In response, more companies are resorting to countermeasures like planting false information on their own servers to mislead data thieves, patrolling online forums to watch for stolen information and creating “honey pot” servers that gather information about intruders. Last year, companies also spent roughly $1.3 billion on insurance to help cover expenses associated with data theft.
Some security experts are urging even more aggressive action. “Companies want better results than are being delivered by law enforcement,” said Stewart A. Baker, former assistant secretary for policy at the Department of Homeland Security. He questioned whether the National Security Agency, the F.B.I. or the C.I.A. had enough qualified counterhackers to stake out corporate networks and also whether those businesses would be comfortable giving the government more access to their networks.
Mr. Baker maintains that victims of data theft can reasonably argue that they have a right to follow and retrieve stolen data wherever the thief takes it. And, he added, federal law on the matter is so ambiguous that prosecuting a company for trespassing on the domain of a hacker would be difficult and highly unlikely.