Data Theft

Fundamentals of Criminal Law by Adam J. McKee

Data theft is a form of cybercrime where unauthorized individuals or entities access, steal, or misuse sensitive data. This data can range from personal information, like credit card details and social security numbers, to corporate secrets or government intelligence. With the increasing digitization of personal and commercial activities, data has become a valuable commodity, and its theft can result in severe consequences for individuals, businesses, and institutions. While the act of stealing data may be virtual, its impact can be as destructive as any physical theft, leading to financial loss, identity theft, corporate espionage, and compromised national security.

In criminal law, data theft can be prosecuted under various statutes, depending on the nature of the crime and the type of data involved. To convict someone of data theft, the prosecution must prove the traditional elements of a crime: actus reus (the criminal act) and mens rea (the criminal intent). Actus reus in the case of data theft typically involves unauthorized access to and copying or exfiltration of data, while mens rea focuses on proving that the theft was intentional and carried out with a specific purpose, such as financial gain, espionage, or harm to the victim.

Federal Statutes Governing Data Theft

Several federal laws address the issue of data theft, reflecting the serious nature of this crime in the digital age. Chief among these statutes is the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030), which criminalizes unauthorized access to computer systems and the subsequent theft of data. Under the CFAA, it is illegal to “intentionally access a computer without authorization or exceed authorized access” and obtain information from any protected computer, which broadly includes any system used in interstate or foreign commerce.

The Economic Espionage Act (EEA) (18 U.S.C. §§ 1831-1832) is another critical piece of legislation that targets the theft of trade secrets and proprietary information. While the CFAA broadly applies to many types of data theft, the EEA focuses specifically on the theft of trade secrets for economic advantage or to benefit foreign entities. This law criminalizes both the theft of trade secrets and the transmission of those secrets to competitors or foreign governments.

In addition to the CFAA and the EEA, the Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028) is used to prosecute cases where personal identifying information is stolen and used to commit fraud or other crimes. This law addresses situations where data theft leads to identity theft, a crime that can have lasting repercussions on victims’ finances and reputations.

Types of Data Theft

Data theft can take several forms, depending on the nature of the information targeted and the methods used by the perpetrators. Common forms of data theft include personal data theft, corporate espionage, and intellectual property theft.

Personal Data Theft involves stealing information such as credit card numbers, social security numbers, passwords, and other personal identifiers. This type of data is often targeted by cybercriminals to commit identity theft, where they assume another person’s identity to carry out financial fraud or other illegal activities. Personal data theft is frequently accomplished through methods such as phishing, hacking, or exploiting security vulnerabilities in databases that store sensitive information.

Corporate Espionage refers to the theft of proprietary business information, including trade secrets, customer lists, marketing strategies, and product designs. Competitors may engage in corporate espionage to gain a competitive edge by unlawfully acquiring another company’s intellectual property or confidential data. This form of data theft is particularly concerning for companies that rely on their proprietary technologies and innovations to maintain their market position.

Intellectual Property Theft is closely related to corporate espionage but focuses specifically on the theft of creations protected by copyright, patent, or trademark laws. Intellectual property theft can involve the illegal copying of software, music, films, or technology designs. This type of theft is often prosecuted under laws like the Digital Millennium Copyright Act (DMCA), which protects against the unauthorized reproduction and distribution of copyrighted works.

Actus Reus and Mens Rea in Data Theft

In cases of data theft, the actus reus typically involves gaining unauthorized access to a computer or network, and then stealing or copying data without the owner’s consent. For example, if a hacker bypasses security protocols to download customer data from a corporate server, their act of unauthorized access and copying the data constitutes the actus reus of data theft. Importantly, the theft itself does not always require physical removal of the data, as in traditional theft. In most cases, copying or exfiltrating the data is sufficient to fulfill the criminal act requirement.

Mens rea, or the intent behind the crime, is also a crucial element in data theft cases. Prosecutors must demonstrate that the defendant acted intentionally, knowingly, or willfully in accessing and stealing the data. In some cases, intent to profit from the stolen data, to harm the victim, or to provide the data to a competitor can establish the requisite mens rea. For example, in corporate espionage cases, the offender’s intent to provide the stolen data to a rival company for financial gain often serves as key evidence of criminal intent.

Corporate Espionage and the Economic Espionage Act

The Economic Espionage Act (EEA) plays a critical role in prosecuting cases of corporate espionage, where data theft is carried out for the purpose of stealing trade secrets. Trade secrets can include any information, formula, or process that provides a company with a competitive edge. The EEA criminalizes both the theft of trade secrets for commercial gain and the transmission of those secrets to foreign governments or entities.

In United States v. Aleynikov (2012), Sergey Aleynikov, a former Goldman Sachs employee, was prosecuted under the EEA for stealing the source code for the company’s proprietary high-frequency trading system. Aleynikov uploaded portions of the code to an external server with the intention of using it to benefit a new employer. Although his initial conviction under the EEA was overturned due to technical interpretations of the law, this case highlighted the challenges of prosecuting data theft under trade secret laws, particularly in the highly competitive world of corporate finance and technology.

The mens rea in cases prosecuted under the EEA typically requires proof that the defendant intended to benefit economically from the theft of trade secrets, either personally or for another company. In Aleynikov’s case, the intent to take the code to a competitor was sufficient to satisfy this requirement, even though the specific application of the EEA was debated in court.

Data Breaches and Large-Scale Data Theft

Data theft is not limited to individual acts of hacking or corporate espionage. Large-scale data breaches have become increasingly common, affecting millions of individuals and compromising vast amounts of sensitive information. These breaches often result from vulnerabilities in a company’s security systems, allowing hackers to gain unauthorized access to databases containing personal, financial, or corporate data. Once this data is stolen, it is often sold on the black market or used to commit further crimes, such as identity theft or financial fraud.

A notorious example of large-scale data theft is the 2017 Equifax Data Breach, in which hackers stole the personal information of 147 million Americans, including social security numbers, birth dates, and addresses. The breach occurred due to a vulnerability in Equifax’s web application framework, which the company failed to patch in a timely manner. The Equifax case led to widespread outrage and numerous lawsuits, including enforcement actions under the CFAA and identity theft laws. Equifax eventually agreed to a settlement of up to $700 million to compensate victims, highlighting the significant financial and legal consequences of data breaches.

In such cases, the actus reus often involves exploiting security flaws to access a company’s data, while the mens rea centers on the hacker’s intent to steal and misuse the information. The Equifax breach also underscores the importance of cybersecurity measures, as companies that fail to protect their data can face severe legal and financial repercussions.

Identity Theft and Assumption Deterrence Act

Data theft is frequently tied to identity theft, where stolen personal information is used to commit fraud. The Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028) makes it a federal crime to knowingly transfer or use another person’s identifying information without lawful authority, with the intent to commit a crime. Identity theft can lead to financial fraud, credit card abuse, and even the creation of synthetic identities, where criminals combine real and fake information to create new identities used to defraud financial institutions.

An example of identity theft through data theft occurred in United States v. Abdelshafi (2011), where the defendant stole the personal information of Medicare beneficiaries to submit fraudulent claims. Abdelshafi accessed sensitive data, including social security numbers and medical information, which he used to generate millions of dollars in false claims. This case exemplifies how data theft can serve as the gateway to more extensive fraudulent schemes, especially when personal identifying information is involved.

The mens rea in identity theft cases typically focuses on the intent to commit fraud or other crimes using the stolen data. In Abdelshafi’s case, the court found that the defendant’s clear intention to profit from the stolen Medicare information satisfied the intent requirement under the Identity Theft and Assumption Deterrence Act.

Conclusion

Data theft represents a significant threat in the digital age, affecting individuals, businesses, and governments alike. Through statutes like the Computer Fraud and Abuse Act, the Economic Espionage Act, and the Identity Theft and Assumption Deterrence Act, both federal and state governments have established a robust legal framework to combat this growing problem. As technology continues to advance, and as data becomes an increasingly valuable commodity, the legal system must continue to adapt to address the evolving tactics used by cybercriminals. In prosecuting data theft, establishing the actus reus of unauthorized access and theft, along with the mens rea of intent to steal or misuse the data, remains key to securing convictions and protecting the integrity of digital information.


Key Terms

 


References and Further Reading

 

 

Modification History

File Created:  07/17/2018

Last Modified:  10/21/2024

[ Back | Content | Next]


This work is licensed under an Open Educational Resource-Quality Master Source (OER-QMS) License.

Open Education Resource--Quality Master Source License

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.