Closing-in on Cybercrime
By Mary Kay Elloian, Esq.
Introduction
Cybercrime costs our economy billions of dollars per year. The companies most vulnerable to these cyberattacks are those that either carelessly or unwittingly store their intellectual property and corporate secrets on their in-house servers. Most servers that store such data are routinely believed to be accessible only to employees, although, as we are finding out, cybercrime knows no boundaries and spares no avenue of attack.
You might ask what our government is doing to quell some of these cyberattacks, viruses, worms, and denial-of-service attacks that are running amok in our electronic world of cybercomputing. Here’s just a sample.
Criminalizing Cyber Espionage
In 1996, the Economic Espionage Act (“EEA”) was enacted to criminalize the theft or misappropriation of trade secrets. The Act is composed of two provisions. The first provision is codified at 18 U.S.C. § 1831, which is focused on foreign economic espionage and requires that the theft of the trade secret be done to benefit a foreign government, instrumentality, or agent. Because of the serious nature of economic espionage, a defendant who is convicted of violating § 1831 can be imprisoned for up to 15 years and fined $500,000 or both. Any organization that commits any offense as described in § 1831 shall be fined not more than $10,000,000. However, the second provision of the EEA, which is really at issue here, “Theft of Trade Secrets,” is codified at 18 U.S.C. § 1832. This provision makes criminal the more common commercial theft of trade secrets, no matter who benefits from the criminal act. A defendant convicted of theft of trade secrets under this provision can be imprisoned for up to 10 years and fined $500,000 or both. Any organization that commits any offense as described in § 1832 shall be fined not more than $5,000,000. Both provisions of the EEA criminalize the knowing receipt, purchase or possession of a stolen trade secret, similar to the crime of receiving stolen property as we know it. Additionally, the EEA authorizes the Department of Justice to seek temporary injunctive relief in civil actions to restrain ongoing violations of the statute.
However, because of the serious implications these attacks have upon the financial integrity of the corporation as well as the economy, it is imperative that companies take an offensive posture to thwart an attack before it happens. Because the monetary cost of a full-blown cyberattack can probably never be fully recovered, vigilance is the key.
Implementing Cyber-Security Measures to Minimize Intrusion
Encryption mechanisms can be set up to protect valuable corporate secrets and help ensure that only authorized personnel have access to the information. By use of public and private key infrastructures, companies can limit access to those key management people who must have access to such information. Digital encryption technology is available to limit access and to validate entry into main computing systems that may prove to be vulnerable. In addition, other system servers should not be overlooked. A weak link in the computing infrastructure can prove to be a haven for cyberattackers as well. Firewalls should be implemented and continually monitored and maintained to protect against system penetration.
Traditional Non-Disclosure Agreements Serve New Role
In addition to the protective measures cited above, nondisclosure agreements are an important part of maintaining and securing corporate secrets stored on in-house computers. Making a nondisclosure agreement a prerequisite of employment should always be the first step in safeguarding company secrets. These agreements provide a company with an avenue of attack should a violation occur. A violator, who may be a former or disgruntled employee, will be less inclined to disclose secrets if he or she knows that they will be held civilly liable for any monetary damage that can be attributed to their actions, in addition to criminal penalties that may be imposed.
Again, it is necessary to take the offensive posture to safeguard a company’s intellectual property and other secrets before they fall into the wrong hands. In addition to the in-house security measures a company can take, there are serious legal implications, both criminal and civil, for cybercriminals.
Congress Codifies the Computer Fraud and Abuse Act
In the last few years, Congress has promulgated many laws to protect against cybercrime. The legislature codified the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, making it the principal federal computer crime statute. This statute protects all government computers, financial institution computers, and computers used in interstate or foreign commerce or communications. The coverage of this Act is so broad that it incorporates almost any computer that uses a modem to access or retrieve data. The statute also prohibits unauthorized access, or access exceeding authorized access, to obtain information from a US government agency or any information from a “protected” computer. A protected computer as defined by the Code is any computer which is used in interstate or foreign commerce or communication, which seems to include just about everyone who communicates on the internet. What is important to note about this statute is that the requirement of “obtaining information” does not require the act of downloading or destruction of existing information; observation alone is enough. Under this statute, it is therefore a crime if theft is “only” of computer time, and it is a felony if the value of the computer time taken is $5,000 or more in any one-year period. The calculation of this dollar amount can be reached in a number of ways, including calculating the damage to the system, which includes the system repair costs, as well as the costs from the lost use of the system. Therefore, this $5,000 threshold can be easily reached under the statute.
“Observation Only” is Enough for Prosecution
In addition to the amount threshold, the Computer Fraud and Abuse Act will help with the prosecution of any intruder who steals company information by “observation only” and is worthwhile to pursue to help a company preserve its rights to the “observed” information. Of course, discovery of sensitive corporate secrets during trial is another matter which needs to be addressed, most notably through the use of “protective orders” authorized by the court. It is important to note that with prosecutions under the Economic Espionage Act (EEA), 18 U.S.C. § 1831, the courts are explicitly authorized to enter orders to “protect” the confidentiality of trade secrets in criminal prosecutions. There are several levels of offenses under this Act ranging from a mandatory minimum 6-month jail term. In addition, 18 U.S.C. § 1030(g) creates a private civil right of action for victims of the conduct prohibited by the statute. Under this statute, a victim can claim both economic damages and injunctive relief resulting from the violation of the provisions of the Computer Fraud and Abuse Act.
Massachusetts Heightens the Penalty for Cybercriminals
In addition to federal law, Massachusetts has pending legislation to toughen the laws against cybercriminals. The existing penalty for unauthorized access to computers is $1,000 or 30 days in a house of correction. Proposed legislation would create a more encompassing penalty structure ranging from 2½ years to 10 years incarceration. Proposed legislation would also increase existing fines for unauthorized access to include fines ranging from $2,500 up to $10,000. In addition, Massachusetts has a state trademark statute allowing state law enforcement to prosecute sellers of counterfeit or pirated products, including software, as well as other computer-related laws.
Where Do We Go From Here?
Cybercrime laws are getting stricter, with harsher penalties for those who violate them. But as always, the best defense against a cyberattack is a good offense. Don’t wait until your company secrets are compromised. Technology is now available to protect your proprietary information against cyberattackers, but protection is only as good as the implementation and maintenance of the security devices you have in place. As always, there is no substitute for security training and a knowledgeable system support staff to fend off would-be cybercriminals.
Copyright 2000, Mary Kay Elloian
Attorney Elloian is a principal of the Law Offices of Mary Kay Elloian in Burlington, Massachusetts. She holds an M.B.A., and has an extensive background in high-tech and computer documentation and analysis. Her practice area includes cyberlaw, licensing, and high tech contract law as a complement to her general business/corporate law practice. She can be reached by email at Counsel@EstatePlanningForFamilies.com or on the worldwide web at www.EstatePlanningForFamilies.com