As the dust settles on the legal battle between Apple and the F.B.I., businesses should take note of the many issues related to the privacy and confidentiality of electronically stored information. Though Apple arguably emerged victorious in refusing to create a backdoor for its security measures, the still unknown point of access utilized by the F.B.I. highlights the risk that electronically stored information is never truly secure. Data breaches at Sony, Home Depot, Target, and even within the federal government highlight this point.
Given their volume and value of data, businesses need to be particularly cognizant of the cyber-threats and nimble in response to cyber-attacks. However, it is not enough to simply recognize the threat posed by a cyber-attack. Businesses need to be prepared to act swiftly and effectively to prevent any further misappropriation or transmission of electronically stored information.
It can be no doubt that external cyber threats pose the greatest harm to companies because, often, the attacker is unknown and therefore leaves a business without a true remedy. After discovering the what, where, and why, the question quickly becomes who? Specifically, who do you seek relief from? If the attacker is unknown or anonymous, how do you prevent further dissemination of confidential and proprietary information? Unfortunately, for many businesses, those questions remain forever unanswered.
But while the threat of external theft is great, businesses should not disregard or overlook the potential possibility of internal cyber threats. Employees, partners, shareholders, members, agents, and others all are typically given unquestioned access to confidential and proprietary information of a business. The logic and intent of this access is simple. Those individuals will use their access to better the business. But what happens when the relationship sours? What happens if an employee copies information, or retains unauthorized access to information after either termination or voluntary departure? This may be of no concern if the employee does not utilize the information, but it could be of great concern if the employee joins or forms a competition entity. Though the attacker is known, unlike an external cyber-threat, the damage can nonetheless be catastrophic.
As a means of preparing for both internal and external threats, businesses should not only seek to continually improve computer security, but also develop and maintain proper legal protections. A recommended first step in this process is to define access levels. If your business maintains confidential and proprietary information, then access to that information should be defined and enforced. The second step is subjecting those employees requiring access to proper agreements providing for the protection of said information, including, but not limited to, non-disclosure agreements, restrictive covenants, non-solicitation agreement, etc. These agreements will not only serve as mechanism of enforcement in the event of an internal cyber-attack, but also a tool for any equitable action related to the exposure of confidential or proprietary material.
The third step is to regularly update those agreements consistent with the terms of applicable laws, like the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, the New Jersey Computer Related Offenses Act, N.J.S.A. 2A:38A-1 et seq., and the New Jersey Trade Secrets Act, N.J.S.A. § 56:15-1, et seq. The last step is to monitor access and use of confidential and proprietary information and to enforce non-compliance with the above agreements in the event of a breach. Given the particularly sensitive nature of electronically stored information, a business needs to act swiftly in the event of an attack to prevent any use of further transmission.
George Washington once wrote “that offensive operations, often times, is the surest, if not the only (in some cases) means of defence.” That adage is particularly relevant in the realm of cyberlaw. A business should prepare the sword as a means of deterrence to internal threats, and as a means of shielding the potential damage of an external attack.
If you are a business that maintains sensitive electronically stored information, it is strongly recommended that you consult with an attorney to take these proactive steps. Likewise, if you are a business or individual has been subjected to an attack, it is strongly recommended that you consult with an attorney for guidance in securing relief.