On May 21, the Federal Bureau of Investigation’s (FBI’s) Cyber Division released an FBI Flash warning recipients that nation-state cyber actors are targeting domestic universities, research institutes and private companies conducting COVID-19 related research.1 This is not the first of such warnings. On May 13, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a public service announcement regarding the People’s Republic of China targeting COVID-19 research organizations. On May 5, the Department of Homeland Security, CISA and the United Kingdom’s National Cyber Security Centre issued a joint alert that advanced persistent threat groups are actively targeting organizations involved in both national and international COVID-19 responses, including health care bodies, pharmaceutical companies and medical research organizations.
The U.S. medical and pharmaceutical industries have long been targets of cyber espionage, but the current health crisis substantially raises the threat for a variety of reasons. The most obvious reason is the value of COVID-19 related research, whether related to a vaccine or otherwise. Last month, President Trump used the threat of such espionage to prohibit Chinese graduate students from attending U.S. research institutions.2 Less obvious is the risk that companies may let their guard down during these unprecedented times. Remote working conditions often create weak links in security, and time constraints may put security concerns on the backburner while more pressing matters take priority. The inability to properly train employees in a work-from-home environment also is a risk.
Companies may have proper security controls in place to protect their sensitive information under normal conditions, but those controls may not account for the current threat level. In the midst of COVID-19, the frequency and sophistication of threats are greater than usual. The types of protection that the current working environment requires may be different or higher than normal. The individuals responsible for implementing and overseeing the security controls may not be as vigilant as under normal conditions. All these factors may require companies to review their security protocols and ensure that they are adequately protected against the current threat level. In fact, we have recently published two articles alerting clients to the risk of heightened scams during the COVID-19 pandemic.3
On May 16, the Healthcare and Public Health Sector Coordinating Council released a white paper advising the health care industry of the risks of a security breach and recommending a framework for implementing proper security controls, including both passive and active measures. It recommends a comprehensive five-step process as follows:
-
continuously identify the sensitive information that requires protection
-
assign and periodically update the value and ownership of the sensitive information
-
establish comprehensive compliance requirements
-
terms of employment
-
physical security policy
-
acceptable use policy
-
awareness and training
-
security incident response and recovery procedures
-
supply chain and third-party oversight
-
physical security and HR processes
-
protect and take steps to close perceptible gaps
-
periodic review and sustain
A lapse in security can be the cause of a breach, but can also hinder the ability to recover in a civil action should a breach occur. Many courts will not protect trade secrets or sensitive information that were not adequately protected by their owners.4
More importantly, the ability to recover in a civil action is far from certain and comes with its own set of legal and practical challenges. Litigants need to overcome significant legal hurdles to recover their damages. In fact, the Supreme Court recently granted certiorari in Van Buren v. United States,5 where, as we explained in a recent article, we expect the Court may narrow the reach of the Computer Fraud and Abuse Act, an important tool used by government enforcement agencies and civil litigants to bring claims for stolen trade secrets and sensitive information.6
Practically, civil actions can be costly, open up the victim entity to discovery where sensitive information may be compromised, or motivate a defendant to bring counterclaims against the victim. Criminal referrals can be complicated too, as there is no guarantee of eventual prosecution, which may then serve as the basis for a malicious prosecution claim against the entity for referring the target to law enforcement.7
Endnotes
1 This FBI Flash was released as “TLP: Green” and therefore is not publicly available. Information marked as “TLP: Green” can only be shared with peers and partner organizations but not via publicly accessible channels.
2 See Teresa Watanabe, “Trump Bars Some Chinese Students: Universities Alarmed by Order, which U.S. Calls Security Measure,” L.A. Times, https://enewspaper.latimes.com/infinity/article_share.aspx?guid=e2af7d68-ccf5-49b2-b311-28fff64d9a07.
3 See Sharon R. Klein, et al., “U.S. and U.K. Agencies Warn of Increased COVID-19 Related Cyber Threats,” (Apr. 15, 2020), https://www.pepperlaw.com/publications/us-and-uk-agencies-warn-of-increased-covid-19-related-cyber-threats-2020-04-15/; Sharon R. Klein, et al., “Beware: Phishing Scams Prey on Coronavirus Fears,” (Mar. 18, 2020), https://www.pepperlaw.com/publications/beware-phishing-scams-prey-on-coronavirus-fears-2020-03-18/.
4 See, e.g., Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279, 1300 (11th Cir. 2018) (rejecting trade secret claim for the owner’s failure to “employ[] reasonable efforts to secure the information”); N. Highland Inc. v. Jefferson Mach. & Tool Inc., 898 N.W.2d 741, 762 (Wis. 2017) (holding that trade secrets must be subject to reasonable efforts under the circumstances to protect their secrecy); Powercorp Alaska, LLC v. Alaska Energy Auth., 290 P.3d 1173, 1187 (Ala. 2012) (same).
5 940 F.3d 1192 (11th Cir. 2019), cert. granted, No. 19-783 (U.S. Apr. 20, 2020) (order granting certiorari available at https://www.supremecourt.gov/orders/courtorders/042020zor_dc8f.pdf).
6 See, e.g., Teva Pharm. USA, Inc. v. Sandhu, 2018 WL 617991 (Jan. 30, 2018) (holding that a former executive could not be liable under the Computer Fraud and Abuse Act [CFAA] for conduct that occurred while she had authorized access to computers from which she misappropriated trade secrets but that CFAA claims could be brought against the recipients of those trade secrets under an “indirect access” theory, and that Defend Trade Secrets Act [DTSA] claims could be brought on the basis of activity that began before the enactment of the DTSA but continued to occur after its passage).
7 See, e.g., Hasie v. Compass Bank, 2014 Tex. App. LEXIS 11589, at *4 (Tex. Ct. App. Oct. 21, 2014) (“The cornerstone of Appellants’ tort claims is that Appellees maliciously caused [their] prosecution by submitting a criminal referral to federal law enforcement authorities . . . .”).
