On May 7, I appeared on the PBS Newshour to discuss an appeals court ruling on the National Security Agency’s (NSA) program that collects the phone data of millions of Americans.  The US Court of Appeals for the Second Circuit found that the program is illegal and not sanctioned by the Patriot Act.

The full interview can be viewed at PBS Newshour.

Most people who’ve heard of “Bitcoin” know it only as a virtual currency sometimes used by criminals.  But there are entrepreneurs, engineers, venture capitalists, and bankers who are betting big on the untapped economic potential of the “blockchain” – the underlying technology that makes Bitcoin run.  In a sense, Bitcoin is just the first “app” to use the blockchain technology.  There will be many other apps in the years to come that could transform the way we do business, the way we move assets, and, through the Internet of Things, even the way we live.  But for the blockchain’s potential to be realized, Bitcoin cannot be perceived as the “currency of criminals” – and that means law enforcement has to be able to go after those who would use Bitcoin and the blockchain to commit crimes.

One of my responsibilities at the Justice Department was overseeing the Criminal Division’s cybercrime and transnational organized crime programs.  Based on that perspective, I recently did a backgrounder for Coin Center – “How Can Law Enforcement Leverage the Blockchain in Investigations?” – which discusses how, contrary to popular belief, Bitcoin and the blockchain technology actually provide significant advantages for law enforcement in conducting investigations of those who would seek to exploit this technology for criminal purposes.

I recently did a guest blog for ID Experts regarding the cyber risks facing health insurers in the wake of the Anthem and Premera breaches.  The post, “More Health Insurer Data Breaches Are Coming – What Can You Do to Prepare?,” provides an overview of what other health insurers can do to mitigate their risk of a breach and to respond effectively if and when one occurs.

I hope you will join us on Thursday, May 7 from 6:00 pm – 9:00 pm for the “Triple Entente Beer Summit” at The Washington Firehouse (1626 North Capitol Street Northwest, Washington, DC).  This live recording of the three podcasts – Steptoe Cyberlaw Podcast, Lawfare Podcast, and Rational Security – will be your chance to meet the voices behind the podcasts, ask all of your burning cyberlaw questions, and support Lawfare.

Tickets to the event can be purchased at Lawfare.

The executive order allowing the President to impose OFAC sanctions on hackers is good news.  I’ve been calling on the government for several years to go beyond attribution to retribution.  See, for example, this post from 2012, this Foreign Policy article, and this recent podcast with Juan Zarate.  Similar sentiments were expressed in a 2013 report by the American Bar Association.

The good news from the Sony case is how much better and faster we’ve gotten at attributing network espionage and network attacks.  But that won’t do much good until we can also punish those we identify.

This order offers a real possibility that we can.  Even the hackers don’t want to work for government forever; they hope to run startups just like everybody else, but that will be hard with an OFAC sanction hanging over their heads.

And the companies that benefit from stolen trade secrets could also find themselves sanctioned, since the order extends to them as well. Sanctions can be applied to any company that is:

responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

The program is a bit of an empty shell right now:  it authorizes but doesn’t apply sanctions to any hackers.  But if it’s used wisely it could be a game changer — the first real deterrent to cyberspying and cyberattacks.

The House Intelligence Committee has now adopted a manager’s amendment to what it’s now calling the “Protecting Cyber Networks Act.”  Predictably, privacy groups are already inveighing against it.

Cyberspies can’t count on anonymity any more.

The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities in great detail. More recently, the President outed North Korea for the attack on Sony. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire.

That’s good news, but it’s only a first step. To make a real difference, attribution has to yield more than talk.

Unfortunately, neither the companies victimized by network intrusions nor their governments have yet found ways to turn attribution into deterrence. No one expects to see members of the PLA in federal court any time soon. The administration’s public sanctions on North Korea were barely pinpricks. And Iran could be forgiven for concluding that its cyberattacks were rewarded by concessions in the nuclear enrichment negotiations.

But that’s not the last word. I attended a recent international conference where a surprising number of European officials signaled their eagerness to confront countries engaged in cyberespionage against their industries. They assumed that they could identify the countries that were stealing corporate secrets.

What they wanted were legal remedies — and remedies of a particular kind. They didn’t want to punish the hackers, who all too often are well protected by government. What they wanted was a way to punish the hackers’ customers — the state-owned companies who were benefiting from the theft of competitors’ intellectual property. Unlike the hackers, those companies can’t hide at home forever. To get the full benefit of their shiny new stolen technology, they have to sell their products globally. Which means they have to submit to the law and the jurisdiction of western nations.

But what law? Does a company victimized by cyberespionage have any legal remedies against the company that received the stolen data? That’s the question European (and American) trade officials were beginning to ask.

Faced with that question, I found three plausible legal remedies for companies that are victimized by hacking aimed at their corporate intellectual property. Here they are.

First, victims of cyberespionage could sue the foreign company benefiting from the theft of trade secrets. A company can be sued under the Uniform Trade Secrets Act (UTSA) if it uses “a trade secret of another without express or implied consent” and it “knew or had reason to know that [its] knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA § 1(2)(ii)(B)(II). So if the foreign company had reason to believe that it was receiving data stolen from a competitor’s network, it is at grave risk of liability under the UTSA.

The UTSA has been adopted in one form or another in forty-eight states, and plaintiffs can sue for damages, including “actual loss,” “unjust enrichment . . . that is not taken into account in computing actual loss,” and “exemplary damages” for “willful and malicious” violations. UTSA § 3(a), (b). All of those damages would seem to apply where the defendant was complicit in an attack on the plaintiff’s corporate network.

Second, the federal Computer Fraud and Abuse Act (CFAA) allows private suits against anyone who “intentionally accesses a computer without authorization,” obtains information, and causes at least $5,000 of loss. 18 U.S.C. § 1030(a)(2)(C). That certainly applies to the hackers themselves; but what about the recipients of the stolen data? They’re liable too, at least if they can be shown to have “conspired” with the intruders. 18 U.S.C. § 1030(b). Proving conspiracy poses a higher hurdle than meeting the UTSA’s “reason to know” standard; some courts say that a charge of conspiracy requires “specific allegations of an agreement and common activities.” See, e.g., NetApp, Inc. v. Nimble Storage, Inc., No. 5:13-cv-05058, 2014 WL 1903639, at *13 (N.D. Cal. May 12, 2014). But there will be many times when the evidence strongly suggests both. For example, if the theft of data was more than just a one-off event, there is every reason to believe that the beneficiary of the thefts was actively telling the thieves what to steal.

A third remedy is section 337 of the Tariff Act of 1930. It allows the International Trade Commission (ITC) to bar the importation of goods produced using stolen trade secrets. The ITC may exclude such goods from the United States if they are the result of “unfair methods of competition . . . the threat or effect of which is to destroy or substantially injure an industry in the United States.” 19 U.S.C. § 1337(a), (d). “Unfair methods of competition” includes a federal common law cause of action for the theft of trade secrets, which closely mirrors the provisions of the UTSA. See TianRui Grp. Co. v. Int’l Trade Comm’n, 661 F.3d 1322, 1327–28 (Fed. Cir. 2011). A complaint can be filed in the ITC even if the theft of trade secrets occurred abroad, so long as the theft violated the laws of the place where the secret was stolen. Id. at 1328. Although Section 337 does not allow for the recovery of money damages, a victim of commercial cyberespionage can at least make sure he’s not competing in the United States against products that are produced using his trade secrets and intellectual property.

In short, there are surprisingly robust legal remedies not just against cyberspies but against the companies who benefit from the spies’ intrusions. But that is not the end of the matter. Just having a good legal case does not mean that a victim will bring suit. There are plenty of practical reasons why a lawsuit might not be prudent even with the law on your side. But that’s a topic for another day, and another post.

Recently, I was the keynote speaker for CityNationalBank’s “Cyberespionage: Who Wants Your Data? And What Can You Do About It?,” where I discussed the increased cyberattacks on law firms involved in international mergers and acquisitions.

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.

So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. As I’ve been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.

You can see this pattern in recent data breach settlements. I put this chart together for a talk on the subject at the Center for Strategic and International Studies. While the settlements below all have complications (Sony’s settlement was mostly in free game play, for example), they all cap the defendants’ total liability. And what’s striking about the caps is how low a price these agreements set, especially on an individual basis, where $2.50 per victim looks to set the high end and 50 cents the low. Of course, to determine how much it should spend annually to avoid that liability, a company would have to discount the settlement price by the probability of a breach in any given year. Even Sony doesn’t have a breach every year, so a probability adjustment cuts the value of avoiding liability to something between a half and a tenth. At those prices, I wouldn’t expect much change in corporate cybersecurity budgets.

(I know that these charts don’t account for the biggest claims in cases like Target and Home Depot — banks suing for the cost of reissuing credit cards. That’s a very different theory of liability mainly applicable to a limited number of big retailers. In the end I doubt that liabilities to issuing banks will drive much cybersecurity either, not because the claims are low — they’re more likely to be in the $50 per card range — but because establishing liability will not be all that easy and because things like tokenization will likely prove much cheaper than improving security.)

It was a busy week for companies and government agencies struggling to combat the growing threat of cyber-attacks, with some bad news and some good news.  Here’s what you need to know, and how we can help.

What you need to know

First, the bad news:

  • Lawsuits against Target move forward and lawsuits against Home Depot pile up:  Target faces over 90 lawsuits arising from its data breach last holiday season, including suits filed by consumers, banks, credit card companies, and shareholders.  Last week a federal judge in Minnesota rejected Target’s efforts to dismiss the lawsuits by the banks, clearing the way for banks to go after merchants for alleged negligence in cybersecurity.  Meanwhile, Home Depot revealed in its most recent quarterly SEC filing that it already faces at least 44 lawsuits, as well as investigations by multiple state and federal regulators, arising from the breach it announced just three months ago.  The price tag from the breach so far is reportedly $28 million, but that number will likely grow exponentially in the months ahead.  It has also been reported that Home Depot, like Target, suffered the breach in part because hackers were able to get into its system through a third-party vendor.
  • Destructive malware used in Sony Pictures attack and Iran-based hacking group attacks targets worldwide:  Sony Pictures has been victimized by an attack that resulted in the leak of several completed films as well as information about executive compensation and other personal information about employees.  The malware used in the attack reportedly wipes data from computers in a way that makes it nearly impossible, if not impossible, to recover it.  The FBI is warning other US businesses that they face a similar threat.  Meanwhile, the FBI also released an alert to US businesses in multiple sectors about coordinated cyber-attacks originating from Iran.  A private security firm released a report about the same hacking group, indicating that victims included a defense contractor as well as companies in the energy, transportation, automotive, and medical services sectors.

Now, the good – or at least encouraging – news:

  • FTC declines to pursue case against Verizon:  The FTC recently ended an investigation into allegations regarding Verizon’s security practices for customer routers.  But unlike FTC investigations into more than 50 other companies, this inquiry ended without a consent decree requiring fines or burdensome compliance audits.  On the contrary, the FTC closed its inquiry without taking any action based on Verizon’s strong, proactive remedial measures and the quality of its overall data security practices relating to routers.
  • DOJ Criminal Division announces new Cybersecurity Unit:  Leslie Caldwell, the Assistant Attorney General for DOJ’s Criminal Division, announced the formation of a new Cybersecurity Unit within the Criminal Division’s Computer Crime and Intellectual Property Section.  The new unit will act as a central hub to provide legal guidance and expertise for US and foreign law enforcement agencies and to support cybersecurity activities by public and private sector partners.  Those functions are not new – indeed, CCIPS does all of them right now.  But CCIPS has historically lacked the resources to tackle the increasingly global cybercrime problem on the scale it requires, so if the creation of the new Unit means more high-level attention and resources to the effort, then it’s a great step.  But the critical test will be whether new resources are devoted to the section to support the new Unit, so it is more than just a new line on an organizational chart.

What you need to do now

The key takeaways from these developments are:

  • Test your privacy and security program:  If you get breached, you will be sued and investigated.  Just ask Target and Home Depot.  That means it’s important to have a vetted cybersecurity program in place before a breach occurs, and to test and adapt that program as risks and threats evolve.  The best way to defend yourself later when courts and regulators are looking at your conduct is to take proactive measures now, before an incident occurs.  Steptoe can help you review and revise your security program, under the protection of the attorney-client privilege, to mitigate your risk of an incident now and to reduce your litigation exposure later.  We’ve released a free data breach toolkit to help companies better understand how to address these risks.
  • Test your incident response plan and team:  Poor breach response can make a bad situation much, much worse.  A breach is a crisis, and Steptoe can help you test your company’s ability to respond to all aspects of the crisis – including technical, legal, and public relations – through a breach simulation.  That way you can be confident that when the real thing occurs, your people will be able to handle it effectively.
  • Your vendors’ cybersecurity practices could pose a risk to your network:  Target and Home Depot both demonstrate that a hacker can get into your system through one of your vendors or suppliers.  How much do you know about your vendors’ cybersecurity practices?  Do you have contracts with your vendors that obligate them to maintain certain levels of security, and to indemnify you for a breach on your system?  Steptoe can review your vendor management program to help protect you from this third-party risk.
  • Law enforcement engagement and information-sharing are critical:  Sharing of cyber-threat information between the government and private sector has never been more important.  And one of the most challenging parts of breach response is the question of whether and how to engage with law enforcement.  Steptoe has unparalleled government cyber experience and relationships, including former DOJ, FBI, DOD, and DHS officials with responsibility for cybercrime and cybersecurity.

If you have questions about these recent developments or would like to discuss steps to address your cybersecurity and litigation risks, please contact our cybersecurity team: Stewart Baker at 202.429.6402; Michael Vatis at 212.506.3927; or Jason Weinstein at 202.429.8061.