On February 10, 2020, four Chinese nationals associated with the People’s Republic of China and the People’s Liberation Army were indicted for allegedly hacking into Equifax, the consumer credit reporting agency located in Atlanta, Georgia. The indictment alleges that between May 13, 2017, and July 30, 2017, the individuals conspired to hack into the Equifax database, maintain unauthorized access to the computers, and steal names, birth dates, and social security numbers of 145 million Americans. The hackers also allegedly obtained driver’s license numbers for at least 10 million Americans, and credit card numbers for 200,000 Americans.
According to the indictment, Equifax’s data compilation of Americans’ personally identifiable information constitutes a trade secret because it was proprietary and because Equifax took “reasonable measures to keep [it] secret.” Therefore, the indictment alleges, the data breach constituted a theft of trade secrets. The DOJ contends that the hack was one of several related data thefts organized by the Chinese military.
Attorney General William Barr noted during a news conference on February 10 that this was a deliberate “heist of sensitive information…as well as the hard work and intellectual property of an American company, by a unit of the Chinese military…” These comments are in step with the DOJ’s “China Initiative” announced in 2018 to prioritize economic espionage and theft of American trade secrets by Chinese actors. As we reported in both the 2018 and 2019 Year in Review, a number of other recent theft of trade secret cases have pursued this focus.
The charges brought against the four individuals are: computer fraud conspiracy, computer fraud and abuse: intentional damages, computer fraud and abuse: unauthorized access, conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud, and wire fraud. DOJ’s press release commends Equifax for “cooperat[ing] fully” and “provid[ing] valuable assistance in the investigation.”
TIP: It is important for companies to implement data protection measures, monitor their data access to prevent a potential data breach, and cooperate with government investigations into data hacks.