What legal matters must you bear in mind when a cybercrime strikes your company? Larry Jaffee reports.
Five or so years ago, the term “cybercrime” tipped off a typical executive leader's tongue far less frequently than it does today. As data thefts rose, however – often targeting the personally identifiable information (PII) of everyday consumers – concerns about the soaring numbers of criminal acts online became mainstream topics of discussion for both worried corporate managers and average home-users. As well, locating, apprehending and successfully prosecuting the increasingly cunning perpetrators committing these cybercrimes has become a chief ambition for many leading law enforcement officers and state prosecutors.
The Internet Crime Complaint Center (IC3), established in 2000 as a partnership between the FBI and the National White Collar Crime Center, offers a sobering set of numbers: In 2009, the total dollar loss from all cases of computer fraud that were referred to law enforcement by IC3 was $559.7 million. In 2008, a total loss of $264.6 million was reported. The potential financial losses go much higher. The White House's Cyberspace Policy Review estimated that in 2008 and 2009, American businesses lost $1 trillion in intellectual property due to cyberattacks.
And, while one might assume court cases related to the mounting numbers of cybercrimes would present some tangible evidence, the number of cases that actually make it to court – although increasing in the past two years or so – still lag behind the immense volume of online attacks. The main problem, concur a number of lawyers, is that oftentimes corporate victims would rather avoid calling attention to their vulnerabilities than move forward with a court case – no matter its prospects for success.
“Clients don't want to make headlines,” notes Serge Jorgensen, vice president and CTO of the Sylint Group, a computer and network security consulting firm based in Sarasota, Fla., which works with various law firms and law enforcement agencies on cybercrime cases.
Still, some cases are making it to trial and the types being litigated run the computer crime gamut. There's the disgruntled, laid-off employee seeking revenge. Break-ins to a competitor's network to steal intellectual property and customer data are becoming more and more common these days. The now ubiquitous act of PII thievery has fast become the basis for many an online cybercrime ring's successful business. There are unfriendly foreign countries seeking to wreak havoc on the federal government or steal leading enterprises' trade secrets – and everything in between. Today, even embezzlement via electronic funds transfer is a mainstay, say the lawyers.
Organized online crimes these days usually involve a significant financial aim. That might be best epitomized by last year's guilty plea in the TJX case, where potential losses may total more than $21 billion. In that case, the U.S. Secret Service uncovered the theft of more than 40 million credit and debit card numbers from numerous retailers, including TJX.
High-profile cases like this have prompted corporations to be more vigilant with incident response. “In some instances, we work with law enforcement agencies to seek restitution to tee up for criminal or civil litigation,” says Stephen Wu, a partner with Cooke, Kobrick & Wu. His firm, based in California, works with Sylint and specializes in cybercrime.
The alleged mastermind of the TJX breach was an American, with Russian accomplices. But, prosecution of these types of cybercrimes is often difficult when the perpetrators are based overseas. Attorneys point accusing fingers at Asia and Estonia as particular hotbeds of cybercrime activity. Internationally, more than half of the 600 IT executives in 14 countries surveyed for a September 2009 report by McAfee researchers thought their nation's laws were inadequate to deter cyberattacks.
In January, Google revealed that it and 20 other large businesses were victims of cyberattacks emanating from China. Google detected in mid-December a highly sophisticated and targeted attack on its corporate infrastructure originating from China that resulted in the theft of Google intellectual property. Operation Aurora, as the attack was named, also sought out the Gmail accounts of human rights activists.
“The Google example is the most publicly notorious, but it should be a cyber wake-up call for all companies with sensitive or valuable data,” says Alan Charles Raul, who heads up the privacy, data security and information law practice of the firm Sidley Austin.
Legislation and the cybercriminal
Dennis Blair, the White House's recently departed director of national intelligence, called for the public and private sectors to join forces to promote cybersecurity, says Raul, who's based in Washington, D.C. An often-repeated call to action, the notion of public/private partnering has been a long-time refrain made by leading federal government and corporate information security experts. Most recently, the White House's new Cyber Security Coordinator Howard Schmidt, who was featured on SC Magazine's cover last month, has made public/private partnering a main goal of his. “Part of the role I have is sitting down with the broad breadth of government activities to look at securing government systems, securing military systems, [as well as] working with the private sector – finding out what [they are] doing, how they are doing it, making sure there's no duplicity between different efforts that are going on, making sure that we're moving at a pace that's fast enough to really affect some long-term positive changes, but not take long-term to get there,” he says.
Additionally, all to familiar to most enterprise information security pros and their bosses, there are scores of domestic laws and both industry and federal compliance mandates designed to outlaw cybercrime and/or push organizations to adequately protect sensitive information in such areas as finance (Sarbanes-Oxley Act of 2002, Gramm-Leach-Bliley Act of 1999), health care (HIPAA and HITECH), retail (Payment Card Industry standards), and many others (state data breach notification laws, and more). National security, as laid out in Homeland Security Act of 2002, often comes into play in suspected cases of cyber terrorism.
But lawyers believe more can be done legislatively to create a specific federal law focused solely on internet crime. The Cybersecurity Act of 2009 (S.773) was recently approved unanimously by the U.S. Senate Committee on Commerce, Science and Transportation. The bill is expected to be taken up this session by the full Senate. In part, the bill seeks to “ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications” and “to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption.”
“The focus has been on terrorism and child pornography. I think that's going to change,” says Steven Teppler, a partner with Edelson McGuire, a law firm with offices in Chicago, Los Angeles and New York, of legislative attempts to address cybercrime. Others point out that boundaries need to be established. The federal circuit courts now deciding such cases “are all split,” says attorney Jon Stanley, who has a private practice in Maine focusing on information security, as well as privacy and cybercrime. He adds that a U.S. Supreme Court ruling would be a helpful guide for the lower courts, but it's more of an “if and when” situation – there's no predicting if they'll even take a case.
“Lots of stuff never makes it to a jury trial,” says Stanley, who estimates he's worked on several dozen cybercrime cases within the past two years.
In addition to more help legislatively, companies need to consider dedicating more funds and resources to information security and risk management planning. Even though the still touchy economic climate is far from making such a call any simpler, upper management must weigh very carefully the decision of short-changing their information security budgets, in part because of business and legal consequences that extend far beyond fixing the software and pursuing the thief.
Say a cybercriminal successfully breaches your company's database. Belatedly, the company pays to upgrade its data security system. In the meantime, the company's reputation is harmed, which may result in customer loss. If the company is a public one, its stock price may fall. And, even though the company even may avoid violating any laws or compliance mandates in this particular instance, for business reasons alone, it likely will cover any losses customers actually suffer from the fraudulent use of their credit card numbers. But, the potential liability doesn't stop there.
Most data breach notification laws now ascribe liability to the company that was breached if sundry precautions were not taken as dictated by the mandate. In essence, these laws view the company, though a victim of the cyberattacker, as an accomplice of sorts for failing to adequately protect its consumer databases. Lawyers call this type of liability, which is one step removed from the principal perpetrator, “downstream liability.”
Unfair, some say, for one company to pay if another party caused (or contributed to) the problem. Take as an example the recent Ford Explorer and Bridgestone/Firestone case. When some drivers' Ford Explorers lost control, the drivers sued Ford. Ford charged that the tires were at fault and sued Bridgestone/Firestone in turn. Potential liability deters whoever is to blame.
In cyber crime, criminal prosecutions haven't stopped the next hacker. Often, neither your company nor law enforcement can find the hacker. And, even if found, the hacker doesn't have, and thus the company can't recover, the lawsuit can expose the company's vulnerabilities and prolong negative publicity. The problem with a cybercrime, though, is that often a company can't find that other party – the cyberattacker. And, even if the company does, it's unlikely that the online criminal has, and the company can recover, the stolen money. So, it's highly improbable that a cybercriminal will pay the consumers' direct losses, let alone even a small fraction of the company's financial and reputational losses.
Also, the unfortunate reality is that online crime pays. As a result, cases of known criminals – who have been profiting from their technologically driven crimes, tracked down by law enforcement and maybe even punished under criminal laws, still fail to convince the next online thief to stop.
“The laws have headed toward the [victim companies],” notes Randy Sabett, a partner in the Washington office of Sonnenschein, Nath & Rosenthal. In fact, 46 states already shift liability to the entities whose databases have been breached. The only states that don't have data breach notification laws are Kentucky, Alabama, New Mexico and South Dakota.
For legislatures that have signed such laws into effect, the potential costs to consumers – and ultimately to the country's financial system – outweigh the financial losses of individual companies. Even if consumers haven't lost money from a specific incident, their personal information is now in the hands of people who may misuse it or sell it. In essence, a retail company can replace its credit cards with new ones, but, in many real instances, customers' PII – such as Social Security numbers, driver's license numbers or bank account numbers – have been stored in the compromised database unencrypted and exposed. And while customers can arrange to change those, it will take a lot of time and often years of explanations. Many lawmakers fear that if breaches become even more commonplace, the country's system of doing business will break down.
This means companies must take responsibility for their need to make sure that they are not susceptible to downstream liability in negligence lawsuits, says Sabett. Given that companies typically outsource some of their IT operations to third parties, both a company and its vendors need to take enough precautions to protect sensitive information if they don't want to be susceptible to lawsuits – and more. Sabett says his firm gets calls these days in equal measure from companies being proactive and reactive regarding cybercrime.
“Companies realize they have a legal obligation, but we're also getting calls of the reactive sort that they had a data breach,” he says.
The bottom line, experts say, is that now and in the future, a company continually needs to evaluate the types of customer data it keeps, the quality of its existing data security systems, the laws that regulate maintenance of consumer data, and the potential costs of a serious breach. It may make sense to spend the money and upgrade your data security system now.
Up against the will
Everyone understand that their corporate networks can never be 100 percent secure from break-ins, no matter how robust their security measures and thorough their risk management plans. “You can't stop people from inflicting damage if they really want to,” says Edelson McGuire's Teppler.
Sylint's Jorgensen adds that in the past two years, there has been a clear uptick in the hacker and the hacker-in-the-building-next-door working together for a more coordinated attack. They maximize each other's expertise in, say, programming and social engineering to write the email that figures out how to get your software in the door, he says. This hacker is not doing it for the fun of it, the challenge, as was the case 10 years ago. It's all about the financial reward.
An informal survey of leading attorneys interviewed for this story on tracking computer-driven malfeasance produced a recurring theme: The bad guys are getting increasingly sophisticated, making security experts wince at a time of diminishing budgets for something that might never be needed.
“With security, it's impossible to show ROI. What's the return if nothing bad happens? It comes down to two things: What threat vectors your company faces. And your appetite for risk,” adds Sabett.
Too often, in these days of slashing budgets, companies typically hope nothing bad happens. But a prepared company is constantly gauging today's advanced persistent threats (APTs), a threat vector receiving a great deal of attention these days, though some experts claim it's being overhyped by some vendors. The individuals behind APTs are not the casual hacker, says Sabett. “They like to show off [their skills].”
On one side, the poor economy has seen cybercrimes strengthening in terms of numbers, stealth and sophistication. On the other, the economic downturn has taken its toll on security resources.
“[Clients] are all telling me that ‘we have to do more with less [budget],” Wu notes. “They're not able to take care of all the areas that present risks.” He adds that his firm is increasingly being asked to undertake a risk analysis for its clients.
It's a matter of prioritization. The best ways for companies to ward off cyberattacks of all kinds or indicators of compromise (IOCs) is to educate the entire management team – including the C-suite, legal, finance, HR, IT, marketing and PR – so everyone is on the same page.
Education, training and policy development are common among the services offered by law firms specializing in cybercrime. Employees need to be informed what email links they should not click on under any circumstance. Nor should they be absent-minded regarding work laptops and USB sticks containing company information.
As an example, Marc Zwillinger, founding partner of Zwillinger Genetski, based in Washington, D.C, notes that publicly used computers, such as at a hotel or internet café, are particularly susceptible to a spyware plant if the proprietor is not vigilant about installing the latest software updates to fend off unwanted viruses with illegal ulterior motives. Following a risk assessment, companies might change the way they do remote access, Zwillinger says.
Once a breach has been detected, outside counsel or internal legal teams usually call in computer forensics experts. Legal firms are getting many more calls than they used to for these types of services. Depending on the situation, the firm might call in law enforcement, such as the FBI or Secret Service, points out Thomas Smedinghoff, a partner with Wildman, Harrold, Allen & Dixon.
“One hundred years ago, people robbed banks [and somebody went to jail]. In the digital age, they blame those who were stolen from, and file lawsuits against the stakeholders,” Smedinghoff says.
Illustration by Julie Delton