By BECKY GILLETTE
There are potential criminal and civil liabilities for hackers who compromise trade secrets, customer names and credit card information from a business. But finding the hackers, proving the case and then also being able to collect damages is a daunting challenge.
“There is potential criminal liability for the hackers, assuming that you can find them and produce evidence of wrong-doing,” said Matthew Steffey, a professor of law at Mississippi College School of Law. “There is certainly the potential for civil action for anyone who invades a company’s internal system. It is a form of sabotage and a form of theft. The law protects against those things, burglars both real and virtual. But it is a long road between a right and a remedy. It requires expensive lawyers and information technology experts.”
The first problem is finding the hackers. Often the hackers are in the Ukraine or some other area of the world outside of the reach of the U.S. judicial system. It can be expensive and difficult to prove the true identity of a hacker who has likely used techniques to hijack other servers or email accounts that provide camouflage for what they are doing.
For criminal proceedings, businesses can contact the U.S. attorney general’s office. But Steffey said the U.S. attorney is already busy trying to keep U.S. government data protected.
It isn’t so much that the law doesn’t provide a remedy or punish wrong-doers. It does. But it reminds Steffey a bit of the stern warnings about pirating movies that run at the beginning of each movie. Tracking down someone making bootleg copies of the latest movies in China can be impossible.
“You can hire a lawyer,” Steffey said. “You can get orders. But unless the hacker happens to live in your locality, a remedy after the fact is little comfort. You can get a judgement on paper, but can’t collect against a person you can’t find.”
What about people re-posting confidential information on social media, such as the recent information that caught up prominent people who had signed up for the Ashley Madison dating website for married people? Steffey said if the information is true, likely there is no problem with posting it. But there are potential legal difficulties in republishing a libelous statement. Yet once an issue enters the public domain, there is very little in the nature of a public remedy.
Once 500,000 people have seen or commented on someone found on the Ashley Madison website, it becomes a legitimate news story that is then protected by the First Amendment.
Steffey said just like with the old-style embezzler, businesses are most at risk from their own employees.
“Unlike Ashley Madison, most businesses are not engaged in things that are of interest to the outside world,” he said. “If you are a manufacturing company or trucking firm, outsiders are not usually interested in your info. So most data security risks come from within the company. Half the time, cyber security problems are from someone on the inside.”
Mississippi Attorney General Jim Hood agrees that most in-state hacking involves disgruntled employees and/or terminated employees.
“We also see individuals who were hacked in relation to cyberstalking type criminal activities,” Hood said. “Most hacking cases involve suspects in other countries, mostly Russia or former Soviet Union. We have an investigator assigned to the FBI Cybercrime Task Force that works leads in these cases. The FBI has the authority and means to investigate multi-state and international hacking incidents.”
Cybercrimes involve numerous crimes defined in state statute.
“Obviously, we stay pretty busy so we feel they are pretty common,” Hood said. “Child exploitation remains the primary crime committed in Mississippi where a computer or the Internet is used as the primary means or instrumentality used to commit the crime. Other crimes involve data breaches, denial of service, intrusion, spear phishing and ransomware.”
Hood said to prevent becoming a victim of a cybercrime, keep computer systems updated, patched and firewalled. Virus protection software is also highly advisable.
“Other things include employee training regarding a social engineering attack (think rogue email that installs malicious code),” Hood said. “Mandatory password rules, data encryption, dedicated IT security personnel and periodic penetration testing are also good ideas.”
Under MS Code § 75-24-29, if a business experiences a breach and the breach appears to be for fraudulent purposes or could cause harm to those affected, then the business must somehow give notice to those whose personal information was disclosed.
“Under this section, if businesses fail to give notice as required, then the Attorney General’s Office may treat it as a violation of the Consumer Protection Act,” Hood said.