John Floyd and Kamal Ghali Author Article on Using RICO in Corporate Data Breaches
How Corporate Data Breach Victims Can Use the Georgia RICO Statute to Recover Their Data
In Georgia, corporate victims of such flagrant and repeated criminal conduct should consider using the Georgia RICO Act’s broad civil remedy provisions to help reacquire lost or stolen data.
As some of the biggest companies in the U.S. have learned firsthand, corporate data breach victims often find themselves scrambling to recover their data after a malicious cyberattack. Whether it comes to the theft of trade secrets, proprietary source codes, detailed manufacturing processes or even embarrassing emails, companies often have a limited range of options for actually getting their stolen data back. One powerful—but often overlooked—vehicle for potentially recovering stolen data is the Georgia Racketeer and Influenced Corrupt Organizations Act’s unusually robust civil remedy provision.
Consider, for example, an all too familiar set of scenarios involving malicious insiders: An employee downloads troves of data before leaving the company; a current employee remotely conducts late-night downloads of valuable company information for no obvious work-related reason; or a disgruntled insider threatens to disclose sensitive data unless his settlement demands are met. By the time the company finds out, the insider may have already transmitted the data to third parties. To make matters worse, such insiders may be storing company data in personal laptops, various storage drives, email accounts, cloud-based servers, and other places beyond the immediate reach of the company.
This misconduct rarely involves just one unlawful act by an employee. Such thefts tend to involve sophisticated planning over a period of time. The conduct is often the culmination of a series of related unlawful acts, including improperly accessing computer networks, examining personal identifying information without authority, exfiltrating data out of a computer network and extorting the company by threatening disclosure. Such thefts almost certainly violate a host of state and federal criminal statutes, including federal prohibitions on mail and wire fraud, computer fraud and abuse and Georgia’s sweeping theft by taking statute, which prohibits the unlawful taking of “anything of value,” including intangible property.
In Georgia, corporate victims of such flagrant and repeated criminal conduct should consider using the Georgia RICO Act’s broad civil remedy provisions to help reacquire lost or stolen data. Georgia RICO bars individuals from acquiring or maintaining an interest in any personal property through a pattern of racketeering activity.
Notably, Georgia’s RICO statute, like that of several states, authorizes judges to issue a broad array of “appropriate orders and judgments” to enjoin violations of the statute. Where a company has identified a specific employee in possession of stolen data, a court could direct the employee to immediately surrender all stolen data and appoint a receiver or master to review certain email and online storage accounts for the purpose of retrieving any stolen data. Depending on the facts, the court might direct the defendant to identify logins, passwords, and any other accounts capable of storing data. Assuming the company could make an appropriate evidentiary showing, it could request a civil seizure order authorizing a law enforcement agency to conduct a narrow and targeted seizure for the purpose of reacquiring stolen data.
Georgia RICO also creates the possibility of obtaining injunctive relief against third parties in possession of a company’s stolen data. After all, individuals or entities that “receive” stolen property or retain it after they know (or should know) that the property was stolen may be acting in violation of Georgia’s broad “theft by receiving stolen property” statute. A thoughtfully crafted injunction might direct third parties in possession of such data to destroy or return the stolen information.
While corporate victims will consider using other statutes, such as federal and state laws banning trade secret theft, to try to get their property back, a state RICO statute may be more effective. Indeed, most definitions of a protected “trade secret” require a plaintiff to show it took reasonable measures to maintain the secret, and companies may have difficulty making that showing. In such cases, statutes authorizing injunctive relief for theft of trade secrets may come up short. On the other hand, a lack of diligence on the part of a corporate victim is not a defense to the criminal offense of theft or to a suit for injunctive relief under Georgia RICO.
Too many organizations are unprepared for the disruption that malicious insiders can cause.When it comes to addressing cyber threats by insiders, companies should ensure that their outside counsel have a range of plans in place to claw back stolen data. Where companies have learned about an ongoing theft in time to fight back, Georgia’s RICO statute is a potential vehicle for containing the fallout from a malicious insider attack.
Kamal Ghali is a former deputy chief of the cyber and intellectual property crime section at the U.S. attorney’s office in Atlanta and leads the cybersecurity and privacy practice at Bondurant, Mixson & Elmore.
John E. Floyd is a partner at Bondurant, Mixson & Elmore and the author of “RICO State By State: A Guide to Litigation Under the State Racketeering Statutes” (American Bar Association, Section of Antitrust Law 2011 and 1998).