Reprinted with permission from the February 19, 2015 edition of the The National Law Journal © 2011 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 - firstname.lastname@example.org or visit www.almreprints.com.
On Jan. 20, during his State of the Union Address, President Barack Obama highlighted the need to enact cybersecurity legislation in the near term. As he framed the issue:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
The White House later previewed some of its cybersecurity strategy and legislative proposals. More details will be coming soon. Additionally, FBI Director James Comey highlighted “ a five-point strategy” to address cybersecurity. On Feb. 10, a new Cyber Threat Intelligence Integration Center was announced by White House officials as part of an effort to strengthen our national cyber defenses. On Feb. 13, Stanford hosted the White House Cybersecurity Summit, which focused on a host of cybersecurity issues.
There are many facets to cybersecurity. This article highlights five key issues for consideration.
1. National notification standards. Data breach notification has become unnecessarily complicated, confusing and costly. Clearly defined uniform standards would promote the objectives of notification.
Nearly 13 years ago, the first data security-breach notification law was enacted in California. Since then, 47 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have adopted breach notification laws. Many states are adding and enacting notification requirements or considering new ones.
The original objective—to inform consumers about data breaches involving their personal and financial information—has turned into a notification maze and nightmare. Given the many notification standards, conflicts have emerged including over what triggers notification and when and how to provide notice. It should not be as complicated and confusing as it has become for a company to provide notice to consumers. The failure to satisfy the notification standards may subject the company to lawsuits even though the company has tried in good faith to comply.
The states are unlikely to adopt uniform notification standards, given the myriad of state laws and standards that have been adopted and new ones being advanced. Eventually, Congress can establish national notification standards. Delay in doing so will permit the status quo to persist, resulting in an unnecessarily complicated, confusing and costly mix of standards undermining the notification purposes and compliance.
2. Restore effectiveness to the Computer Fraud and Abuse Act. The primary federal computer crime statute is the Computer Fraud and Abuse Act (CFAA), originally enacted in 1984 and amended through the years. A civil private right of action may also be permitted under the law. The effectiveness of this statute has been questioned in recent years. The act should be updated to address current computer crime issues. A couple of examples are noted.
Courts are divided about whether the CFAA covers insiders initially granted access to computers but who then use that access to harm the company or owners of the computer data. Let’s say you just learned that a long-term, trusted employee had used company computers to download, steal and transfer confidential business information either to start his own company or provide it to a competitor.
Would this theft of company information be a crime under federal law? Under existing law, it depends on the jurisdiction in which the theft occurred. The federal courts are divided as to whether the company’s prior authorization of its computers disallows a later violation under the CFAA.
The courts have found the statutory terms concerning computer access “without authorization” or “exceed[ing] authorized access” difficult to apply. The statute does not define the terms “without authorization.” However, the terms “exceeds authorized access” mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The division in the courts over the application of the statute has persisted for several years and should be clarified. Insider theft of computer information should be a crime covered under the statute. This type of conduct should not be subject to varying interpretations by the courts.
Other ambiguities persist. For example, since 2008 the CFAA has included a conspiracy provision. However, the statute does not specify what penalties apply to conspiracy convictions.
3. Trade-secret remedies and protection. Trade secrets continue to provide a key source of innovation and value to the economy. As a result of their significant value, trade secrets are targeted for theft and cyber-espionage. Some have estimated the cost of trade-secret theft to range from 1 percent to 3 percent of the gross domestic product of the United States and other advanced industrial economies.
In his recent speech, the president made clear that neither foreign nations nor hackers should be allowed to “steal our trade secrets.” Congress should enact legislation that would create a federal private right of action for the theft of trade secrets for the first time. Under the Economic Espionage Act of 1996, the Department of Justice could prosecute the misappropriation of trade secrets. However, few trade-secret thefts require or criminal prosecution.
Generally, state trade-secret laws are effective at addressing local theft. When trade secrets are removed from the state or country, trade-secret owners confront a cumbersome process in seeking effective remedies. Trade-secret owners should be able to remedy theft in federal court. Trade secrets are the only form of intellectual property that lacks a federal private right of action.
Companies should have the option of seeking relief in either state or federal court. The new federal law would also provide more effective protection for trade secrets than under existing state law and encourage innovation and trade-secret development.
4. Sharing of cyberthreat information. New avenues should be established to effectively share government and private industry information about cyberthreats to avoid and mitigate further harm. Information sharing takes places on many levels. The government has information about cyberthreats that it can share with private industry. Private industry obtains information that it can provide to others in the private sector and to government.
The National Institute of Standards and Technology recently issued a draft report for public comment to highlight information-sharing best practices. As summarized by the report:
“When an organization identifies and successfully responds to a cyberattack, it acquires information that can be used by other organizations that face the same or similar threats. When information is shared, threatened organizations have access to threat intelligence provided by peer organizations and are able to rapidly deploy effective countermeasures and detect intrusion attempts. As a result, the impact of a successful cyberattack can be reduced.”
Presently, there is a chilling effect on sharing cyberthreat information that may help others based on liability concerns. Some companies fear that the disclosure of information would result in regulatory action or lawsuits. Congress has been considering this problem and legislation has twice passed in the House of Representatives only to stall in the Senate. Until the liability problems can be addressed, key threat information will not be disseminated to those who can use it.
5. Promoting understanding and restoring public trust. Without public trust, law enforcement is constrained in investigating crime and protecting society.
On Dec. 4, Assistant Attorney General Leslie Caldwell announced the creation of a DOJ cybersecurity unit to “address cyberthreats on multiple fronts, with both a robust enforcement strategy as well as a broad prevention strategy.” In her speech, she appropriately noted “a growing public distrust of law enforcement surveillance and high-tech investigative techniques” that “can hamper investigations” which may be based on “misconceptions about the technical abilities of the law enforcement tools and the manners in which they are used.”
She is correct. Restoring public trust is a top priority. Without it, the ability to address cybercrime will be less effective. Steps should be taken to promote a better public understanding of how law enforcement solves cybercrimes and addresses privacy concerns. An important part of this debate is learning about what judicial showing is required for law enforcement to obtain data and the steps necessary to address cybercrime today.
There are many aspects to providing effective cybersecurity. These five issues, among others, will advance cybersecurity efforts. The time is ripe for meaningful legislation.
Mark L. Krotoski is a partner in the privacy and cybersecurity, antitrust and litigation groups at Morgan, Lewis & Bockius. He previously served as a prosecutor in computer hacking and intellectual property crime units in the Northern and Eastern Districts of California and as coordinator of the DOJ’s national program. The views expressed are his own and not necessarily those of the firm or any clients.