The recent payment card data breach at Home Depot, a rise in hacking by current and former employees, and fears about the theft of business trade secrets sparked a number of warnings, inquiries, and legislative actions in September, all designed to thwart cyber threats from within and outside of U.S. companies.
The FBI and Department of Homeland Security issued a public service announcement warning U.S. businesses of the significant cyber threat posed by disgruntled and former employees due to their authorized access to sensitive information.
“The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the agencies said in their statement.
A review of recent FBI cyber investigations found that victim businesses incur costs ranging from $5,000 to $3 million per incident. The announcement makes 10 recommendations for reducing the risk of cyber threats, including:
- Conducting a regular review of employee access
- Terminating any account that individuals do not need to perform their daily job responsibilities
- Terminating all accounts associated with an employee or contractor immediately upon dismissal
- Changing administrative passwords to servers and networks following the release of IT personnel
A day earlier, several lawmakers urged the Federal Trade Commission (FTC) to investigate Home Depot in the wake of the company's disclosure that it suffered a data security breach affecting customer payment information. In a letter to the FTC, they called on the agency to look into whether Home Depot's data security procedures meet a “reasonable standard” and requested details about unauthorized access to Apple's cloud database that stores sensitive information on iPhone users. At the same time, Senate Commerce, Science, and Transportation Committee Chairman John Rockefeller (D-WV) announced plans for a committee staff investigation into the matter.
In addition, a trade association representing community banks issued a statement insisting that entities across the payments system, including merchants, be subject to the kind of data security standards imposed on financial institutions under the Gramm-Leach-Bliley Act and that legislation ensure that the costs of breaches are ultimately borne by the party at fault.
In an effort to combat trade secret theft, the House Judiciary Committee on September 17 reported a bill (H.R. 5233) to create a federal private right of action for misappropriation of a trade secret. It would allow a trade secret owner to seek injunctive relief and monetary damages, and it would allow a plaintiff to seek an ex parte order authorizing the seizure of any property that was used to help facilitate the commission of the misappropriation.
In the past few years Congress and the administration have made increased protection of American business trade secrets a priority. The Foreign and Economic Espionage Penalty Enhancement Act of 2012 increased from $500,000 to $5 million the maximum fine for individuals convicted under the Economic Espionage Act of 1996. In addition, the Theft of Trade Secrets Clarification Act of 2012 clarified that a defendant could be criminally liable for espionage if he or she stole information that is used internally by their employer, even if the information was not itself for sale.