How Corporate Data Breach Victims Can Use the Georgia RICO Statute to Recover Their Data
In Georgia, corporate victims of such flagrant and repeated criminal conduct should consider using the Georgia RICO Act's broad civil remedy provisions to help reacquire lost or stolen data.
May 31, 2019 at 11:16 AM
5 minute read
As some of the biggest companies in the U.S. have learned firsthand, corporate data breach victims often find themselves scrambling to recover their data after a malicious cyberattack. Whether it comes to the theft of trade secrets, proprietary source codes, detailed manufacturing processes or even embarrassing emails, companies often have a limited range of options for actually getting their stolen data back. One powerful—but often overlooked—vehicle for potentially recovering stolen data is the Georgia Racketeer and Influenced Corrupt Organizations Act's unusually robust civil remedy provision.
Consider, for example, an all too familiar set of scenarios involving malicious insiders: An employee downloads troves of data before leaving the company; a current employee remotely conducts late-night downloads of valuable company information for no obvious work-related reason; or a disgruntled insider threatens to disclose sensitive data unless his settlement demands are met. By the time the company finds out, the insider may have already transmitted the data to third parties. To make matters worse, such insiders may be storing company data in personal laptops, various storage drives, email accounts, cloud-based servers, and other places beyond the immediate reach of the company.
This misconduct rarely involves just one unlawful act by an employee. Such thefts tend to involve sophisticated planning over a period of time. The conduct is often the culmination of a series of related unlawful acts, including improperly accessing computer networks, examining personal identifying information without authority, exfiltrating data out of a computer network and extorting the company by threatening disclosure. Such thefts almost certainly violate a host of state and federal criminal statutes, including federal prohibitions on mail and wire fraud, computer fraud and abuse and Georgia's sweeping theft by taking statute, which prohibits the unlawful taking of “anything of value,” including intangible property.
In Georgia, corporate victims of such flagrant and repeated criminal conduct should consider using the Georgia RICO Act's broad civil remedy provisions to help reacquire lost or stolen data. Georgia RICO bars individuals from acquiring or maintaining an interest in any personal property through a pattern of racketeering activity.
Notably, Georgia's RICO statute, like that of several states, authorizes judges to issue a broad array of “appropriate orders and judgments” to enjoin violations of the statute. Where a company has identified a specific employee in possession of stolen data, a court could direct the employee to immediately surrender all stolen data and appoint a receiver or master to review certain email and online storage accounts for the purpose of retrieving any stolen data. Depending on the facts, the court might direct the defendant to identify logins, passwords, and any other accounts capable of storing data. Assuming the company could make an appropriate evidentiary showing, it could request a civil seizure order authorizing a law enforcement agency to conduct a narrow and targeted seizure for the purpose of reacquiring stolen data.
Georgia RICO also creates the possibility of obtaining injunctive relief against third parties in possession of a company's stolen data. After all, individuals or entities that “receive” stolen property or retain it after they know (or should know) that the property was stolen may be acting in violation of Georgia's broad “theft by receiving stolen property” statute. A thoughtfully crafted injunction might direct third parties in possession of such data to destroy or return the stolen information.
While corporate victims will consider using other statutes, such as federal and state laws banning trade secret theft, to try to get their property back, a state RICO statute may be more effective. Indeed, most definitions of a protected “trade secret” require a plaintiff to show it took reasonable measures to maintain the secret, and companies may have difficulty making that showing. In such cases, statutes authorizing injunctive relief for theft of trade secrets may come up short. On the other hand, a lack of diligence on the part of a corporate victim is not a defense to the criminal offense of theft or to a suit for injunctive relief under Georgia RICO.
Too many organizations are unprepared for the disruption that malicious insiders can cause. When it comes to addressing cyber threats by insiders, companies should ensure that their outside counsel have a range of plans in place to claw back stolen data. Where companies have learned about an ongoing theft in time to fight back, Georgia's RICO statute is a potential vehicle for containing the fallout from a malicious insider attack.
Kamal Ghali is a former deputy chief of the cyber and intellectual property crime section at the U.S. attorney's office in Atlanta and leads the cybersecurity and privacy practice at Bondurant, Mixson & Elmore.
John E. Floyd is a partner at Bondurant, Mixson & Elmore and the author of “RICO State By State: A Guide to Litigation Under the State Racketeering Statutes” (American Bar Association, Section of Antitrust Law 2011 and 1998).
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWho Got the Work: 16 Lawyers Appointed to BioLab Class Action Litigation
4 minute read'Possible Harm'?: Winston & Strawn Will Appeal Unfavorable Ruling in NASCAR Antitrust Lawsuit
3 minute readTrending Stories
- 1Where Do Web-Tracking Class Actions Belong? 8th Circuit Weighs the Issue
- 2While Data Breaches May Lead to Years of Legal Battles, Cyberattacks Can be Prevented
- 3The Definition of Special Employment
- 4People in the News—Nov. 21, 2024—Willig Williams, Hangley Aronchick
- 5Rawle & Henderson Hires New Del. Managing Partner
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250