In the aftermath of the Target breach announced last month, there has been understandable anxiety on the part of consumers and understandable concern by lawmakers about how to respond to large-scale breaches of this type.
In recent weeks, there have been calls by members of Congress for hearings on the Hill. Several Senators have demanded an investigation by the Federal Trade Commission (FTC) and have discussed legislation beefing up the FTC’s enforcement powers—although as I’ve written here previously, the FTC has not exactly needed an engraved invitation to investigate data breaches in recent years and does not seem to have been inhibited at all by the lack of clear (some might say any) authority to do so. And just this week, Sen. Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act, which among other things would create a national breach notification standard.
The congressional focus on consumer protection is certainly laudable. In particular, I worked on previous iterations of Sen. Leahy’s bill when I oversaw the Justice Department’s (DOJ) computer crime section, and it’s an important piece of legislation. A national breach notification standard would make compliance easier for companies experiencing data breaches, which now must navigate a patchwork of breach notification laws in 46 states and several U.S. territories. The only people who benefit from this complicated regulatory landscape are lawyers, like me, who advise companies on breach notification. Simplifying these rules may not be good for lawyers, but it will be good for their clients.
But if the congressional response focuses entirely on breach notification and on strengthening the hand of the FTC, then Congress will be, well, off-target. Because it’s not enough to improve our ability to clean up the mess after a breach occurs—we also need to focus on doing more at the front end to identify and punish hackers and to stop stolen data from ever being used.
Imagine if, within hours of discovering the attack, Target brought in computer forensics experts who were able to trace the stolen card data back to a server where the hackers were storing it, find that stolen data and delete it, encrypt it or otherwise render it unusable by the thieves. How many millions of dollars in fraudulent transactions could be prevented? And that’s not to mention the evidence identifying the bad guys that could immediately be turned over to law enforcement for further investigation and eventual prosecution. Isn’t that course of action—preventing the bad guys from profiting from their crimes and helping law enforcement take action to identify and punish them—smarter and cheaper than just focusing on the legal and financial fallout after the stolen data has been used?
So why isn’t this happening right now?
Because the Justice Department’s view is that the Computer Fraud and Abuse Act (CFAA)—the statute used to prosecute hackers—technically could be violated if a company were to take the kind of steps I just described. DOJ also believes that allowing these kinds of measures by victim companies—sometimes called “active defense” but often derisively referred to as “hacking back”—is bad policy, because companies could end up damaging computers owned by innocent third parties that have been taken over by the hackers and used to facilitate their crimes. I used to share that view when I was at DOJ, but my views have changed considerably—I guess you could say this is preaching by the converted.
The reality is that cybercrime is not a problem that law enforcement can solve on its own. While at DOJ, during a 2011 hearing on cybersecurity, I told a Senate Judiciary subcommittee that the scope of the cybercrime problem far outpaced the resources available to pursue it. That was certainly true back in 2011, but it is even more so today, after years of hiring freezes, the sequester and an extremely challenging budget environment.
But even if DOJ’s budget for cybercrime were doubled tomorrow, that still would not be the solution, because law enforcement cannot investigate and prosecute its way out of this problem. Instead, we need to rely on the combined resources and capabilities of the government and the private sector. As one of my colleagues likes to say, the government has clear authority to go after hackers but not enough resources, while the private sector has the resources but lacks clear authority.
So how can Congress help address this problem?
There is a disagreement among commentators about whether the kind of measures I described above do indeed violate the CFAA as currently written. That debate is a topic for another time. But Congress can resolve the issue by amending the CFAA to clarify the authority of companies to take measures to trace and recover or disable their stolen data, without fear of criminal exposure. This can be done in a reasonable, responsible way, in coordination with law enforcement. Should companies be subject to civil liability if, in the course of taking these actions, they cause damage to an innocent third party’s computer (a computer that, by the way, is already under the control of hackers)? Maybe, maybe not. But should they be guilty of a crime? Absolutely not.
There can certainly be debate among reasonable people about the precise types of active defense measures that companies should be permitted to take, and about how coordination with law enforcement should work both legally and practically, but we need to have that debate. And we need Congress, informed by that debate, to make clear that some sort of active defense is permissible, so innocent victim companies can take appropriate action without worrying that they will be treated as criminals.
There is no one silver bullet for the problem of data breaches and other cyber-attacks. We need strong, well-resourced law enforcement. We need good consumer protection measures. We need companies to adopt sensible cybersecurity measures. But we also need companies to be able to take reasonable actions to track down and delete or disable their stolen data—whether we’re talking about 40 million credit and debit card numbers or a company’s trade secrets or other intellectual property—before the hackers can do further harm. And we need to use the information developed along the way to help law enforcement punish those hackers and deter others.
One other aspect of the early reaction to the Target breach is noteworthy, and frankly a bit troubling. The focus on breach notification and FTC authorities, and the tenor of some of the public comments made by folks on the Hill, seem to reflect an assumption that the breach is Target’s fault. Target is being treated as if it’s guilty until proven innocent or, I should say, “negligent until proven reasonable.” That’s simply unfair.
Just because a company is hacked doesn’t mean it did anything wrong. A company can have the best cybersecurity in the world and still get hacked. Often, companies that are the victims of cyber-attacks are just that—victims.
Class-action lawyers may be ready to blame the victim here, but the rest of us should withhold judgment. It’s way too early in the investigation to be assigning blame—except to the hackers themselves.