What’s in a Law?

The Economic Espionage Act of 1996 was established to protect U.S. trade secrets from theft by foreign bodies and to make the prosecution of such crimes easier. To date, it has done little to either end, with only 13 known cases being brought against individuals in U.S. courts, according to www.lawfareblog.com. The problem with prosecuting someone under the law is twofold: establishing the value of the supposed trade secret, and establishing the steps taken to protect it and keep it secret.

  • Value: Determining a trade secret’s intrinsic value to a company is hard to do.
  • Protection: Proving that the firm in possession of the trade secret or proprietary information took great measures to ensure the information remained in its sole possession is also hard to do.

Lawmakers are seeking to change that, first by establishing the Cybersecurity Act of 2012, which sets up the Department of Homeland Security as the regulating entity over businesses that are considered part of critical infrastructure. These businesses will have to comply with certain governmental standards. The problem with this bureaucratic approach, however, is that it puts the cost of compliance, and the monitoring of that compliance, on the affected entities. While this is not devastating for larger corporations that can absorb this cost, the small- and medium-sized companies that fall under the umbrella of this law will have a hard time complying.

Another approach being included in many security bill drafts is the imposition of penalties for data breaches, both for the companies found not to have the security to prevent attacks and for the individuals and entities who steal trade secrets. The problem with such an approach is that currently the fines put more of the burden on the firms that lose data ($5,000,000) than they do on individuals ($500,000), though the system does fine entities that partake in economic espionage at a much higher rate ($10,000,000).

A final alternative being considered is the issuance of liability protection to companies that voluntarily disclose any sort of cyber threat data to the intelligence community. While this might work by keeping the Federal Trade Commission (FTC) from prosecuting companies that are out of compliance with current requirements, it could still lead to reputational and market share loss.

None of these current proposals seems to enhance the ability of officials to investigate, much less stop, foreign economic espionage. Any efforts to bolster the protection of American company assets should include tougher investigative and prosecutorial abilities. In this way, America’s overall cyber security will be strengthened.

For more information about the Cybersecurity Act of 2012, visit: http://www.lawfareblog.com/2012/03/dan-geer-and-brock-dahl-on-problems-with-pending-cybersecurity-legislation/