[BreachExchange] Cybersecurity 2017 – The Year In Preview: Trade Secret Theft Takes Center Stage

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 21 19:11:52 EST 2016


http://www.jdsupra.com/legalnews/cybersecurity-2017-the-year-in-preview-66975/

When it comes to the issue of data privacy and security, especially among
lawyers, the discussion generally concerns personally identifiable
information.  This includes names, addresses, social security numbers,
email addresses, passwords, etc. of individuals.  Beginning with
California in 2002, states have been imposing privacy and security
obligations on companies that store personally identifiable information.
Now, fourteen years later, almost every state has laws protecting the
personally identifiable information of its residents.  Federal laws play an
important role too.  For instance, when you add medical information to the
mix, it becomes protected health information governed by the Health
Insurance Portability and Accountability Act (HIPAA).  If the information
is held by a financial institution, then the Gramm-Leach-Bliley Act (GLBA)
might apply.

These laws are generally designed to protect the sensitive information of
individuals that companies maintain as part of their business. The laws can
require companies to take reasonable steps to secure that data, stop it
from being stolen or inadvertently disclosed, and in the event a breach
occurs, to notify the affected individuals.  All of this is unquestionably
important.  And part of the reason it is important is that an ever
increasing number of nefarious individuals are attempting to steal the
cache of personally identifiable information stored on the servers of
businesses.  Part of the incentive for such hacks is that this information
can be sold on the black market and used to commit identity fraud and other
criminal activities.

This is the world in which we live, and these laws and their implications
are the mainstay of data privacy and security discussions.  My prediction
for 2017 is that the conversation will shift from the security of
information about individual consumers to the security of sensitive
business information.  This is important because when hackers break into
Yahoo and LinkedIn and steal millions of usernames and passwords, as was
announced this year, the laws discussed above apply, and the effect on the
individual consumers is the primary concern.  But when hackers steal
confidential financial information, secret formulas, ongoing research and
development projects, confidential agreements with third parties, long-term
business plans, etc., the state and federal data security and privacy laws
discussed above generally do not apply.  Yet these breaches can be utterly
disastrous for a company.  Once in possession of this data, hackers can
make the information public, sell it to competitors, or use it for
extortion.  Thus, companies are well advised to develop strategies and
policies focused on protecting their business information from such attack.

These breaches are common and appear to be on the rise.  In fact, their
prevalence could be much greater than it seems because, unlike data
breaches affecting consumer information, data breach and security laws
generally do not require public disclosure of breaches that only affect
business information.  One example is ransomware, which is becoming a
prevalent form of such breaches.  In a ransomware attack, malicious
software takes control of the company’s computers and encrypts all of the
data, making the information inaccessible.  The hacker then demands a
payment in exchange for the decryption key necessary to unlock the data.
Such an attack not only places sensitive business information into the
hands of unknown hackers, but it also blocks the company from accessing its
data.  If the company does not have adequate back-ups, the ransomware
attack could mean that the data is gone unless the company pays the
ransom.  But even when the victim pays, sometimes the hackers still do not
provide the decryption key.  Moreover, paying the hackers only encourages
similar attacks in the future, and the company could be unknowingly funding
even worse criminal activities.  A recent study found that 47% of U.S.
companies have experienced a ransomware attack in the past year.  The CEO
of PhishMe, a cybersecurity company, recently reported: “Barely a year ago,
ransomware was a concerning trend on the rise.  Now, ransomware is a fully
established business model and a reliable profit engine for cybercriminals
….”

Cyberattacks by foreign governments and competitors are also on the rise.
And when foreign governments and competitors attack, trade secrets and
other sensitive business information are the likely target.  For instance,
back in April, U.S. Steel Corp. filed a trade complaint with the
International Trade Commission alleging that the Chinese steel industry
formed a cartel to set steel prices, and in collaboration with the Chinese
government, stole U.S. Steel’s trade secrets.  Similarly, Chinese hackers
were recently accused of perpetrating attacks on U.S. technology and drug
companies seeking intellectual property and trade secrets, including
designs and research for unreleased products.  Finally, this time last
year, Samsung announced that hackers attacked its network in an attempt to
steal the technology behind its Samsung Pay service.

Because the data security laws discussed above are not designed to deal
with theft of business information, victims need to pursue other avenues if
they want to seek redress.  One option is the Computer Fraud and Abuse Act,
which generally prohibits accessing a computer without authorization and
obtaining information from that computer.  Critically, the act includes a
civil cause of action.  Another option is the recently enacted Defend Trade
Secrets Act.  This act creates the first federal civil cause of action for
trade secret theft.  The act also includes a controversial civil seizure
procedure that allows a court “in extraordinary circumstances” to order the
seizure of property in order to prevent the dissemination of trade
secrets.  State law can also provide viable causes of action.  For
instance, in the event of a cyberattack by a competitor, claims for
tortious interference and unfair competition might be appropriate.

In the end, 2017 will certainly be an interesting year for data privacy and
security.  Massive hacks involving the theft of personally identifiable
information will continue, if not increase.  But I think we will also see
the rise of attacks targeted at sensitive business information.  Companies
should ensure in the year to come that they have strategies and procedures
in place to combat such attacks.