BreachExchange mailing list archives

What to do when you are the victim of data theft


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Jun 2014 18:27:53 -0600

http://www.lexology.com/library/detail.aspx?g=251598a9-ebe3-4e4d-a2e0-b157d515843c

How Data Theft Occurs

In today’s digital world, the theft, copying or destruction of your
databases, customer lists or trade secrets is often as simple as pushing a
button.  We see this often when competitors hack into databases or use
third parties posing as customers to exceed their limited license to access
a business’s database.  We see data theft occur much more often, however,
when an employee runs a business which competes with his/her current
employer or copies files, customer lists or whole databases in anticipation
of leaving and starting a rival business.  Fortunately for an employer,
there are many remedies available to businesses under such circumstances.
In light of the ease of duplication of digital material, it is impractical
to seek the return of stolen data.  Instead, most causes of action will
focus on preventing use of the data and seek damages that have resulted
from the theft.

Thinking Ahead of the Hackers

One of the best ways to address data theft is to take appropriate steps in
advance.  If employees, vendors or third parties have access to proprietary
databases, customer lists or trade secrets as part of their working
relationship with you, it is critical that you have each associated person
sign a comprehensive confidentiality/non-disclosure agreement.  Such
agreements should specify the types of data that they can/cannot lawfully
access, the specific rules relating to maintaining confidentiality of the
data and specific remedies, including injunctive relief and damages,
available to your business in the event of the breach of such agreements,
including data theft.  The agreements must also detail prohibitions on
post-employment use of such data.  Such agreements not only provide a bit
of a deterrent effect, they also make obtaining injunctive relief from a
court much simpler and cheaper to accomplish.

What To Do In the Event of a Data Theft

Once you learn of a theft of your database(s), customer list(s) or trade
secret(s), it is critical that you take appropriate steps immediately.
First, because data theft often involves a breach of trust by a current or
recent employee or someone else with whom you work closely, it is easy to
react emotionally.  Do not overreact, call or threaten the person suspected
of misappropriation. The steps you take will have consequences.

Second, contact an attorney experienced in this area of law.  If you have
sufficient information indicating an actual theft or breach, your attorney
should immediately prepare and send a well-worded cease and desist letter,
demanding that the unlawful conduct stop and detailing the laws and/or
agreements violated.  Often this will be followed by the application for a
temporary restraining order (“TRO”), wherein, if granted, the court
prohibits the party who engaged in the alleged data theft from using the
data until the court can hold a hearing to decide whether to grant a
preliminary injunction, which would stay in place throughout the underlying
trial.  Time is of the essence when seeking a TRO, and providing the court
with as much evidentiary detail as possible to support your claims of data
theft is critical.

In addition to the injunctive relief detailed above, there are many causes
of action available for you to pursue in order to obtain damages from the
offending party including unfair competition, misappropriation of trade
secrets, breach of confidentiality/non-disclosure agreements and unjust
enrichment.  Depending on the nature of the data theft, whether access was
authorized at the time of occurrence, and the existence of damages and
losses, you will likely have a cause of action under the Computer Fraud and
Abuse Act (“CFAA”), as well.  Note that the CFAA carries both civil and
criminal remedies.

Third, conduct a detailed investigation.  Was your database hacked or was
the data stolen by a current or former employee or vendor?  Does a former
employee/vendor still have remote password access to your computer systems?
What databases, customer lists or trade secrets were affected, to what
degree and over what period of time?  Collect and preserve this
information, which will be critical at every step of your efforts to stop
the misappropriation and use of your data, and will be a key element in
proving damages in a court of law.

This topic should be of interest to any company or individual engaged in a
commercial venture within the United States, especially those involved in
the online marketing, data collection and/or consumer product industries.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 