In our last column, my forensic analyst, Dylan Evans, detailed how his personal art laptop was stolen (and recovered the same day through some good investigative work). That incident caused me to meditate on the issues surrounding the valuation of stolen data, and how the law treats a physical theft of a digital device compared with a more traditional hacking breach.
In Dylan’s case, I thought it would be a clear-cut case of not only felony theft but computer crime. While the value of his laptop was only a few hundred dollars, the data for his illustration side-business — especially the contracts in progress — arguably brought the total value stolen well over the $1,000 cutoff between misdemeanor and felony theft.
Additionally, according to Section 18-2202 of the Idaho criminal code — the “computer crime” statute — “any person who knowingly and without authorization alters, damages, or destroys any computer ... or any computer software, program, documentation, or data contained in such computer,” commits a felony.
The thief created user accounts, uninstalled software and deleted data that would not have been recoverable without Dylan’s forensic background. The computer-crime case seemed like a slam dunk. Yet even after we repeatedly attempted to present this perspective to the prosecutor, the thief was charged only with misdemeanor theft. He subsequently failed to appear for his hearing.
It became clear to me that things were less cleanly cut in the eyes of the law.
What can this mean for small businesses? How many devices do you have — a laptop, a phone, a server — with data sitting on them? You’ve probably considered the implications of being hacked or suffering a “traditional” breach (as if such a thing existed). But what happens when your device is just taken? How do you establish the value of the stolen data?
I turned to Bradlee Frazer with Hawley Troxell, an expert on internet law.
“Data is a relatively new construct,” he says. “It doesn’t have a lot of precedence in the law because data is not real property, a copyright, a trademark, or a patent; data is data. The whole notion of data security, data breaches and identity theft — which inherently connote the loss of data — the law hasn’t caught up to yet, because there isn’t a box into which we put ‘data’ to describe it as intellectual property.”
Thus, the key is finding a way to attempt to fit the abstract definition of “data” into an existing intellectual-property construct, like trade secrets or copyrights. Even if your data doesn’t neatly fit, there are typical valuation models used in these “boxes” that can be potentially applied.
For example, if a soda company has its secret formula stolen by its biggest competitor, there are valuation models that can determine how much money the company will lose as a result. The same applies to a copyrighted work being misappropriated. And if the data has the potential to be independently monetized, that can be factored in. An example is potential earnings from a list of customers who have signed up for advertising.
A business owner needs to find out what sort of intellectual-property construct the data can fit into, what it will cost to replace or recreate, and whether it has the potential for independent monetization. These details need to be explicitly determined and documented before any theft occurs, because it is impossible to establish value after the device is in a thief’s hands.
Depending on the type of data, you may be able to obtain insurance on that data and declare it as an intangible asset in your accounting. Any steps in establishing a monetary value of the data beforehand are essential.
As a business owner, have you established the explicit value of the data on your devices? If not, you may not have any legal remedy available after the device is stolen.
In our next column, we will explore the implications of the various laws affecting hacking and how they might not apply to physical data theft, and whether something as seemingly simple as a stolen laptop could mandate the reporting of a data breach to your customers.
Neal Custer is president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. email@example.com. Written in collaboration with Dylan Evans, Reveal’s vice president of operations.