Responding to Insider Data Theft
Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier's Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the legal remedies - both civil and criminal - that are available to recover stolen data and compensate for its loss. Nearly 100 participants joined us for this webinar.
For those who missed the webinar, some of the key takeaways include the following:
- Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company's finances and future. They target customer data, intellectual property, future business plans and embarrassing skeletons.
- Insiders are not hackers and traditional technology based barriers to outside hackers don't stop them because the insider is entitled to be in the network and have authorized access to the data.
- Detecting insiders is an ongoing exercise of analyzing the data of nominally equivalent employees and identifying anomalous conduct.
- Deterring insiders through social engineering is easier and more productive than trying to identify an attacker after the fact. Where employees are aware that indicators of insider attacks are being watched, there is less likelihood that attacks will occur.
- The Computer Fraud and Abuse Act (CFAA), which is the most commonly employed federal statute to redress insider attacks, has inconsistent interpretations throughout the federal courts, and its effectiveness varies. State computer abuse, trade secrets, and breach of fiduciary duty law continues to provide suitable remedies, both civil and criminal.
- Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
For a recording of the webinar, click here.
The next webinar -- the fourth in our Mintz Levin Privacy Series -- EU Data Protection for US Companies, will discuss the issues faced by US companies who do business in Europe or simply interact with European customers. We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply. We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016. The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.
Sign up here to attend.