Major outlets such as The Wall Street Journal report on data breaches constantly, especially when data that reveals personally identifiable information (PII) or personal medical information (PMI) is leaked. This type of data breach is a consumer protection matter, and the Federal Trade Commission as well as individual states have laws and regulations that companies must follow in an effort to prevent them and to respond when they happen. In many instances, the company may be required to notify state authorities and make disclosures so that individuals can act to protect their privacy and their identities.
Another type of data breach gets less press – when the leaked data is not PII or PMI, but includes proprietary commercial information owned by a company. One reason this type of data breach is not reported very often is because there is no reporting requirement and in most cases it is in the company’s best commercial interest to keep that kind of breach as quiet as possible. However, just because a data breach is kept quiet does not mean it won’t cause harm, and in the extreme case it can take away a business’s viability along with its competitive edge.
For a public company, even if the company can recover easily from a breach of proprietary competitive data, breaches that may cause “loss of intellectual property” are a risk factor that needs to be considered in securities filings, which in turn impacts the company’s bottom line. Public companies also have to account for loss of “customer relationship assets value” and “impairment of intellectual, intangible or other assets” in their financial statements. See 2018 SEC Cybersecurity Guidelines.
Recently, at least four data breaches were announced in one week, all affecting large companies that are household names. Three leaked PII and the fourth leaked proprietary competitive information, including computer code, new products that had not yet been released and data concerning the public’s consumption of the affected company’s products. An anonymous hacker has admitted responsibility for this leak of information, claiming to have acted to protect consumers from the affected company’s unfair business practices. Regardless of the hacker’s motivation, the affected company lost the advantage of secret information. The hack targeted the company’s internal messaging system and obtained the information from it.
Unlike PII or PMI breaches, the company that was hit by this hack does not have a remedial playbook dictated by law in hand. Is there anything that the company can do to mitigate its damages and protect its information?
Unfortunately, there may be little the company can do to claw back the information that was already leaked to the public. It can try to apprehend the hacker and take legal action, but in many cases it’s impossible to identify the hacker, bring them under the jurisdiction of a court within the United States and collect any damages from them.
However, the company that suffered the breach (and others) can adhere to the maxim “never waste a good crisis” to learn from and try to prevent this type of breach going forward. A good plan includes both computer cybersecurity protections and legal protections. The best plans ensure that the computer cybersecurity protections, which are primarily preventive in character, enable the legal protections that come into play after a breach has occurred.
The First Line of Defense
First, and most important in the context of a hack, companies must ensure that their cybersecurity policies adhere to each of these important factors:
- Cybersecurity policies must be up to date. Today, most companies’ data is kept digitally, making cybersecurity the key defense. Bad actors are constantly improving methods of hacking into computer systems. In response, companies must ensure that they are aware of new threats and develop methods to deal with them. A company’s cybersecurity policy cannot be a static document – it must continually be reviewed and revised.
- Cybersecurity policies must be clearly defined. Written privacy policies that help to prevent PII data breaches follow the privacy rulebook dictated by law. But, in the case of a proprietary competitive information breach, companies have no external rulebook and must instead create their own. That rulebook should include everything that the company does to protect its computer systems, clearly articulate which department and which employees are responsible for implementation, and provide for oversight to ensure compliance, perhaps by regular and frequent audits.
- Cybersecurity policies must be properly implemented by the IT department. Of course, a rulebook is useless unless it is followed. Do not throw the rulebook in a drawer. Often, implementation of cybersecurity policies is pushed to the back of a company’s priority list because there are other issues that appear to be more urgent. But, treating implementation of cybersecurity policies as low priority is dangerous because bad actors have hacking as their top priority.
- Cybersecurity policies must be followed by all employees. Some of the policies in the cybersecurity rulebook are controlled by the IT department, but some are in the control of individual employees. While many companies require training on cybersecurity for new employees, many do not follow up to ensure that the employees are following best practices. Again, do not throw the rulebook in a drawer.
It may be expensive to follow these cybersecurity rules, but, ironically, the march of technology that has enabled digital data breaches also has created new and simple ways to manage cybersecurity. There are businesses to which a company can outsource its cybersecurity function, but their services do not factor in compliance by employees. There are businesses that will audit a company’s computer systems and suggest remedies. And, there are businesses that offer AI bots that can audit systems, identify weaknesses, suggest and implement remedies, and draft policies on a going-forward basis. Companies will need to research a vendor that may be able to help with all their individual needs.
Legal Risk Management Methods
Data that gains its value by virtue of its secrecy should be treated as a trade secret. The cybersecurity protections discussed above can maintain secrecy in such a way that the information will qualify as a trade secret. After a breach, if the data is protected as a trade secret, a company can sue a hacker under federal and state trade secret laws and may collect damages.
Contract provisions can help protect the secrecy of data on a going-forward basis and can help to ensure that competitive information is considered a trade secret. Unfortunately, while contracts can help prevent trade secret theft by individuals and entities with whom the affected company has a relationship, they cannot normally help against hackers who are unknown to and have no contract with the affected company. After a breach by someone with whom the company has the proper contract provisions in place, it can sue under a theory of breach of contract to collect damages.
Another important method of legal risk management is to maintain proper and sufficient insurance that will cover the theft of trade secrets. Some cyber-insurance policies cover damage caused by data breaches, but some do not. Companies should periodically review their policies to ensure that all cyber threats, including those that may have recently emerged, are covered.
Theories for Bringing Suit against an Identified Hacker
Although a breach of contract claim may not be available for a company that is targeted by a hacker, there are some statutory causes of action that the company may bring against the hacker. Each of these statutes, however, requires that the company implement some cybersecurity protection such that the hacker had reason to know that the information was protected.
The Computer Fraud and Abuse Act (CFAA) is a cause of action that a company can assert after its computers were improperly accessed if the company suffered at least $5,000 in damages. In 2021, in Van Buren v. United States, the U.S. Supreme Court explained that to trigger liability under the CFAA, a person must access a portion of the computer without authorization. In other words, the computer needs to have been the subject of a hack that breached cybersecurity defenses. In addition to creating a private cause of action for damages, the CFAA has a criminal aspect and can be punished by jail time and hefty fines, and therefore may act as a deterrent to a bad actor seeking to access the computer systems without permission.
Some aspects of proprietary competitive information may be protected by copyright in addition to having protection as a trade secret. For example, the selection and arrangement of data in large datasets may qualify for copyright protection. If this copyrighted information is subject to technology that controls access to the information, then circumventing that technology is a violation of the copyright laws, specifically, section 1201 of the Digital Millennium Copyright Act (DMCA). Companies’ cybersecurity efforts, if they include something as simple as a password to gain access to protected information, may be sufficient to create both civil and criminal liability for a hacker who accessed the protected information improperly. Liability can include damages, fines and prison time.
Neither the CFAA nor the DMCA requires that the offender be a competitor of the protected information holder. However, if a data breach is caused by a company’s competitors, the competitors also may be subject to liability under the Economic Espionage Act (EEA). But, again, the EEA only applies if the information is a trade secret.
Important for each of these post-hack causes of action is that the information be properly protected by computer systems. In most cases, the law cannot protect or provide recourse absent advance preparation and implementation of cybersecurity measures. Companies should work with their cybersecurity and data protection attorneys to ensure that their proprietary competitive data is protected and secure.