To Catch an E-Thief — Under Federal Property Law

As businesses move away from paper documents, courts are poised to broaden ‘conversion’ definition.

BY NICK AKERMAN

The fundamental shift for busi­nesses in the past 15 years from paper documents to computer data has forced the courts to decide whether intan­gible electronic data should enjoy the same legal protections as physical property.

Because of this shift, it is important to review the judicial response to the electronic-data issue in the context of a feder­al criminal statute, the National Stolen Property Act (NSPA), and common law conversion.

The NSPA makes it a felony for one who “transports, transmits, or transfers in interstate or foreign commerce any goods, wares, mer­chandise … of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.”  Conversion is the state civil cause of action for the theft of property.

In 2013 , Yijia  Zhang, a computer- systems manager, was indicted for violating the NSPA, predicated on allegations that he stole 3,200 confidential data files belonging to his employer and transmitted them to Internet storage sites he maintained in Sweden and Germany.  In United States v. Zhang, the federal court in the Pennsylvania’s Eastern District granted Zhang’s motion to dismiss the NSPA charge on the ground that computer data is purely intangible property and that only tangible physical proper­ty is encompassed within the statute’s meaning of “goods,” “wares” or “merchandise.”

The court acknowledged that “goods,” “wares” or merchandise” are not defined in the statue and that “[i]t is an open question in the Third Circuit whether digital files can constitute goods, wares, or merchandise within the mean­ing of NSPA.”  Nonetheless, the court chose to follow precedent in the U.S. Court of Appeals in the First Circuit, United States v. Martin; in the Second Circuit, United States v. Aleynikov; in the Seventh Circuit, United States v. Stafford; and in the Tenth Circuit, United States v. Brown.  Those courts held that the NSPA only protects tangible physical proper­ty, not intangible computer data.

The recognized exception in these circuits is comput­er data connected to a physical object. For example, in United States v. Agrawal, the Second Circuit last year upheld the defendant’s conviction for violating the NSPA for stealing computer code by “printing the code onto thousands of sheets of paper, which he then physi­cally removed from [his employer’s] New York office to his New Jersey home.”

DICTIONARY MEANINGS

The circuit cases rejecting computer data from the ambit of the NSPA, other than the Second Circuit’s 2012 ruling in Aleynikov, were decided between 1991 and 2000 and relied upon law dat­ing back to 1959, prior to U.S. businesses shifting nearly all of their internal paper documents to electronic data.  In the Second Circuit case, Sergey Aleynikov, a computer programmer in The Goldman Sachs Group Inc.’s New York office, had been convict­ed under the NSPA for stealing Goldman’s confidential and pro­prietary high-frequency trading system.  Prior to resigning from Goldman, Aleynikov “up-load­ed to a server in Germany more than 500,000 lines of source code” from that trading system and subsequently took the source code with him to a meeting with a Goldman competitor.

Nowhere in Aleynikov or any of the other circuit opinions limit­ing “goods,” “wares” or “mer­chandise” to physical property, do any of the courts address the dictionary definition of these individual words and, in par­ticular, the word “goods,” which the Merriam-Webster Dictionary defines simply as “person­al property having intrinsic value.”  This omission is signifi­cant because the word “prop­erty” in turn has been interpret­ed by the U.S. Supreme Court in Carpenter v. United States in the mail and wire fraud statutes to include intangible as well as physical property.

Carpenter, handed down in 1987, upheld the conviction of a Wall Street Journal reporter who schemed with others to use pre­publication information from his regular column to trade in stocks, the prices of which were affected by the analyses in the published column. Although the Seventh Circuit’s 1998 decision in Stafford justified its restrictive definition of “goods” in the NSPA based, in part, on its enactment during the 1930s when computer data was nonexistent, Congress enacted the mail fraud statute some 60 years earlier in 1872.

Not all courts are technologi­cally tone deaf.  In 2007 the New York high court, the Court of Appeals, in Thyroff v. Nationwide Mutual Insurance Co., broadened the scope of conversion beyond physical property to include intangible computer data.  As the circuit courts have strained to find a connection to the physi­cal world in the NSPA, New York courts had previously adopted the “merger doctrine” requiring intangible property to “be united with a tangible object for conver­sion purposes.”  Conversion, for example, was a proper claim for the theft of intangible shares of company stock only because the shares were represented by a tan­gible stock certificate.

Thyroff abandoned the “merger doctrine” recognizing that “[a] document stored on a computer hard drive has the same value as a paper document kept in a file cabinet,” and that the law “must keep pace with the con­temporary realities of widespread computer use”—that “society’s reliance on computers and elec­tronic data is substantial, if not essential,” and “[c]omputers and digital information are ubiqui­tous and pervade all aspects of business, financial and personal communication activities.”

Although Thyroff is not universally accepted by all states, its underlying rationale is clearly the future.

California Privacy Laws Change: Identity Theft and Mitigation Services

Continuing the trend of changes in state breach notification and related laws, Cal. A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws in the wake of significant data breaches, particularly in the retail sector. (See “Changes in State Breach Notification Laws.”)

Cal. A.B. 1710 will become effective on January 1, 2015. State, federal, and foreign breach notification and related laws should continue to be monitored carefully regarding changes.

Breach Notification—Identity Theft Prevention and Mitigation Services

The primary change to California’s breach notification law is a first-of-its-kind requirement. Where a person or business was the source of a breach, the person or business providing breach notification must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to an affected individual for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed his or her first name or first initial and last name, together with any of the following data elements, where the name or the data elements are not encrypted:

  • SSN
  • Driver’s license number or California identification card number

By comparison, where Florida’s breach notification law requires a breach notification to its state regulator, such breach notification must include any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals and instructions as to how to use such services. Fla. Stat. § 501.171. Previously, offering to provide identity theft prevention and mitigation services in a breach notification has been a practice versus a legal requirement under state breach notification laws.

A potential consequence of this change is that identity theft prevention and mitigation services also could be offered to residents of other states where they are similarly impacted by the same breach. From a practical standpoint, a provider must first be engaged to provide identity theft prevention and mitigation services. Engagement of these providers, including costs, should be taken into account in breach preparation, including in incident response plans.

Security Procedures

California’s security procedures law expands its application by adding the definition of “maintain,” meaning personal information that a business maintains but does not own or license. Accordingly, a business that owns, licenses, or maintains personal information about a California resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Also, a business that discloses personal information about a California resident under a contract with a nonaffiliated third party that does not own, license, or maintain such personal information must require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Written information security programs, security procedures, and practices, and contractual provisions regarding security procedures and practices should be revisited in light of the expanded application of California’s security procedures law.

SSNs

California’s SSN law adds a prohibition on the sale, advertisement for sale, or offer to sell an individual’s SSN. However, this prohibition does not apply to the release of an individual’s SSN (1) if the release of the SSN is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose (but the release of an individual’s SSN for marketing purposes is prohibited) or (2) for a purpose specifically authorized or specifically allowed by federal or state law.

SSN policies and practices should be reviewed and updated regarding this additional prohibition.

This article was first published on IRMI.com and is reproduced with permission. Copyright 2014, International Risk Management Institute, Inc.