Your SlideShare is downloading. ×
Computer Fraud and Abuse Act CLE - Dallas Bar Ass'n (8.22.11)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Computer Fraud and Abuse Act CLE - Dallas Bar Ass'n (8.22.11)

11,595
views

Published on

The slides are from a Continuing Legal Education seminar entitled "Computer Fraud and Abuse Act: A Lunch Sampler With A Little Something for Everyone" …

The slides are from a Continuing Legal Education seminar entitled "Computer Fraud and Abuse Act: A Lunch Sampler With A Little Something for Everyone"

I presented to the Dallas Bar Association on August 22, 2011.

If you have any questions please feel free to contact me at www.shawnetuma.com

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
11,595
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Good afternoon, thank you all very much for having me here to speak today. My name is Shawn Tuma and I am an attorney at Shields, Britton & Fraser in Plano.I have a peculiar interest in the Computer Fraud and Abuse Act and have been watching as it has developed over the last several years and then, within the last 6 mos. or so has become one of the most relevant laws anywhere.
  • First CLE presentationApril 2000 – Y2K Litigation!
  • Today giving you a sampler platter!A broad overview with enough information that will valuable to all lawyers, regardless of practice.
  • Who knows what movie this was from?Anyone remember?Early 80s - 1983
  • Movie War Games!
  • The first stab at the CFAA was this.Began to fear that with advancing technology the wire and mail fraud laws wouldn’t be sufficient.
  • Then we get the CFAA
  • Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
  • CFAA’s definition of computer:Remember the “But”!!!
  • Protected Computer – more narrowLimits – some, for nowThink of homes where everything is automated via connection to the internet.
  • TI-99 was my first computer in early 80s.Daughter Clara (who started kindergarten today) has a Leapster!
  • To put it into perspective, compare the fastest desktop of the 80s withClara’s LeapsterCray SupercomputeriPhone 4!Now you see why, what seem silly to us today, clearly falls within the technical criteria for what the drafters initially considered to be a computer.
  • Now that we know what it applies to, let’s take about what the CFAA prohibits.
  • This is an overly broad generalization but, generally speaking, the CFAA prohibits wrongfully accessing a computer where the person
  • Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA.I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it”Ok – best of luck to you (and your clients!)!
  • What would your advice, as a lawyer, be in this situation?
  • Have you heard these words lately???
  • Personal Information – PI = your name and a combination of the other information.
  • This is what is currently the most common proposed amendments.
  • Who knows what this beauty is?Better yet, who knows why I have included it?
  • Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!)The CFAA is what is most commonly used to deal with misuse of computers.
  • Presentation slides – available on my website: www.shawnetuma.comThis was taken from an article coming out in Fall 2011 in the University of South Carolina Law Review – the article will also be available once it is published.
  • Transcript

    • 1. Computer Fraud andAbuse Act
      A Lunch Sampler With A Little Something For Everyone
      Dallas Bar Association
      Computer Law Section
      August 22, 2011
      Shawn E. Tuma
      www.shawnetuma.com
    • 2. 2
      Wouldn’t be the first time
    • 3. 3
      Enjoy!
    • 4. 4
      Something for every practice
      • Civil Litigation Lawyers
      • 5. Criminal Lawyers
      • 6. Employment Lawyers
      • 7. Family Lawyers
      • 8. In-house Counsel
      • 9. Business & Transactional Lawyers
      • 10. Technology & Privacy Lawyers
      www.shawnetuma.com
    • 11. 5
      Topics to be covered
      • History and Original Purpose of CFAA
      • 12. Why?
      • 13. What Does the CFAA Prohibit?
      • 14. Most Controversial Issues Under CFAA
      • 15. Examples of Most Common CFAA Violations
      • 16. Proposed Amendments to the CFAA
      www.shawnetuma.com
    • 17. 6
      Brief history of the cfaa
      www.shawnetuma.com
    • 18. 7
      History of CFAA
      www.shawnetuma.com
    • 19. 8
      History of CFAA
      www.shawnetuma.com
    • 20. 9
      History of CFAA
      Comprehensive Crime Control Act of 1984
      • Criminal statute
      • 21. Wire & mail fraud
      • 22. Response to movie War Games
      www.shawnetuma.com
    • 23. 10
      History of CFAA
      Computer Fraud and Abuse Act of 1986
      • Hacking of “Government interest” computers
      • 24. Criminal only
      • 25. 3 major amendments (9 total)
      • 26. Added private cause of action in ’94
      • 27. 2008 most recent
      www.shawnetuma.com
    • 28. 11
      Why?
      Why is the Computer Fraud and Abuse Act important?
      • Primary Law for Misuse of Computers
      • 29. Computers …
      www.shawnetuma.com
    • 30. 12
      Steve Jobs says …
      Do you know who Steve Jobs is?
      Do you know what Steve Jobs recently said?
      “Everything has a computer in it nowadays.”
      www.shawnetuma.com
    • 31. 13
      What is a Computer?
      www.shawnetuma.com
    • 32. 14
      What is a computer?
      The CFAA says
      “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
      “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
      www.shawnetuma.com
    • 33. 15
      What is a computer?
      The Fourth Circuit says
      “If a device is ‘an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion.”
      -United States v. Kramer
      www.shawnetuma.com
    • 34. 16
      What is a computer?
      What about
      www.shawnetuma.com
    • 35. 17
      Anything with a microchip
      The Fourth Circuit says
      “’Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of “computer.”’
      “’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
      -United States v. Kramer
      www.shawnetuma.com
    • 36. 18
      What is a “protected” computer?
      The CFAA applies only to “protected” computers
      This may limit the problem of applying it to alarm clocks, toasters, and coffee makers
      Protected = connected to the Internet
      Any situations where these devices are connected?
      www.shawnetuma.com
    • 37. 19
      Perspective
      www.shawnetuma.com
    • 46. 20
      Perspective
      66 MHz = fastest desktop in 80s
      96 MHz = child’s toy today
      250 MHz = fastest super computer in 80s
      800 MHz = standard telephone today
      www.shawnetuma.com
    • 47. 21
      What does the cfaa prohibit?
      www.shawnetuma.com
    • 48. 22
      Statutory Language
      CFAA prohibits the access of a protected computer that is
      • Without authorization, or
      • 49. Exceeds authorized access
      www.shawnetuma.com
    • 50. 23
      Statutory Language
      Where the person accessing
      • Obtains information
      • 51. Commits a fraud
      • 52. Obtains something of value
      • 53. Transmits damaging information
      • 54. Causes damage
      • 55. Traffics in passwords
      • 56. Commits extortion
      www.shawnetuma.com
    • 57. 24
      Very Complex Statute
      “I am the wisest man alive, for I know one thing, and that is that I know nothing.”
      -Socrates
      • Overly simplistic list
      • 58. Very complex statute
      • 59. Superficially it appears deceptively straightforward
      • 60. Many pitfalls
      www.shawnetuma.com
    • 61. 25
      Very Complex Statute
      Two Most Problematic Issues
      • Unauthorized / Exceeding Authorized Access
      • 62. Evolving jurisprudence
      • 63. Interpreted by 5th, 7th, 9th and 11th Circuits
      • 64. Still no unanimous approach
      • 65. “Loss” Requirement
      • 66. Confuses lawyers and judges alike
      www.shawnetuma.com
    • 67. 26
      Civil Remedy
      Limited civil remedy
      • Procedurally complex with many cross-references
      • 68. “damage” ≠ “damages”
      • 69. Must have $5,000 “loss”
      • 70. Loss requirement is jurisdictional threshold
      www.shawnetuma.com
    • 71. 27
      Civil Remedy
      What is a “loss”?
      “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
      Loss = cost (unless interruption of service)
      www.shawnetuma.com
    • 72. 28
      Civil Remedy
      What can qualify as a “loss”?
      • Investigation and response costs
      • 73. Forensics analysis and investigation
      • 74. Diagnostic measures
      • 75. Restoration of system
      • 76. Bartered services for investigation / restoration
      • 77. Value of employees’ time
      • 78. Attorneys’ fees if leading investigation
      www.shawnetuma.com
    • 79. 29
      Civil Remedy
      What is not a “loss”?
      • Lost revenue (unless interruption of service)
      • 80. Value of trade secrets
      • 81. Lost profits
      • 82. Lost customers
      • 83. Lost business opportunities
      • 84. Privacy and Personally Identifiable Information
      www.shawnetuma.com
    • 85. 30
      Civil Remedy
      Privacy and Personally Identifiable Information
      • iTracking
      • 86. Hacking / data breach
      • 87. Browser cookies
      REMEMBER: Loss is only required for civil remedy – not criminal violation
      www.shawnetuma.com
    • 88. 31
      Civil Remedy
      What would you advise?
      • Wrongful access of your client’s computer
      • 89. Considering a CFAA claim
      • 90. Your advice would be to ________?
      www.shawnetuma.com
    • 91. 32
      Civil Remedy
      Remedies
      • Available
      • 92. Economic damages
      • 93. Loss damage
      • 94. Injunctive relief
      • 95. Not Available
      • 96. Exemplary damages
      • 97. Attorneys’ fees
      • 98. Privacy and Personally Identifiable Information
      www.shawnetuma.com
    • 99. 33
      Basic Elements
      Elements of broadest CFAA Claim
      Intentionally access computer;
      Without authorization or exceeding authorized access;
      Obtained information from any protected computer; and
      Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
      www.shawnetuma.com
    • 100. 34
      Civil Remedy
      Procedural Points
      • 2 year limitations
      • 101. Concurrent jurisdiction
      • 102. No preemption
      • 103. Not Available
      • 104. No Rule 9 heightened pleading
      www.shawnetuma.com
    • 105. 35
      Wrongful Access
      www.shawnetuma.com
    • 106. 36
      Wrongful Access
      General Access Principles
      • Access by informational / data use
      • 107. ≠ technician
      • 108. Must be knowing or intentional access
      • 109. ≠ accidental access
      www.shawnetuma.com
    • 110. Wrongful Access
      Two Types of Wrongful Access
      “without authorization”
      Outsiders
      No rights
      Not defined
      Only requires intent to access, not harm
      Hacker!
      “exceeds authorized”
      Insiders
      Some rights
      CFAA defines: use in a way not entitled
      Necessarily requires limits of authorization
      Employees, web users, etc.
      37
      www.shawnetuma.com
    • 111. 38
      Wrongful Access
      First step should be “which is it”?
      Instead, confusion of the two
      • Lawyers plead both
      • 112. Courts don’t usually indicate which – or care – go straight to the outcome
      • 113. Case outcomes do not reflect Congressional framework
      www.shawnetuma.com
    • 114. 39
      Wrongful Access
      “without authorization”
      • Clear when hacker
      • 115. Question is whether “exceeds” becomes “without”
      • 116. Insider authorized for some computers
      • 117. Insider authorized for some locations
      • 118. Insider authorized for intended use
      • 119. United States v. Morris
      • 120. Unauthorized system and intended use
      www.shawnetuma.com
    • 121. 40
      Wrongful Access
      When does authorization terminate?
      • Now there are two general lines of cases
      • 122. Agency Theory
      • 123. Intended-Use Analysis
      www.shawnetuma.com
    • 124. 41
      Wrongful Access
      Agency Theory
      Employee’s breach of duty of loyal to his employer terminated his right to access the computer based on common law agency principles.
      • International Airport Centers, LLC v. Citrin (7th Cir. 2006)
      • 125. Earlier case
      • 126. Minority view
      www.shawnetuma.com
    • 127. 42
      Wrongful Access
      Intended-Use Analysis
      Authorization continues until terminated by the grantor but exceeding prior contractual access and use limitations exceeds authorized access.
      • United States v. Nosal(9th Cir. 2011); United States v. Rodriguez (11th Cir. 2010); United States v. John (5th Cir. 2010), LVRC Holdings LLC v. Brekka (9th Cir. 2009)
      • 128. Majority view (overly simplified)
      • 129. Prior notice of limits is vital
      • 130. Emphasizes need for contractual limits
      www.shawnetuma.com
    • 131. 43
      Wrongful Access
      Ways to establish limits
      • Contractual
      • 132. Policies: computer use, employment & manuals
      • 133. Website Terms of Service
      • 134. Technological
      • 135. Login and access restrictions
      • 136. System warnings
      • 137. Training and other evidence of notification
      • 138. Notices of intent to use CFAA
      www.shawnetuma.com
    • 139. 44
      Wrongful Access
      Contractual limits should
      • Clearly notify of limits
      • 140. Limit access to information
      • 141. Limit use of information accessed
      • 142. Terminate access rights upon violation
      • 143. Indicate intent to enforce by CFAA
      Goal: limit or terminate authorization
      www.shawnetuma.com
    • 144. 45
      Wrongful AccessExamples
      The following examples are situations that may constitute a wrongful access under the CFAA
      • I say “may” because …
      • 145. We’re talking about law!
      • 146. Evolving jurisprudence
      • 147. Access limits are huge factor
      • 148. Facts can vary greatly
      www.shawnetuma.com
    • 149. 46
      Wrongful AccessExamples
      Employment Situations
      Most common scenario is employment
      • Employee access and take customer account information
      • 150. Employee accesses and takes or emails confidential information to competitor
      • 151. Employee improperly deletes data and email
      • 152. Employee deletes browser history 
      • 153. Employee accessing their Facebook, Gmail, Chase accounts at work 
      www.shawnetuma.com
    • 154. 47
      Wrongful AccessExamples
      Family Law Situations
      Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?
      DON’T ANSWER THAT!
      • Estranged spouse in Arkansas did after separation
      • 155. NTTA account?
      • 156. Bank account?
      • 157. Cancelling services via online accounts?
      www.shawnetuma.com
    • 158. 48
      Wrongful AccessExamples
      Sharing Website Logins
      Have you ever borrowed or shared website login credentials and passwords?
      DON’T ANSWER THAT!
      • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
      • 159. The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service
      www.shawnetuma.com
    • 160. 49
      Wrongful AccessExamples
      Misuse of Websites
      Ever created a fake profile or used a website for something other than its intended purpose?
      DON’T ANSWER THAT!
      • Myspace Mom case
      • 161. Fake login to disrupt legitimate website sales
      • 162. Accessing website to gain competitive information when prohibited by TOS
      • 163. Creating fake Facebook to research opposing parties
      www.shawnetuma.com
    • 164. 50
      Wrongful AccessExamples
      Hacking & Private Information
      Hacking was original purpose for CFAA
      • Hacking and obtaining private information
      • 165. Tracking individuals through geo-tagging
      • 166. Website collection of private information
      • 167. All fit within the prohibitions of the CFAA
      • 168. Loss is the problem, from a civil standpoint
      www.shawnetuma.com
    • 169. 51
      Proposed amendments
      www.shawnetuma.com
    • 170. 52
      Proposed Amendments
      Hacking
      Data Breach
      Privacy
      www.shawnetuma.com
    • 171. 53
      Proposed Amendments
      Hacking, Data Breach & Privacy
      • Biggest news event of year?
      • 172. 46 States  Breach Notification Laws
      • 173. Administration & Congress want to act
      • 174. Protect Personal Information (“PI”)
      • 175. Name + address, SS#, DL#, or financial acct #
      • 176. Health data
      • 177. Vehicle of choice is to amend the CFAA
      www.shawnetuma.com
    • 178. 54
      Proposed Amendments
      Proposed Amendments
      • Several bills
      • 179. Proposals generally seek
      • 180. National standard breach notification law
      • 181. Preempt State laws
      • 182. Regulate businesses handling PI
      • 183. Limit PI businesses retain
      • 184. Stronger criminal penalties for hacking
      www.shawnetuma.com
    • 185. 55
      Proposed Amendments
      Will tougher criminal penalties help?
      The Real Question:
      Is it possible to keep data secure from being breached?
      www.shawnetuma.com
    • 186. 56
      Proposed Amendments
      www.shawnetuma.com
    • 187. 57
      Proposed Amendments
      Who’s gonna get it?
      Cost – benefit analysis
      • $11 per vehicle
      • 188. Cheaper to defend wrongful death lawsuits
      • 189. The “Ford Pinto Memo”
      • 190. Actual damages: $2.5 million
      • 191. Punitive damages: $125 million
      www.shawnetuma.com
    • 192. 58
      Proposed Amendments
      Ford got the message!
      Deterrence: civil v. criminal?
      Amend CFAA to permit more civil claims
      • Give owner of PI a cause of action against
      • 193. Hacker
      • 194. Breached entity
      • 195. Include breach of PI as a “loss”
      • 196. Permit recovery of costs and attorneys’ fees
      • 197. Likelihood of civil greater than criminal
      www.shawnetuma.com
    • 198. 59
      Conclusion
      • Why? Remember what Jobs said
      • 199. CFAA is very broad and covers all kinds of computer misuse
      • 200. CFAA is complex with lots of pitfalls
      • 201. Proposed Amendments will broaden CFAA
      • 202. Data breach
      • 203. Privacy
      www.shawnetuma.com
    • 204. 60
      THE END
      www.shawnetuma.com