Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under

In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”[1] More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology.[2] An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.[3]

There has been significant debate on whether the types of “self-help” measures that the ACDC expressly authorizes — sometimes referred to as “active defense” — are currently prohibited by the CFAA. While no court has yet ruled on the issue, several commentators (and the U.S. Department of Justice) have long argued that because the CFAA prohibits accessing computers without “authorization,” cyberattack victims expose themselves to criminal liability if they venture outside their network to unmask an attacker and disrupt, disable or destroy the attacker’s system.[4] The purpose of the ACDC is to reduce legal uncertainty by, in effect, providing a statutory safe harbor for victims of cyberattacks to “hack back” — under the right circumstances, and subject to limitations.

In addition to the legal question of whether active defense is currently barred by the CFAA, the desirability of active defense as a policy matter has also been debated. Advocates of the ACDC have argued that companies, no matter how sophisticated their preventive cyber defenses, continue to suffer major breaches, and that the number of cyberattacks far exceeds the government’s ability to identify and prosecute criminals. They argue that in a lopsided cyber battlefield, victims need additional tools to actively respond to ongoing attacks. In critics’ view, however, the bill will promote cyber-vigilantism by victims who are overeager to aggressively strike back at cyber intruders and thieves — thereby creating tit-for-tat patterns of retribution and a significant risk of collateral damage to innocent third-party computer systems.

While the legal and policy debates raised by the ACDC are important, they often overlook the fact that victims of hostile cyber activity may already be able to avail themselves of the judicial process to lawfully engage in the types of “active defense” measures that the ACDC would expressly authorize. Several such techniques of “active defense through litigation” are relatively well-established; others are untested. Because active defense through litigation necessarily involves the judicial process, moreover, it can be relatively time-consuming (particularly in comparison with the more immediate responsive measures contemplated by the ACDC). Although courts can provide certain forms of expedited relief in a matter of days or even less, this time frame may be prohibitive in some cases. Nevertheless, for victims of cyberattacks that are weighing an active response, it may be worth considering one or more of these options.

The most established and typical form of active defense through litigation is using third-party discovery to obtain information about the perpetrators of a cyber-intrusion and, potentially, establishing “attribution” of the culprit. In Liberty Media Holdings LLC v. Does 1-59, for example, hackers unlawfully accessed copyrighted materials on a company’s protected website.[5] The company brought suit against the unknown culprits — named “John Does” in the complaint — for violating the CFAA, the Electronic Communications Privacy Act and the Copyright Act.[6] It then provided the court with the internet protocol addresses of each defendant.[7] The court granted the company’s motion that it be allowed to serve subpoenas on the defendants’ internet service providers and cable providers to compel them to “produce all documents and/or information sufficient to identify the users of the IP addresses.”[8]
Continue Reading Litigation Options For Post-Cyberattack ‘Active Defense’