Cyber Attacks on IP: A Civil Response
Attacks by computer hackers on retailers such as the January 2012 attack on Zappos.com remind us that no one’s intellectual property is safe from cyber attacks—not even a shoe shopper’s. Attacks such as the December 2011 attack on Strategic Forecasting, Inc. (Stratfor) and the February 2011 HB Gary attack confirm that not even those with the motivation and means to thwart a cyber attack cannot successfully do so.
The attacks arise for different reasons. An attack’s objective may appear as merely criminal; for example, attempting to steal consumer data electronically stored by Zappos. And, as attack may be driven by ideology—Anonymous’s humiliating attack on HB Gary, following the security firm’s announcement that it would expose the identity of the unknown hackers’ guild. An attack may also have geo-political roots, supported by a nation state: it was reported in May 2010 that the elements of China’s military hacked the U.S. Chamber of Commerce’s computer network to gain information about the lobbying group’s more than three million members. That information was reportedly used to then infiltrate specific Chamber members involved in Asian policy. Attacks occur for mixed reasons as well. Stratfor’s CEO explained, in his apology for failing to prevent its hackers, that while consumer and commercial data was hacked, the attack was motivated by a desire to destroy Stratfor and expose and embarrass its clients.
While these recent examples confirm that all persons, corporations, and governments are potential victims, and suggest that the frequency and sophistication of cyber attacks is increasing, attacks need not be sophisticated. A scrupulous competitor and disloyal employee may simply work together to gain unauthorized access to a firm’s computer network to harm the firm, and benefit from the ill-gotten information and the advantage resulting from the harm caused. To illustrate, a 2004 case arising in Idaho pitted a trucking website operator against its competitor and a former employee. The competitor wanted to grow its market share, and to do so, engaged in such dishonest tactics as using its customers’ login and password to access the trucking website, reasoning that customers were likely to use the same information rather than creating and remember new logins and passwords. Further, the competitor lured away an employee who, before leaving his employment at the trucking website operator, gave his new employer a tour of the trucking website, and then downloaded information, including confidential customer information, and emailed it to his personal email account. The jury and the courts confirmed that this competitor and its “old-fashioned tricks” were unfair and unlawful, awarding the trucking website operator damages and costs associated with responding to this cyber attack, such as the forensic investigation necessary to understand the scope of the attack and learn the identities of the attackers.
An appropriate response to cyber attacks may be criminal prosecution, but it cannot be expected that all reported cyber attacks will be fully and effectively investigated, or even that all cyber attacks will be timely reported. Moreover, criminal punishment may also not provide the most appropriate remedy to the victim. The U.S. enacted the Computer Fraud and Abuse Act (CFAA) in 1984 to combat hacking. Since its enactment, and as amended, the CFAA allows civil litigants to bring claims against “[w]hoever conspires to commit or attempts to commit” the cyber attacks prohibit by the CFAA. The trucking website operator successful civil action was brought under the CFAA. In addition the protections afforded by the CFAA, many states have enacted statutes similar to, and sometimes broader than, the CFAA.
As the volume of electronically stored information grows, along with our reliance it, more and more “honey pots” are created. And your “honey pot” even a small one can be irresistible to your competitors or those that you thought you could trust. Consequently, whether it is customer data, commercial and financial information, state secrets, or other intellectual property such as trade secrets or know how, no electronically stored information can be consider entirely safe from cyber attacks.
Unfortunately, once an attack is discovered and the attackers identified, the harm is often already done. But, the resources spent on investigating and mitigating the harm are recoverable. And, the forensic effort made to uncover the attack’s details may prevent future attacks. Further, a successful civil litigant may obtain injunctive and monetary relief sufficient to deter others from considering the litigant a soft-target.
 See Creative Computing v. GetLoaded.com LLC, 386 F. 3d 930 (9th Cir. 2004).
 18 U.S.C. section 1030 et seq.