Recent highly publicized cyberattacks, including WikiLeaks’ dump of CIA documents in early March and the hack of the Democratic National Committee in 2016, underscore the threat that both companies and government agencies face from cyberattacks. Now more than ever, companies should be cognizant of the imminent risk of attack and the potential catastrophic effects. In a December 2015 report, the Association of Corporate Counsel found that one-third of reporting companies had experienced a data breach within the past few years. Cybersecurity and privacy issues impact every industry and present ongoing challenges that must be clearly understood and addressed by executive management and at the board level.
Cyberattacks often fall into one or more common scenarios, which include insider attacks, social engineering, exploitation malware, extortion and blackmail, and ransomware.
In an insider attack, employees or contractors exploit their positions to hack the company’s computers or otherwise compromise its IT systems. Social engineering is a hacking technique that uses low-tech or nontechnical approaches to persuade people to bypass security procedures and disclose sensitive information, most often through email “phishing” or in-person interaction aimed at uncovering access codes and passwords. Exploitation malware – commonly viruses and other malicious software that infect systems through email – exploits vulnerabilities in a company’s computer systems and can steal Social Security numbers and bank account information. Under an extortion and blackmail scenario, a company may receive threats from individuals who claim to have hacked its computer systems and offer to return stolen confidential information in exchange for money. Ransomware attacks combine malware and extortion: attackers install malware that makes a company’s systems or data inaccessible, then demand payment to release the systems or data back to the company, often through hard-to-trace online payment methods such as Bitcoin.
A number of federal and state criminal and civil laws are potentially implicated in a cyberattack. The Computer Fraud and Abuse Act (CFAA) is the main federal criminal statute regulating computer crimes. The CFAA criminalizes accessing computers without authorization and governs cases involving computers used by or for a financial institution or the U.S. government, or computers used in interstate or foreign commerce. The penalties for committing CFAA offenses range from imprisonment for up to one year for simple cyber trespassing to life imprisonment when death results from intentional computer damage. The Wiretap Act, as amended by the Electronic Communications Privacy Act, prohibits the interception, use or disclosure of wire and electronic communications and allows for civil and statutory damages. The Stored Communications Act makes it illegal to intentionally access, without authorization, a facility through which an electronic communication service is provided. Offenses are punishable by fine and/or imprisonment. Civil and criminal actions may be available for copyright infringement under the federal Copyright Act and trademark infringement under the federal Lanham Act or state trademark law. The Digital Millennium Copyright Act prohibits the circumvention of technological anti-piracy measures built into most commercial software that control access to copyrighted works. Further, the Racketeer Influenced and Corrupt Organizations Act (RICO) provides criminal penalties, including up to 20 years of imprisonment, for acts performed as part of an ongoing criminal organization.