No single event in 2012 defined the legal landscape in data security and privacy law. Companies battled the same threats to data security as in the past, although the perpetrators of those threats have become more sophisticated, malicious and, in some instances, politically motivated. The most prevalent issue for companies continued to be the prevention and remediation of data breaches. Defensive measures taken since 2005 – when data breaches emerged as a significant threat – have not deterred cyber-terrorists and criminals from attempting to steal valuable confidential information. If anything, their efforts are more aggressive. Other data security issues from 2012 included massive distributed denial-of-service (DDoS) attacks against major U.S. banks, in which organized groups attempted to deny the banks’ customers access to their online accounts. In addition, organized crime syndicates used sophisticated malware to steal payment card information from retailers’ point-of-sale (PoS) systems, including Barnes & Noble stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania and Rhode Island.
Going into 2013, the ABA’s Information Security Committee will consider the legal issues facing companies that contemplate fighting back by attacking the sources of cyber-attacks. This “hack back” strategy is attractive to companies that want to quickly disable a threat, but the legal ramifications have not yet been worked out. For example, many cyber-attacks involve unwitting individuals whose PCs have been hacked. What liability would a company face for accessing – and potentially damaging – one of these individuals’ computers to disable an attack?
In a recent roundtable discussion sponsored by the Information Security Media Group, Ron Raether, partner at Faruki Ireland & Cox P.L.L., David Navetta, co-founder of the Information Law Group, and Lisa Sotto, managing partner of Hunton & Williams, reviewed the 2012 highlights and trends in data security and privacy law described above, including the pros and cons of the “hack back” strategy being considered by the ABA. You can listen to the roundtable discussion and read a summary here.