Skip to Content

A Modern Game of Hide and Go Seek? Some Lessons Learned Following Sony and Other Widely-Publicized Data Breaches

While the recent hack of Sony was prominent news because of the celebrity ties and potential geo-political implications, other prominent cyber-attacks over the last few months are enough to give any company pause. The January 2015 hacks of Swiss bank BCGE and American health insurer Anthem show us, once again, that any company could be next.

There is always the risk that an inside job could lead to the unauthorized disclosure of private, proprietary, and/or highly confidential information, including personal health information—any of which may result in lost business, reputational harm, regulatory actions, and/or civil lawsuits, such as the class action lawsuit filed in January 2015 against Sony Pictures by former employees alleging violations of the California Confidentiality in Medical Information Act.

Sony succeeded in getting a good portion of its hacked material (e.g., movie scripts) removed from various websites—but this was primarily because the hacked material is protected under U.S. copyright laws, and thus was promptly removed by the websites pursuant to the take-down provisions of the Digital Millennium Copyright Act (DMCA). What other laws might be of use to a company following a data security breach, especially when the information does not fall under the DMCA? Consider the following federal statutes:

  • Computer Fraud and Abuse Act (CFAA): The CFAA broadly prohibits unauthorized systems access, including by employees that exceed their authorized access. It provides for civil and criminal liability; however, a civil action requires a showing that the violation caused "loss" (as defined in the CFAA) aggregating at least $5,000 in value.
  • Electronic Communications Privacy Act (ECPA): The ECPA provides for civil and criminal liability for unauthorized systems access, including any electronic communications (e.g., emails) disseminated after such access, and allows for compensatory, statutory, and punitive damages, and reasonable attorneys’ fees and costs.
  • Stored Communications Act (SCA) of the ECPA: Under the SCA, it is a crime to intentionally access emails or other electronically stored communications without authorization, or to intentionally exceed authorized access to such communications. In a civil action, the SCA provides for compensatory, statutory, and punitive damages, and reasonable attorney’s fee and costs.

In addition, state computer crime and state trade secret statutes could afford protection and relief to companies that experience a data security breach. However, in an increasingly interconnected world, it is possible that the laws of more than one state would be applicable in a particular instance.

One fact remains true: being proactive before any data security breach is the best protection for limiting repercussions following a data security breach. This includes the implementation of a comprehensive written information security plan that outlines the necessary steps and contacts for recovering and limiting the spread of accessed information, and pursuing hackers, as well as frequently testing the plan for opportunities to improve its effectiveness.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.