
Data Breach Information Retention & Statute of Limitations


Jimdigriz

Member
Were a person to possess contents of a massive governmental (state level) data breach including state personnel and other individuals' personal information, among other things, if they had retained information for the state's statute of limitations for Felonies (5 Years) and/or its statute for Misdemeanors (2 years) (for states that have weak cyber crime laws), would said person be able to confidently and publicly leak that information without fear of prosecution? Most laws I know of in this particular field relate to possessing and/or using, accessing, etc. network information and user credentials. If all of them by the date of release were to have changed one would presume that no other law could call it a crime to release that information. I understand this is semi-vague and rather broad, so an answer likewise is more than okay!

Thanks in advance!
 


quincy

Senior Member
What is the name of your state or, if not in the US, what is the name of your country?
 

Taxing Matters

Overtaxed Member
A lot depends on the details of how the person came into possession of the data, what data it is, and which state's law applies. It also matters what the details are relating to the proposed release of the data that was taken. It may be that the release or threatened release might violate federal law if this is in the U.S. In that case, the SOL would begin to run when the release or threat was made. The applicable state law might have laws that prohibit the release as well.

And, of course, the state and/or the individuals whose data is released may well have good civil claims to make for the release of their information.
 

quincy

Senior Member
The country matters as does the name of the state if in the US. It would be nice to have this information. :)

While waiting for Jimdigriz's return, here is a link to the National Conference of State Legislatures with state 2018 security breach legislation (and statutes):
http://www.ncsl.org/research/telecommunications-and-information-technology/2018-security-breach-legislation.aspx

Some states have introduced bills this year that would extend the statutes of limitations for data breach crimes and increase civil penalties.

Many of those responsible for hacking into major databases (e.g., JP Morgan, TJX Co., Heartland) have been identified, indicted on federal charges and sentenced to many, many years in prison.
 

quincy

Senior Member
If he is one who possesses this data, his best action is to destroy what was accessed illegally. :)
 

Jimdigriz

Member
The country is the US and it's important to keep the name of the State anonymous for the moment. The nature of the supposed data is that it exposes a state's networking infrastructure as weak at the time. The individual who was or is in possession attempted to alert the state to the breach at that time and even proposed an NDA be imposed on his/herself but that the data breach should be known as it revealed gross negligence by the state while also revealing numerous state employees' and denizens' sensitive personal info. After these attempts were made the state's response (whether the destruction action was related or not, it would be difficult to prove) took physical destructive actions vs the location where the breach supposedly occurred, removing network equipment and even destroying buildings. The main concern is again that the state has misdemeanor laws and some felony laws against disclosing or possessing such information. The misdemeanors mean little, but the felonies still have about a year left, although according to the wording of the laws on the books it could be argued that a felony didn't occur. The state has really weak cyber laws and does not appear to have introduced anything new since. The main bulk of the breach supposedly includes (now old) user credentials, network information, paperwork (some of it legal paperwork) and just the proof that an individual who in no way should have even been physically capable of obtaining such information did in "fact" obtain it to the embarrassment of the state which blatantly refused to act or reveal openly to anyone that data had been compromised. His/Her main goal is to prove the state's refusal to reveal to anyone openly the breach, or to repair it in a transparent manner. Again, this person revealed the breach to the state -- even the state's highest legal individual authority -- and no actions were taken openly, even to legally respond. I realize this is vague again, but I really appreciate the help guys!
Even if no consensus is come to it's still helpful to see other opinions or potential answers.
 

Jimdigriz

Member
That's understood -- there the statute of limitations is the same as the state's; five years and only applies if the Feds want to prosecute. What constitutes whether it becomes a Federal crime or not?
 

quincy

Senior Member
If the fellow notified the state about vulnerabilities in their system, the odds are pretty good that the identity of the hacker is known.

If anyone uses the data or discloses the data, there will no doubt be an investigation followed by prosecution. Accessing the data is a crime but new crimes are committed with publication of the data (and with these new crimes, new statutes of limitations).

If you are the one who hacked into the state's system and/or are now in possession of the data, you would be smart to destroy it. Nothing good can come from this.
 

PayrollHRGuy

Senior Member
That's understood -- there the statute of limitations is the same as the state's; five years and only applies if the Feds want to prosecute. What constitutes whether it becomes a Federal crime or not?
If he still has the data he is still breaking the law. If possession of the data is in itself a crime the statute of limitations hasn't started.

As to if it is federal or not. I can't imagine such a crime that couldn't come under federal jurisdiction if they really wanted the guy.
 

quincy

Senior Member
I agree that there are both state and federal computer crimes that are violated, and civil actions can possibly be filed by anyone whose identifying personal information has been compromised.
 

Whoops2u

Active Member
If you are the one who hacked into the state's system and/or are now in possession of the data, you would be smart to destroy it.
At the same time, holding the data might help prove he wanted to do good while destroying the data might help prove intent to commit the earlier crimes as well as be a violation in and of itself. (18 U.S.C. § 1519)
 
