Monday, February 24, 2014

The problem with a Cyber-Posse


By some estimates, some data on one out of every two Americans has now been breached. So what can you do about it? Can you - as an individual or even as a corporation - go after those that may have compromised your data? If you are hacked, should you not be able to hack back against those who have stolen things from you?
Not so fast.
One of the more interesting discussions on the first day of the RSA Security Conference was: Does the law allow you to be the Cyber-Posse going after those that have compromised your systems and stolen your data?
The answer might actually surprise you. As a matter of fact, the law does not allow you to become a cyber vigilante. In the USA, you are expressly forbidden from doing just that. Section 18 USC 1030 (a) specifically prohibits this kind of activity.
When it comes to cyber exploitation, there is no room for affirmative defense in the law.
If, after determining who has stolen your data, you decide to go after those criminals - perhaps simply to recover or delete your own data from their systems - you may still be on shaky legal ground. If you were in Europe, you would hardly be better off. They too limit this kind of activity.
So there is a conundrum.
If someone stole property from your home you can go to the police. You may even have some rights to give chase if you apprehended someone in the act. If, on the other hand, someone stole your company's data, you don't have many choices. You cannot really go to the police (most local police are not equipped to deal with such a problem anyway) and in most instances you would realize the theft after the fact. And the law forbids you from hacking the hacker.
There is a convoluted logic to this law. What if you retaliated against someone who you thought had been the perpetrator? There is strong evidence that the hacking community takes great care to make sure that the overt signs, once discovered, suggest that someone else did it. If you accessed the systems of the wrong organization or person, thinking they were the ones who attacked and stole from you, you are now the perpetrator. Quite a mess and not one you can easily get out of.
And because you cannot easily chase down the hackers and do so within the law, the hacking community, which is aware of that, may be able to use the existing laws to shield itself from those it has compromised and who might want some retribution.
Don't hold your breath. No one is willing to take this on any time soon.
The only silver lining is that most prosecutors are turning a blind eye to someone who rides out on a Cyber-Posse. Prosecutors have other things to do and they are not too keen to be part of a headline which might read:
Prosecutor nails lady who tried to delete her own stolen data from the hacker's systems!