The Fear of Data Theft: How Lawyers Navigate Cybersecurity Challenges

Use these links to jump to different sections:

• “Pay the Money and Your Computer Won’t Be Hurt”
• The Misguided Assumption That You Won’t Be Targeted
• Data Terrorism
• What Can You Do Against Cyber Threats?
• Get Experienced Legal Help

If hackers steal your credit card info, they can ruin your day. If they steal your Social Security number, they can wreak financial havoc for years.

But if they freeze or steal your computer data, they can ruin your life or threaten your company’s very existence.

Identity theft is the digital headache of the 21st century. Millions of Americans struggle to recover from the paperwork hassles it brings each year.

And it seems to be getting worse. In the cat-and-mouse game between hackers and security professionals, the bad guys are running up the score.

“Pay the Money and Your Computer Won’t Be Hurt”

“I’m feeling like we have a lot less control [over protecting data],” says privacy lawyer Lisa Sotto of Hunton Andrews Kurth in New York City. “I was on a panel recently, and there wasn’t a whole lot of optimism among the speakers about business’ ability to manage the current cybersecurity threat environment. The hackers have made quite a splash in recent years.”

In January 2015, Alina Simone wrote in The New York Times about helping her terrified mother pay a $500 extortion fee in Bitcoins to hackers who had seized control of the woman’s computer and encrypted all her files. The cybercriminals used a malicious virus called CryptoWall that infected thousands of computers through spam or booby-trapped websites.

“That’s exactly how I see it going: companies and individuals paying ransomware demands because they generally have no choice,” Sotto says.

Such payments for cyberattacks, she says, are already common.

“I do not believe there is a heck of a lot of negotiation involved… Hackers who are operating in the ransomware space are not asking for exorbitant amounts, so, for the most part, what I hear is that people are paying.”

The Misguided Assumption That You Won’t Be Targeted

It’s understandable for individuals to believe they wouldn’t be targeted, says Melinda McLellan, a privacy and data protection law expert at Baker & Hostetler. Understandable and misguided.

“A private citizen might think, ‘What information do I have on my computer that would interest a hacker?” she says. “OK, but what if a criminal deleted your entire email account?

Data Terrorism

Destruction of a Gmail archive—replete with receipts, frequent flier numbers, bank accounts, credit card numbers, financial records, or last messages from deceased loved ones, along with other private information such as date of birth, phone numbers, and social media passwords—could be devastating.

McLellan warns about the increasing incidence of so-called “data terrorism,” enabled in part by the growing centralization of critical information.

“Data is easily the most valuable commodity on earth. For many companies, it’s worth far more than cash. And the black market for personal data outstripped everything—including the illegal drug trade—years ago,” McLellan says. “Hackers are nothing new, but we’ve never seen this level of aggregation of valuable information by so many entities around the world.”

It’s hard to overstate the impact of the 2014 Sony incident, which proved hackers could not only embarrass a company but derail a major product release.

“I can imagine the hacktivist community targeting a particular company, gaining access to that company’s internal emails, and publishing potentially damaging material in an attempt to stop, say, the launch of a pharmaceutical product,” McLellan says.

What Can You Do Against Cyber Threats?

So what can companies—and individuals—do?

It begins with a broader assessment of what sensitive data is critical, says Hadas Weisman, an intellectual property lawyer with her own practice.

“[Valuable data] can vary tremendously from one business to another,” she says. “Obviously, if there is some secret sauce, you start there and try to identify additional tiers of sensitive information.”

Tax returns or R&D documents might deserve the highest level of security. Perhaps you encrypt them. Maybe you don’t even store them on your computer. The worst time to decide what’s important—be it old family photos or chatty emails from executives—is after criminals have stolen the data.

Get Experienced Legal Help

If you or your business has been the victim of a cybercrime, or you are working to shore up vulnerabilities to prevent a security breach in the future, consider speaking with an attorney in the technology transactions, data security, and cybersecurity space.

For more information on this area of law, see our overview of technology transactions law and related content.