U.S. companies' vulnerability to data security incidents through computer hacking has garnered unprecedented public awareness in the last 12 months. Given our increasing volume of user data generated in business and its significant value, hacking will remain a common feature in the data landscape. In one respect, the most sophisticated hack is no different than the first stagecoach robbery: A crime has occurred.

Both the Computer Fraud and Abuse Act and Stored Communications Act contain criminal penalties for certain violations (see 18 U.S.C. §§ 1030 & 2701, respectively) and, depending on the particular data taken from the victim, other federal statutes may be implicated as well. Therefore, in the rush to respond to the hack, the victim needs to assess whether the involvement of law enforcement is appropriate.


Justin Daniels, Baker Donelson, Atlanta.

In our experience, we often see hacking victims hesitant to involve law enforcement. They fear law enforcement snooping around the company will soon lead to a knock on the door of a government regulator. This concern can start to outweigh the very real need to collect evidence, potentially find the perpetrator or determine if the attack is connected to other attacks or threat indicators that law enforcement is monitoring. What does a careful thought process look like to determine when and whether to involve the government?