20 January 2015
The fallout from the recent cyber-attack against Sony Pictures Entertainment has reinvigorated a debate about whether and when the US government should take responsibility for protecting private companies from cyber-attacks. On December 19 2014 President Obama promised a "proportional" response to the Sony cyber-attack, which he described as a "serious national security matter".(1) The administration has since imposed sanctions against 10 North Korean officials and three government agencies, and confirmed that it will use a "broad set of tools to defend U.S. businesses and citizens".(2) In 2014 the federal government sought and secured a criminal indictment to deter ongoing cyber-attacks launched by the Chinese military. The Sony hackers could face similar charges; however, it remains unclear whether the United States is willing to use its prosecutorial powers as a tool to combat these types of cyber-attack, or whether its responses will be robust enough to deter future cyber-attackers from North Korea, other rogue states or stateless actors.
This places the onus on organisations to enhance their security systems and, by so doing, minimise their vulnerabilities. Because no security measures can provide absolute protection from the most sophisticated hackers, organisations should separately consider what level of data protection will minimise their own civil and enforcement liabilities in the event of a breach. Sony is already facing civil lawsuits filed by employees who allege that Sony did not adequately protect their private data; organisations would be wise to review the adequacy of their security systems, particularly given this recent breach and the evolving nature of data security.
The cyber-attack against Sony in November 2014 destroyed systems and resulted in the theft of large quantities of personal and commercial data. According to the Federal Bureau of Investigation (FBI), the hackers, who identified themselves as the 'Guardians of Peace', deployed destructive malware and stole proprietary and confidential information, including employees' personally identifiable information.(3) The attack forced Sony to take its computer network offline and rendered thousands of its computers inoperable.
Subsequently, the hackers sent emails to various news outlets and theatres, warning against the release of Sony's film The Interview, a comedy portraying the assassination of North Korean leader Kim Jong-un, and threatening violence – "remember the 11th of September 2001" – at "the very times and places" of showings.(4) On December 19 2014 the FBI announced that it had concluded that the North Korean government was responsible for the cyber-attack.
In May 2014 the Department of Justice indicted five members of the Chinese military, the People's Liberation Army (PLA), for conspiring to hack into the computers of five US companies and a labour union and stealing proprietary trade secrets.(5) The indictment included charges under four criminal statutes: the Computer Fraud and Abuse Act, aggravated identity theft, economic espionage and theft of trade secrets.(6) The court hearing these cases issued arrest warrants for the five defendants but they remain at large and, without an extradition treaty with China or arrest during travel, there is little chance that they will ever stand trial.
The perpetrators of the cyber-attack on Sony, like the PLA hackers, are believed to have been working at the behest of a foreign government. However, unlike in the PLA case, the Sony attackers do not appear to have intended to convert Sony's trade secrets for the benefit of that government or anyone else. This distinction could prevent charges for theft of trade secrets,(7) but all of the other charges brought against the PLA defendants could apply to the Sony attackers as well.
Computer Fraud and Abuse Act
The individuals who orchestrated the cyber-attack on Sony could be charged with violating several provisions of the Computer Fraud and Abuse Act, all of which the PLA hackers also allegedly violated.
The Sony attackers likely violated the provision prohibiting access of a protected computer without authorisation. They:
The Sony attackers also violated the act by damaging Sony's computer systems. The statute:
In this case, the Sony attackers deployed destructive malware that "rendered thousands of [Sony's] computers inoperable, forced [Sony] to take its entire computer network offline, and significantly disrupted the company's business operations",(11) meeting both prongs of the statute.(12)
In addition, assuming multiple actors, the Department of Justice can also charge the Sony perpetrators under the conspiracy provision of the Computer Fraud and Abuse Act.(13)
Aggravated identity theft
As in the PLA indictment, the Sony attackers may also be charged with aggravated identity theft.(14) The statute applies when a defendant "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person" during and in relation to certain enumerated federal felony offences, including the Computer Fraud and Abuse Act, and thus is often applicable in cases of computer-related crime.(15) It has been widely reported that the Sony attackers gained access to Sony's system at least in part by stealing the computer credentials of a system administrator.(16)
The Sony attackers also likely violated the Economic Espionage Act of 1996. Economic espionage charges require:
The Sony attackers reportedly stole information including unreleased films and information revealing concepts for films.(18) Because that information likely includes multiple trade secrets, all of these elements could likely be met.
Will criminal indictments deter future cyber-attacks?
Some believe that the decision to bring criminal charges in the PLA case had more to do with geopolitical theatrics than deterring future attacks.(19) In the case at hand, North Korea's isolationist policies would likely render criminal indictments of the Sony perpetrators even less effective as a deterrent. If the perpetrators are indeed North Koreans, identification of those individuals within North Korea's closed society may prove extremely challenging. Moreover, even if the perpetrators are indicted in absentia, as the PLA defendants were, such indictment would likely have little impact on North Korean residents. The perpetrators are unlikely ever to see the inside of a US courtroom.
Ultimately, it remains to be seen whether the United States has other effective tools – and is willing to use them – to deter state-sponsored and stateless cyber-attacks.
While the federal government continues to develop its response to the Sony attack, organisations should examine their internal policies in order to minimise their exposure to civil and enforcement liabilities that could arise from an attack. Few, if any, data systems are impenetrable. As former FBI Director Robert Mueller put it, "There are only two types of companies: those that have been hacked, and those that will be",(20) with a third category emerging to include "those that have been hacked and will be again".(21) The New York State Office of the Attorney General has also admonished that "[w]hile it may be impossible to completely prevent data loss, organizations that implement data security plans can greatly reduce the harm caused by a data security breach".(22) Data security measures in this sense are both prophylactic and therapeutic, and the two cannot be separated: the controls that reduce the harm of a breach also reduce its likelihood, and in the likely event of a breach those same harm-reduction efforts mitigate the civil and enforcement fallout.
FTC and state enforcement in data breach cases
The Federal Trade Commission (FTC) has claimed authority to police data security breaches as unfair trade practices in violation of Section 5 of the FTC Act. A district court in New Jersey has upheld the FTC's authority,(23) although the Eleventh Circuit has agreed to hear a separate appeal challenging it.(24) In the meantime, the FTC continues to target mostly breaches involving consumer data, although it has also brought a small number of enforcement actions in employee data breach cases.(25) Even if it turns out that Section 5 is not as broad as the FTC claims, state attorneys general are quickly ramping up their own enforcement of data breach cases. Already, 47 states and the District of Columbia have laws requiring notification of the attorney general or the media in the event of a data breach. State attorneys general will continue to scrutinise organisations' preparedness to thwart a data breach, speed in discovering intrusions, timeliness of breach notifications, reasonableness of response and compliance with other statutory and regulatory requirements relating to data security.
Standard of care for adequate security is reasonableness
Whether state or federal, the scope of any enforcement activity will be driven by the 'reasonableness' of the data security measures in place before the breach.(26) For example, the FTC requires organisations to implement reasonable data security measures and has brought administrative actions to enforce this requirement.(27) Similarly, California mandates "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure".(28) However, 'reasonableness' is not subject to a precise definition. In fact, it is a moving target that must be evaluated constantly.
There is no time to despair that reasonableness cannot be reduced to a simple definition. Instead, organisations should embrace the opportunity to conduct a full analysis and determine what is reasonable given their unique situation. They can tailor an approach to address specific needs without falling into the trap of prescriptive requirements that could be both over and under-protective. To achieve the right balance, organisations should aim to adopt data security plans that are strong enough to prevent simple intrusions and reasonable enough to mitigate the fallout from sophisticated and determined cyber-attacks.(29)
Reasonable under the circumstances
Reasonableness should depend on many factors, including the size of the company, the type of industry, the type of data collected and the sensitivity within and across data sets. What is reasonable for a small regional retailer may be unreasonable for a national retailer, and what is reasonable for that national retailer may be inadequate for a bank. Organisations that do not collect consumer credit card numbers and PINs may be subject to a lower standard of care, but the standard may be higher for defence companies. Whatever the case, the approach should be reasoned and justifiable well in advance of a breach.
Lastly, what is reasonable today may be unreasonable in five years or, more likely, sooner. Regular evaluation and updates are required to stay current with an evolving standard of security.
The absence of certainty is unsatisfying and costly. But as the federal government continues to develop a response that will hopefully lower the collective risks, organisations must act to minimise their own risks. Those that strengthen their data security systems will have substantially reduced the risks of breach and, in the likely event of a breach, mitigated the fallout from civil and enforcement actions. It is a much cheaper insurance than the litigation and reputational costs of being caught under-prepared, or worse, unprepared.
For further information on this topic please contact Sara Hallmark or Samson Asiyanbi at Hogan Lovells US LLP by telephone (+1 415 374 2300), fax (+1 415 374 2499) or email (firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
(1) See, eg, Oliver Laughland and Dominic Rush, "Sony Pulling The Interview Was 'a Mistake' Says Obama", The Guardian (December 20 2014), www.theguardian.com/us-news/2014/dec/19/obama-sony-the-interview-mistake-north-korea.
(2) Carol Morello and Greg Miller, "U.S. Imposes Sanctions on N. Korea Following Attack on Sony", The Washington Post (January 2 2015), www.washingtonpost.com/world/national-security/us-imposes-sanctions-on-n-korea-following-attack-on-sony/2015/01/02/3e5423ae-92af-11e4-a900-9960214d4cd7_story.html?wpmk=MK0000200.
(3) FBI press release, "Update on Sony Investigation", December 19 2014, www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
(4) Michael Cieply and Brooks Barnes, "Quandary for Sony in Terror Threats over 'The Interview'", The New York Times (December 16 2014), www.nytimes.com/2014/12/17/business/media/sony-weighs-terrorism-threat-against-opening-of-the-interview.html.
(5) Press release, US Department of Justice, "U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage", May 19 2014, www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.
(7) 18 USC § 1832(a); Office of Legal Education Executive Office for United States Attorneys, Prosecuting Intellectual Property Crimes, available at www.justice.gov/criminal/cybercrime/docs/prosecuting_ip_crimes_manual_2013.pdf at 159.
(8) 18 USC § 1030(a)(2)(C) (2014). Due to the presence of several aggravating factors, the Department of Justice could likely charge the Sony hackers with a felony count under the statute, a violation punishable by a fine, up to five years' imprisonment, or both. Id.
(10) Office of Legal Education Executive Office for United States Attorneys, Prosecuting Computer Crimes, available at www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf at 38-39 (internal quotations omitted).
(12) Loss of at least $5,000 during a one-year period, as in this case, is sufficient to support the felony charges, which may result in up to 10 years in prison and/or a fine. 18 USC § 1030(c)(4)(A)(i) (2014).
(16) See, eg, Pamela Brown et al, "Investigators Think Hackers Stole Sony Passwords", CNN (December 19 2014), www.cnn.com/2014/12/18/politics/u-s-will-respond-to-north-korea-hack/index.html.
(17) 18 USC § 1831(a); Office of Legal Education Executive Office for United States Attorneys, Prosecuting Intellectual Property Crimes, available at www.justice.gov/criminal/cybercrime/docs/prosecuting_ip_crimes_manual_2013.pdf at 160.
(18) Steven Musil, "Unreleased Sony movies leaked to file-sharing sites after hack", CNET (November 30 2014), www.cnet.com/news/hackers-leak-new-sony-movies-to-file-sharing-sites.
(19) Fred Kaplan, "Why Did the Justice Department Indict Five Chinese Military Officers?", Slate (May 21 2014), www.slate.com/articles/news_and_politics/war_stories/2014/05/justice_department_Indicts_five_chinese_military_officers_can_the_obama.html.
(22) Press release, "A.G. Schneiderman Releases Report Showing Rise in Data Breaches, Provides Security Tips to Small Business & Consumers", New York State Office of the Attorney General (July 15 2014), www.ag.ny.gov/press-release/ag-schneiderman-releases-report-showing-rise-data-breaches-provides-security-tips.
(23) See Allison Grande, "11th Circ To Hear LabMD, FTC Data Security Arguments", Law360 (August 20 2014), www.law360.com/articles/569222/11th-circ-to-hear-labmd-ftc-data-security-arguments.
(25) Press release, FTC, "FTC Settles Charges Against Two Companies That Allegedly Failed to Protect Sensitive Employee Data" (May 3 2011), www.ftc.gov/news-events/press-releases/2011/05/ftc-settles-charges-against-two-companies-allegedly-failed; press release, FTC, "Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees" (July 27 2010), www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-and.
(26) The national prevailing standard is 'reasonableness'. But Massachusetts has adopted a prescriptive standard and New York recently proposed a prescriptive standard similar to Massachusetts. See "Hogan Lovells' IAPP Tracker Post Highlights State Data Security Laws", Chronicle of Data Protection (December 22 2014), www.hldataprotection.com/2014/12/articles/cybersecurity-data-breaches/hogan-lovells-iapp-tracker-post-highlights-state-data-security-laws/.
(27) Michelle Kisloff and Adam Cooke, "LabMD Rulings May Shed Future Light on 'Reasonable' Data Security Practices", Hogan Lovells Data Protection Blog (May 9 2014), www.hldataprotection.com/2014/05/articles/privacy-security-litigation/labmd-rulings-may-shed-future-light-on-reasonable-data-security-practices/.