471 PLI/Pat 737





Practising Law Institute

Patents, Copyrights, Trademarks, and Literary Property Course Handbook Series

PLI Order No. G4-3987

March, 1997



17th Annual Institute on Computer Law: The Evolving Law of the Internet -- Commerce, Free Speech, Security, Obscenity and Entertainment



ALTERNATIVE CORPORATE RESPONSES TO INTERNET DATA THEFT



Ian C. Ballon



Copyright (c) 1997 Ian C. Ballon. All rights reserved.



I. THEFT OF CORPORATE INFORMATION -- AN OVERVIEW.



A. The Problem of Internet Theft.

Theft of corporate data is one of the most serious, and most common, problems facing industry in the information age. Only a small percentage of corporate theft is actually reported to the police because companies fear that publicity could be harmful and, in cases of external penetration, embolden crackers to try "copy cat" break-ins.



B. The Profile of Internet Thieves.

Corporate information typically is stolen by three types of people: (1) employees, (2) crackers, who break into computer systems for the challenge of doing so (or for malicious reasons), and (3) industrial spies. Most computer crime is committed by company employees. Increasingly, however, the Internet is being used for corporate espionage.



C. Detection Problems.

While corporate security departments can detect theft of tangible property by posting security guards at entrances, using video cameras and taking physical inventories, theft of company data poses special problems of detection and retrieval.

1. Detecting a Loss. Companies may not detect losses because information in digital form may be copied exactly, without any degradation in quality. Information therefore can be moved offsite almost transparently over open networks and telephone lines; unlike tangible property, when information is stolen, it is merely copied, and the original may be left intact.

2. Identifying the Thieves. Once a loss is discovered, it may be difficult to trace how the information was moved, since the trail left by computer thieves is more subtle, and can be more easily masked, than when tangible property is stolen. In addition, once information has been stolen, it may be difficult to determine where it was sent, and how many copies were made (since digitized information can be copied exactly).



II. INTERNET SECURITY.



There are three levels of Internet security relevant to corporate theft: (1) the security of information while in transit over the Internet; (2) gateway security; and (3) internal security on the sender's and recipient's internal networks. While the Internet is relatively secure for most types of communications, trade secrets or other valuable corporate information generally should only be transmitted electronically in encrypted form or over secure lines because of potential gateway security limitations and the ease with which electronic communications may be forwarded to unintended recipients.



A. The Security of Internet Transmissions.

1. Interception is Difficult. Under the TCP/IP protocols which govern the transmission of information over the Internet, a single message may be broken into multiple packets and sent by different routes to the recipient's address, where the packets are reassembled. It is therefore very difficult to actually intercept a complete Internet communication while in transit.

2. Interception is Illegal. Just as it is a federal crime to tap telephone lines (without a court order), it is a criminal offense to intercept an email message transmitted over public communication lines. 18 U.S.C. §§ 2510 et seq.; United States v. Maxwell, 42 M.J. 568 (U.S. Air Force Crim. App. 1995).



B. Gateway Security.



A gateway controls access to and from a computer network.

1. Open Networks are Designed to Allow Access. The Internet originally was designed to facilitate, rather than prevent, access to remote computer systems, and experienced hackers know many ways to gain unauthorized access to a company's computer network.

2. Firewalls. Companies protect the point of connection between their internal networks and the Internet through firewalls. A firewall is a collection of components or a system that is placed between two computer networks (through which all traffic into or out of a network must pass), which prevents unauthorized access to a network and is itself immune to penetration. NCSA Firewall Policy Guide 5 (1996), citing William R. Cheswick & Steven M. Bellovin, Firewalls and Internet Security (1994). There are three basic types of firewalls: (1) packet-filtering routers, (2) application level (proxy) servers, and (3) stateful inspection. Chey Cobb, "Just the Facts," NCSA News, Oct. 1996, at 8.

3. Firewall Maintenance. Crackers continually devise new ways to break through firewalls. To remain effective, a firewall needs to be maintained and updated periodically.



C. Internal Company Security.

1. Companies Cannot Rely Exclusively on Firewalls for Security. Potentially the greatest threat to the security of Internet communications occurs inhouse, where information may not be properly protected.

2. Human Error. Human error, in addition to theft, may account for security lapses. Information in digital form can be copied in a matter of seconds, and effortlessly (and thoughtlessly) forwarded to people who should not have access to it.

3. Email and Internet Policies. Companies typically adopt Internet use and email policies, including provisions governing retention and destruction of email, in part to address security concerns.

4. Internal Use of Encryption and Access Restrictions. Companies also establish private areas on a corporate network, or encrypt sensitive material available over an intranet to restrict access to confidential material.



III. CHOOSING BETWEEN CIVIL AND CRIMINAL REMEDIES.



A. The Challenge for Counsel.

1. Pre-plan a Company's Response. Inhouse counsel and attorneys advising corporate clients need to anticipate information crimes before they happen, and consider the alternative remedies available, in order to be able to immediately implement a response plan when a problem arises.

2. Quick Action is Required When Information is Stolen. Companies need to take swift action because of (1) the speed with which information may travel over open networks; (2) the ease with which it may be copied; and (3) the difficulties of tracing the origin of the loss or intended recipients of the information, especially with the passage of time. Data in digital form can be quickly, easily and inexpensively copied exactly, and then stored on disk or transmitted over the Internet or other open networks.

3. Evaluate Potential Civil and Criminal Remedies. In quickly responding to a report of a potential corporate loss, counsel need to understand the interplay between civil and criminal remedies. In evaluating how to proceed, counsel need to consider the source of the problem (an employee vs. an unknown cracker), the extent of loss (if known), potential future damage, and the likely public relations effect of initiating legal action.

4. Most Information Crime Goes Unreported. Frequently, companies choose to avoid adverse publicity and resolve matters internally.



B. Benefits of Choosing Criminal Remedies.

1. Broader Preliminary Relief. The government may obtain a broader search and seizure order than a civil litigant pursuing a seizure order and T.R.O., and may be able to obtain relief more quickly.

2. Greater Credibility. The government potentially has greater credibility with the court in obtaining preliminary relief as a disinterested party.

3. Jurisdiction. Law enforcement agencies can more easily overcome jurisdictional obstacles to obtain prompt relief when potential defendants are located in different states or foreign countries. The FBI has national jurisdiction, and many government agencies have cooperative relationships with law enforcement authorities in other countries.

4. Cost. Investigation costs are borne by the government.



C. Disadvantages of Choosing Criminal Remedies.

1. Loss of Control. Prosecutors will decide how, when and whether to proceed, and the terms of any plea bargain.

2. Inadequate Resources. Many municipalities do not have the resources to maintain a high technology crimes unit, or to pay experts to analyze computer backup tapes and hard drives or to investigate other places where evidence of computer crimes will be found.

3. More Difficult to Obtain Relief on the Merits. There is a higher burden of proof in criminal cases than in civil matters.



D. Benefits of Initiating a Civil Action.

1. Greater Control. A plaintiff may maintain greater control over the prosecution of a civil action, and be able to frame the nature of preliminary relief sought (including the terms of any protective order governing nondisclosure of confidential information).

2. Better Long Term Relief. It may be easier ultimately to prevail on the merits in a civil action than in a criminal case, where the defendant is afforded added constitutional protections and the state has a higher burden of proof. A civil action may be brought in addition to a criminal action.

3. Settlement. In some cases, it may be easier to reach a settlement if there is not also an ongoing criminal investigation.



E. Disadvantages of Initiating a Civil Action.

1. Preliminary Relief More Difficult to Obtain. It may be more difficult, and take longer, to obtain a T.R.O. than it would for the government to obtain a search and seizure order.

2. Educating the Judge. A civil litigant seeking preliminary relief may need to quickly retain an expert to explain Internet technology -- and what has been stolen -- to a judge, which may be difficult and expensive on short notice.

3. The Broad Relief Necessary to Trace Internet Theft May be Difficult to Obtain at a Preliminary Stage of Civil Litigation. It may be difficult to obtain a suitable civil seizure order in an Internet case since a judge may be reluctant to enter a ruling that could effectively shut down a company's computer network (even for a brief period of time), if it would cause a substantial disruption to the company.

4. A Network Computer Consultant May Need to be Retained to Implement a Court Order. A civil plaintiff may need to ask that a special master or court-appointed expert implement any order relating to the theft of information. Nonexperts may be ill equipped to execute an order seizing a network server or email backup tapes, and the court may be unwilling to designate an employee of the plaintiff or some other non-neutral party.

5. Bond. A T.R.O., preliminary injunction or seizure order generally will issue only upon the posting of a bond, which may be difficult or expensive for a plaintiff to obtain.



IV. CHECKLIST OF POTENTIAL CRIMINAL REMEDIES.



[Table Deleted]



V. CHECKLIST OF POTENTIAL CIVIL REMEDIES.



[Table deleted.]





VI. MINIMIZING THE RISK OF DATA LOSS.



A. Plan Ahead.



When theft occurs, a company may have only a limited time within which to act if it hopes to trace the source of a loss and take effective measures to limit the distribution of the stolen information. In the time it takes to determine whether the local police department has a technology crimes unit capable of responding to the problem, or whether civil or criminal remedies should be pursued, information can be copied thousands of times and the task of detection made more complicated.



B. Protect Against Internal Threats.

1. Email and Internet Use Policies. Companies should adopt and enforce email and Internet use policies.

a. Reasons Why Companies Should Adopt Internet Policies.

(i) To negate any expectation of privacy employees might otherwise have. As a general rule, individuals have an expectation of privacy in Internet email communications. See United States v. Maxwell, 42 M.J. 568 (U.S. Air Force Crim. App. 1995). In at least one case, Smith v. Pillsbury Co., 914 F.Supp. 97 (E.D. Pa. 1996), a federal district court in Philadelphia, applying Pennsylvania state law, held that an employee who was fired for the contents of an email message that he transmitted from a company computer had no cause of action for wrongful termination because he did not have a reasonable expectation of privacy. Whether, in the absence of a formal policy, an employee has a reasonable expectation of privacy in email may be resolved differently in different jurisdictions. For security, as well as practical business reasons (for example, when an employee is ill or on vacation), companies should retain the right to monitor employee email.

(ii) To limit liability under the Telecommunications Act of 1996. By taking affirmative action to monitor email transmissions for offensive conduct, a company may be able to avoid indirect liability for third party violations of state law (such as sexual harassment and defamation) under the Good Samaritan exemption created by the Telecommunications Act of 1996.

b. Terms to Include in an Email Policy.

(i) The company owns the computer system and all data stored on or transmitted over company networks.

(ii) The employee has no right to privacy in any information stored on the system. The employer reserves the right (but does not assume the obligation) to monitor employee email.

(iii) Define categories of email that should be retained in the ordinary course of business and specific procedures for retaining such communications.

(iv) Purge all other email messages at regular intervals.

2. Encryption.

a. Encryption Defined. Encryption has been defined as "the process of disguising a message in such a way as to hide its substance ... " Karn v. Department of State, 925 F.Supp. 1, 3 n.1 (D.D.C. 1996), citing Bruce Schneier, Applied Cryptography, at 1 (1994). Cryptography, or the science of encrypting messages, has been used for centuries to protect confidential information in transit from an author to its intended recipient. With the advent of computers, it became possible to generate more complex codes for encrypting messages using mathematical algorithms. Internet messages may be encrypted by converting information (stored in digital form as a series of 1s and 0s) into an incomprehensible code through use of a cryptographic algorithm.

b. Use of Encryption. Sensitive information stored on intranets should be encrypted.



C. Protect Against External Threats.



Companies should establish and maintain firewalls and encrypt certain sensitive information stored on a company network, intranet or extranet.



VII. UPDATE INFORMATION AND NEW CASE LAW.



This outline may be updated periodically to account for the rapid transformations taking place in the emerging field of Internet law. To request a free update, email your name, address and phone number to iballo00 @counsel.com or contact the author by fax or phone.



FN1. This outline is excerpted from the forthcoming book "The Law of the Internet," which will be published by Glasser Legal Works in 1997. (c) 1997 Ian C. Ballon.