As the United States moves further into the 21st century, it is interesting to consider how the data breaches of today compare to similar situations in our past. Looking back to the beginning of the 20th century with the Espionage Act of 1917, it is important to understand what espionage is and how it affects the United States in times of war and peace. Espionage is defined as the things that are done to find out secrets from enemies or competitors. At the beginning of World War I, it was important to define the limits of espionage and detail the limits on all citizens during wartime. Using the Espionage Act of 1917 and the Sedition Act of 1918, Congress was able to protect national security at the expense of the First Amendment. The first case to truly apply the Espionage Act of 1917 was Schenck v. United States, where Charles T. Schenck was charged with espionage for distributing leaflets discouraging men from signing up for the draft. The idea of freedom of speech was tested, and found to be a guideline that needed restriction during wartime for the protection of the country.
A century later, the United States has added several pieces of the Espionage Act to US Code Title 18 – Crimes and Criminal Procedure. This allows the boundaries established by the Espionage Act of 1917 to apply in times of peace, instead of only under US Code Title 50 – War and National Defense. This is important in today’s world, as several individuals have disclosed sensitive information regarding the US Military – including Chelsea Manning, Edward Snowden, and former Director of the CIA David Petraeus. These individuals have been charged for violating the Espionage Act, all within the last decade.
The question now, as we consider the many recent and ever-increasing data breaches, is at what point do we hold companies and security firms responsible for leaking sensitive information? Can they be charged under the Espionage Act as having released sensitive military information – particularly the OPM with its extensive database of government employees – or is this not considered espionage? Section 18 of the US Code defines espionage as the removal, or attempt to remove, any information pertaining to defense. While the OPM data breach appears to have only affected public employees and officials, it is not entirely clear who and what exactly has been affected. It does not seem unlikely that sensitive, defense-related information was held at the OPM, and as the OPM was breached twice, it is still not entirely clear the extent of the breaches and what exactly has been compromised.
Can the United States government bring espionage charges if it is found that any United States citizen was involved? What about the security firms that are hired to protect sensitive information? Can they be charged under 18 U.S. Code § 793(f)(1) for gross negligence if the information pertains to national security?
Data breaches happen for a number of reasons, but these reasons will need to be addressed in order to protect intellectual property, as well as private and personal information. The issue almost always comes back to money – either not having enough to hire adequate security personnel, or the search for more by stealing information and selling it to the highest bidder. In the situation with the OPM data breach, the highest seller was China, looking for more information and a better understanding of our technology.
It will be interesting to see just how security firms are held responsible for the data breaches of today, and how the United States government will respond to data breaches that can compromise national security in the future.