Legal Issues in Data Security

While almost everyone agrees that the law needs to protect the security of the data stored on remote servers, or even on your own servers, the ability of the law to do so can sometimes vary depending upon how the data is stored and who is accessing it.

Federal Laws

A few federal laws exist that attempt to prevent security breaches and criminalize them when they do happen. The most important of these in today's context is the Computer Fraud and Abuse Act of 1984 (CFAA), 18 U.S.C. § 1030 (2006). It has been updated slightly by the National Information Infrastructure Protection Act of 1996. This statute criminalizes, among other things, "knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . ." § 1030(a)(4). The CFAA defines a "protected computer" as one that is a government computer, financial institution computer, or a computer "which is used in or affecting interstate or foreign commerce or communication . . . ." §1030(e)(2)(B). As nearly every computer on the Internet is accessing servers in different states, this is not much of a limitation at all. Essentially, the CFAA criminalizes "black hat" hacking, breaking into a computer system with malice. It likely includes the creation of computer viruses as well. According to one judge in California, however, it does not include simply violating a service provider's Terms of Use or other similar contract.

There are few cases relating the CFAA to cloud computing. Much of the case law that would be relevant centers around what is a "thing of value." One case, United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), found that simply accessing tax records beyond the defendant's authorization was not a "thing of value." A similar result was reached in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504 (3d Cir. 2005).

Unfortunately, the CFAA has some major pitfalls. First, while it claims to reach outside the United States, realistically, the US's jurisdiction cannot reach outside its borders. This means that if data resides on a server outside the United States, it may not be protected by this law. Additionally, because the person storing data on the computers does not own those computers, it may be difficult for a person to get law enforcement agencies to investigate or prosecute a data theft if the service provider does not wish to pursue charges.

Still used occasionally in other computer crimes is the older wire fraud statute, 18 U.S.C. § 1343, but on its face it does not appear to cloud computing data theft. According to Maxim May of the SANS Institute, the Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-1839, is sometimes used to prosecute theft of trade secrets or other economically-valuable property.

Some industries, like banking, are required to inform federal regulators and, in some cases, consumers if information security is breached with regards to personal information that would allow one to access the bank account. See 12 C.F.R. pt. 208, app. D-2 (2006). This gives the businesses an incentive to secure data.

U.S. Capitol


State Laws

NC Senate

Almost all states now have laws stating that a company that stores data for a user must notify its users if security is breached. The laws vary widely in what consumers must be told and when. North Carolina's law, the Identity Theft Protection Act, was passed in 2005, which, among other things, requires businesses operating in North Carolina to inform consumers of a breach "without unreasonable delay[.]" It is limited mostly to financial information and information that would allow someone to access one's financial records like a Social Security Number. It does not, however, provide a cause of action if the company fails to do so. New York's law, on the other hand, does provide a cause of action.

California's law, Cal. Civ. Code § 1798.83, is one of the strongest in the country. In addition to similar notification-of-breach requirements like New York and North Carolina, it requires that a notice be posted on the Website of a company doing business in California that must be called, "Your Privacy Rights," and it must inform people of their rights to notification in the event of a breach.

These state laws are given a thorough treatment by Christopher Wolf, ed., Proskauer on Privacy: A Guide to Privacy and Data Security Law in the Information Age (2006).