Protecting Companies' Intellectual Property From Cyber Crime
On Oct. 11, 2012, the government warned that the United States will be confronted with the possibility of a "cyber-Pearl Harbor" attack by foreign computer hackers who could unleash havoc on the nation's power grid, transportation system, financial networks and government.1
Such harrowing warnings should sound the bell for American businesses to follow the example of the federal government and immediately take precautions from a potentially crippling cyber attack, as well protect themselves from government investigation and prosecution for insufficient protection and disclosure of such attacks. Indeed, the U.S. Department of Justice (DOJ) has recently responded to cyber dangers by providing funding to stop the importing of counterfeit goods, technology thefts and computer hacking attacks against American businesses, while at the same time, the U.S. Securities and Exchange Commission (SEC) has indicated increased review of public company reporting on cyber risks.2 Accordingly, this article addresses the current state of significant cyber dangers, regulatory efforts to protect intellectual property and cyber systems, and the consideration and implementation of policies and procedures for businesses designed to prevent intrusion and theft as well as create effective responses to cyber attacks and proper disclosure of such risks.
IP protection and cyber attack avoidance deserve significant resources.3 The government has determined that cyber crime is a matter of national security, and may overtake terrorism as the primary national concern.4 In fact, a PWC survey of financial services firms found cyber crime is the second most common economic crime after asset misappropriation, with reputational damage being the biggest concern. 5 Further, a majority of those businesses surveyed did not review social media sites or have cyber crisis or response plans, while others had no cyber security training, regular or formal review of such occurrences by senior management or boards of directors.
The DOJ has responded by publishing prosecutor guidelines to investigate and commence actions against those who steal computer data through computer hacking, IP theft and product and service counterfeiting in, among other industries, pharmaceutical, financial services and defense contracting.6
Cyber Crime, IP Theft Statutes
Prosecutors and businesses have used several statutes to address stealing computer data and intellectual property. 7
In particular, the Federal Computer Fraud and Abuse Act of 1984 (CFAA),8 a statute originally enacted to criminally prosecute people who hack into computer systems of the federal government and financial institutions, has been used by prosecutors and businesses against employees. However, federal appellate courts have disagreed over its use, potentially raising the specter of U.S. Supreme Court review.9
The Economic Espionage Act is also used by prosecutors to prevent "theft, unauthorized copying, or intentional receipt of a trade secret,"10 by criminalizing trade secret theft benefiting foreign governments, instrumentalities or its agents; or when a non-owner obtains an economic benefit. Similarly, prosecutors (and private litigants) use the Digital Millennium Copyright Act to prosecute IP theft,11 as well as the Federal Wiretap Act, Electronic Communications Privacy Act, Stored Communications Act and other federal and state statutes.12
Federal, state and foreign regulators have also instituted reporting regulations for companies that suffer a cyber attack or data breach.13
The SEC published guidelines for public corporations that suffer cyber attacks or data breaches to disclose certain information if such events will materially affect the company's operations, liquidity, financial condition, viability, product or customer lines, losses and ongoing litigation, among other things. The SEC requires these disclosures to have specific content and be in "plain English."14 Although there has been government pressure, cyber crime disclosures remain alarmingly infrequent, perhaps due to the advertisement to would-be criminals of entry points in IP security infrastructure.15
Additionally, the overwhelming majority of states have instituted data breach laws, but many conflict with one other.16 Self regulatory organizations, such as the Financial Regulatory Authority Inc. (FINRA), are also actively involved in establishing "firewalls" to protect confidential customer information,17 such as protecting customers' funds from potential phony e-mail requests.18
Cyber Danger Points
As such, companies must recognize unauthorized IP and computer system access sources and develop protocols to protect their IP and critical systems. These sources are numerous.
Initially, recognizing one's employees as a crucial link in this process is paramount as is the company's email system.19 Emails are the gateway to a company's computer system, and a likely weak point.20
Hackers are also, most likely, thieves. A sweep conducted by the DOJ and the Internal Revenue Service (IRS) earlier this year found more than 105 hackers in 23 states, resulting in more than 939 criminal charges relating to identity theft and other crimes.21 The SEC has also brought securities fraud actions in computer hacking matters.22
Surprisingly, government agencies, both foreign and domestic, have also been sources for data breaches.23 The SEC, in fact, was criticized for failing to develop a cyber security plan to protect its confidential information.24