Cyberespionage

In general, economic espionage takes place when the culprit steals a trade secret in order to be used for the benefit of a foreign government, foreign instrumentality, or foreign agent. There are various state and federal laws that prohibit economic espionage.

In some cases, foreign agents have stolen trade secrets from companies to obtain an unfair advantage. These activities may constitute cyberespionage operations that are usually initiated by foreign hackers. The culprits engage in cyber spying which happens when the individuals procure intellectual properties (e.g., trade secrets) without the owner’s knowledge or consent. The bad actors use different types of malware (e.g., virus, trojan horse, spyware) to accomplish the task. Also, cyber spying has recently involved analyzing the general public activities on social media websites for strategic advantages and subversion. Unfortunately, in most cases, the victims find out about these cybercrimes at a later time.

The courts have been grappling with these cases for several years. For example, they have faced situations where the culprits have stolen confidential information from military research institutions by using sophisticated malware. Foreign government agents have surreptitiously attacked foreign ministries in order to gather foreign intelligence. Private corporations have fallen victims to these attacks when their employees distributed confidential information to competitors. The U.S. Government’s Office of Personnel Management (“OPM”) was targeted several years ago wherein the culprits gained unauthorized access to the private information of approximately 21 million citizens. In fact, large corporations have fallen victim to cyberespionage when the perpetrators have exploited vulnerabilities and used stealth techniques to gain unauthorized access to confidential information. Large spy networks (e.g., GhostNet) have been able to gain access to highly-confidential information by compromising computer network infrastructures. Foreign actors have initiated clandestine operations to gain access to energy companies and steal their data (e.g., topographical maps). There have been reports that politicians have been targets of these cybercrimes since they have access to sensitive foreign policy information.

Also, international laws may be applicable to some situations because there are foreign actors that extract the information and transfer it to a foreign country. For example, the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) of the World Trade Organization compels the members to safeguard intellectual property rights within their territories.

Cyberespionage (a/k/a “digital espionage”) may happen at every level whether as an internal or external attack. Therefore, business owners must be aware of the preventive and reactive measures. For example, using special types of hardware and software tools to protect private, sensitive, or confidential information is important. Business owners should regularly train employees so they would be familiar with the various types of covert operations. Moreover, business owners should have a plan if they become cybercrime targets. This plan may include obtaining a forensic report and informing the management team, law enforcement agencies, and affected users.

We must understand the threat so we can come up with a practical solution. We must find the motive and be able to identify the technique that was used to initiate the threat. Then, we must take a practical approach to be able to properly protect the sensitive information. Business owners, investors, or entrepreneurs must understand that their company’s information is valuable. It’s valuable because it yields confidential and proprietary information (e.g., intellectual property) that should be protected. There are different ways to protect intellectual properties which includes using advance technical applications to detect, notify, and protect the attack. Also, the courts can provide legal and equitable relief against the perpetrators – e.g., injunctions, monetary damages. There are state and federal laws that can apply to each situation. So, it’s necessary to have a qualified legal and technical team on your side for these situations. Also, you need to know your rights and responsibilities when or if your company is hacked so you can follow the proper security breach notification laws.

For example, California Civil Code § 1798.29 states that:

Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Moreover, California Civil Code § 1798.82 states that:

A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

These statutes outline the rights and responsibilities of individuals and commercial entities that store, maintain, or control personal information. They define “personal information” as social security numbers, driver license numbers, credit card numbers, or medical information. However, personal information does not include publicly available information that can be extracted from state, federal, or local government records. These statutes also outline when and how they should notify the affected parties. So, as a final note, it’s important to speak with a knowledgeable cyberlaw attorney regarding your legal rights.