advance, however, can help a company improve the likelihood of a successful referral should it ultimately decide to employ such a strategy in the wake of an attack. Implementing effective access restrictions over sensitive or valuable electronic data on a need-to-know-only basis can be important to establishing a CFAA violation in an employee data breach scenario. Similarly, taking various measures to protect trade secret information, such as the use of confidentiality and non-disclosure agreements, the appropriate labeling of sensitive materials with the words “confidential” or “secret,” and the regular enforcement of employment rules respecting proprietary information, can help the government establish the elements of an EEA infraction. Instituting such safeguards demonstrates not only the secret nature of the information in question, but can also help prove its value.
For purposes of satisfying jurisdictional or sentencing thresholds relating to the amount of loss incurred, expenses relating to remediating the damage caused by a cyber attack are counted, so companies should take care to keep records of those expenses as they work through their recovery.
Finally, nothing speeds the process of making a successful criminal referral as much as strong, irrefutable proof of the electronic theft or intrusion. In cyber attack situations, the best proof will often be found in electronic evidence stored on a company’s servers – activity logs such as log-in times, transaction trails and keystroke recordings – information typically mined and analyzed by computer forensics teams. This evidence, if not preserved immediately upon discovery of a cyber incident, is susceptible to loss through normal system operations. Thus, companies should take care to know and understand how their systems work, and when responding to an attack, take immediate steps to prevent loss of data, including metadata and other system information not typically accessed by the business in the normal course.
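As an added example (not code from the original alert) of the preservation step described above, the following Python script copies log files before routine operations can discard them, keeps their original timestamps, and writes a hash manifest recording who collected what and when, so the copies can later be shown to be unaltered; the sample log line, paths and collector name are constructed.

```python
# Added example (not from the original alert): snapshot logs that routine
# operations would otherwise destroy, keeping file metadata and a SHA-256
# manifest so the preserved copies can later be shown to be unaltered.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy each source into evidence_dir; record size, mtime, hash, collector, time."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        st = src.stat()
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps timestamps, which are evidence too
        items.append({
            "source": str(src), "copy": str(dst), "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(dst)})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "items": items}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> bool:
    """Re-hash every preserved copy; False if any differs from the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_of(Path(i["copy"])) == i["sha256"] for i in manifest["items"])


def demo() -> tuple:
    """Preserve a constructed log, verify it, then show a later change is detected."""
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("Jan  2 03:14:07 fileserver sshd[4242]: Accepted password for jdoe\n")
    manifest = preserve([work / "auth.log"], work / "evidence", "analyst-1")  # constructed name
    intact = verify(work / "evidence")
    (work / "evidence" / "auth.log").write_text("overwritten later\n")  # simulate loss
    return manifest, intact, verify(work / "evidence")
```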