Targets Other than Target: Increasing Focus on Intellectual Property Theft via Cyber-Attacks
On November 30, 2013, Steve Bennett, Chief Executive of Symantec Corporation, a leading cyber security software provider, and advisor to President Obama on matters of internet security, issued a dire warning on the perils of cyber-attacks. Nineteen days later, news broke of what would become the most publicized commercial data breach in history, when Target Corporation issued a press release revealing that the credit and debit card information of as many as 40 million of its customers was compromised over three weeks during the holiday shopping season. Response to this event was overwhelming. As news of the data breach spread, Target faced tremendous pressure from both the government and private sector to completely overhaul its cybersecurity measures. Over the six months that followed, Target’s Chief Information Officer and its Chief Executive Officer resigned as the company scrambled to rebuild its reputation in the wake of the data breach, which contributed to a reported 46% decline in the company’s net income and 9% drop in share price. Although Target’s share prices have since recovered, the company’s travails linger as it continues to revamp both its cyber protections and its reputation.
Given this timeline, it appears at a glance that Mr. Bennett’s dire warning about the hazards of cyber-attacks was well-timed. Mr. Bennett, however, spoke not of the perils of theft of consumer credit information. His warning instead focused on rising threats to a far richer pool of resources. “What I’m most concerned about for the world,” Mr. Bennett said, “is the economic threat if intellectual property [‘IP’] is transferred from IP creators to countries with lower costs.”
IP describes a wide variety of property created by musicians, authors, artists, and inventors. Federal and state laws regarding IP were created to encourage the development of art, science, and information by granting certain property rights to all artists and inventors, allowing them to protect themselves from infringement of their IP, including the unauthorized use and misuse of their creations. For many companies, these IP protections are invaluable because IP forms the entire basis for their profitability. For two short examples, the secret formula for Coca-Cola and the algorithm underlying Google’s search engine are frequently cited as among the most valuable pieces of property (not just IP) in the world. If these pieces of IP were stolen or otherwise divulged, these two monolithic companies would face problems on a far greater scale than those faced by Target in the wake of its data breach. Given these potential catastrophes, Mr. Bennett actually understated the damages that could be caused by cyber-attacks targeting IP when he said that such attacks could “have a big negative impact on global economic growth.”
Concerns regarding cyber-attacks targeting IP are especially prevalent here in Michigan, which remains home to a large sector of the automotive industry. Manufacturers of automobiles (frequently referred to as “Original Equipment Manufacturers” or “OEMs”) and manufacturers of the component parts of those automobiles live and die by their IP rights underlying their products – and so do drivers and passengers of those automobiles. The manufacture and sale of automobiles and their component parts within the United States is heavily regulated by the National Highway Traffic Safety Administration, which promulgates the Federal Motor Vehicle Safety Standards (“FMVSS”), a rigorous set of regulations dictating safety standards for every part of a vehicle from windshield glass to seatbelts, door locks to trunk lids. For example, the FMVSS regarding seatbelts (found in the Code of Federal Regulations from 49 C.F.R. 571.209-210) contain detailed requirements for the webbing, buckle, tongue, and other components of the seatbelts to be used in every vehicle manufactured or sold in the U.S. For webbing alone, FMVSS 209 dictates strict requirements for width, breaking strength, elongation, and resistance to abrasion, light, and micro-organisms. The FMVSS also dictate the tests that each component part of a vehicle must pass. These safety standards are necessary to ensure that each vehicle on the road provides the greatest possible protection for drivers and passengers.
OEMs and their component part suppliers have spent billions of dollars in research and development to design, manufacture and test vehicles and parts that comply with the FMVSS. These companies rely on all available IP protections afforded by law in order to ensure not only their own financial viability, but also to ensure that the parts used in vehicles on the roadways are the safest possible. OEMs and component part suppliers face the constant threat that the IP underlying their products will be compromised, allowing other entities to begin manufacturing knockoff parts that are not subjected to the rigorous scrutiny and testing procedures required by the FMVSS. By helping to ensure that other companies and entities do not steal the IP developed by OEMs and component part manufacturers, IP regulations not only protect billions of dollars, they also protect lives.
In recent years, as heralded by Mr. Bennett, cyber-attacks have threatened the value of this IP. On May 19, 2014, the U.S. Department of Justice indicted five Chinese military officials for cyber-attacks targeting IP interests of six large U.S. companies including Alcoa and Allegheny Technologies, Inc., manufacturers of products in the automotive, defense, and aerospace industries.
In the wake of these indictments, on May 22, 2014, Michigan Senator Carl Levin introduced the bipartisan Deter Cyber Theft Act (“DCTA”). According to Senator Levin’s remarks in introducing the bill, the DCTA “would authorize the President to direct the Treasury Department to freeze the assets of any foreign person or company, including a state owned enterprise, determined to have benefitted from the theft of U.S. technology or proprietary information stolen in cyberspace.”
The proposed DCTA and other measures like it are steps in the right direction toward recognizing the importance of protecting invaluable IP from cyber-attacks. These regulations, however, being remedial in nature, do not address the cause of the problem: a lack of focus on protections aimed at preventing the theft of IP via cyber-attacks in the first place. While well-publicized events like the Target data breach are helpful reminders to retailers to modernize their card swiping systems so that they incorporate more anti-hacking protections, we cannot lose focus on the potential for far more disastrous results from cyber-attacks. We would be wise to heed Mr. Bennett’s warning and remember that Target is not the only target.