Fraud 2.0 - The Laws that Help Businesses Combat Computer Fraud


What is Fraud 2.0? Computer fraud is the fraud of the century and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law that is available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, describes some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0.

This presentation was made to Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.

  • Who knows what movie this was from? Anyone remember? Early 80s – 1983
  • Movie War Games!
  • Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
  • CFAA’s definition of computer: Remember the “But”!!!
  • Now that we know what it applies to, let’s talk about what the CFAA prohibits.
  • Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA. I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it.” Ok – best of luck to you (and your clients!)!
  • What would your advice, as a lawyer, be in this situation?
  • Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!) The CFAA is what is most commonly used to deal with misuse of computers.

    1. FRAUD 2.0: An Overview of the Laws that Help Businesses and Individuals Combat Computer Fraud. Association of Certified Fraud Examiners, November 8, 2012
    2. THINK ABOUT THIS … www.brittontuma.com
    3. [SEE FOLLOWING VIDEO] https://vimeo.com/2030361
    4. WHAT DOES THAT MEAN TO YOU?
    5. STUXNET?
    6. NON COMPUTER RELATED FRAUD?
    7. As of September 2012, cybercrime • costs $110 billion annually • 18 adults every second are victims • 556,000,000 adults every year are victims • 46% of online adults are victims • mobile devices are trending (2012 Norton Cybercrime Report)
    8. What is fraud? • Fraud is, in its simplest form, deception • Black’s Law Dictionary • all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth
    9. Traditional vehicles for fraud? • verbal communication • written communication • in person • through mail • over wire
    10. What do computers do? EFFICIENCY!
    11. FRAUD 2.0
    12. Computer Fraud = Fraud 2.0 • Deception, through the use of a computer • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier” • computer hacking, data theft, theft of money, breaches of data security, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks • mouse and keyboard = modern fraudster tools of choice
    13. Who knows the percentage of businesses that suffered at least one act of computer fraud in last year? 90% (Ponemon Institute Study)
    14. Computer Fraud and Abuse Act. Federal Law – 18 U.S.C. § 1030
    15. BRIEF HISTORY OF THE CFAA
    16. www.brittontuma.com
    17. www.brittontuma.com
    18. Why is the Computer Fraud and Abuse Act important? • Primary Law for Misuse of Computers • Computers …
    19. “Everything has a computer in it nowadays.” -Steve Jobs
    20. WHAT IS A COMPUTER?
    21. The CFAA says: has a processor or stores data. “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …” IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
    22. What about
    23. The Fourth Circuit says “’Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of “computer.”’ “’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” -United States v. Kramer
    24. The CFAA applies only to “protected” computers. This may limit the problem of applying it to alarm clocks, toasters, and coffee makers. Protected = connected to the Internet. Any situations where these devices are connected?
    25. • TI-99: 3.3 MHz Processor, 16 KB of RAM • Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM • iPhone 5: 1.02 GHz Processor, 1 GB of RAM
    26. 66 MHz = fastest desktop in 80s; 96 MHz = child’s toy today; 250 MHz = fastest super computer in 80s; 1.02 GHz = telephone today
    27. WHAT DOES THE CFAA PROHIBIT?
    28. CFAA prohibits the access of a protected computer that is • Without authorization, or • Exceeds authorized access
    29. Where the person accessing • Obtains information • Commits a fraud • Obtains something of value • Transmits damaging information • Causes damage • Traffics in passwords • Commits extortion
    30. “I am the wisest man alive, for I know one thing, and that is that I know nothing.” -Socrates • Overly simplistic list • Very complex statute • Superficially it appears deceptively straightforward • Many pitfalls
    31. Two Most Problematic Issues • “Loss” Requirement ◦ Confuses lawyers and judges alike • Unauthorized / Exceeding Authorized Access ◦ Evolving jurisprudence ◦ Interpreted by many Circuits ◦ New conflict on April 10, 2012
    32. Limited civil remedy • Procedurally complex with many cross-references • “damage” ≠ “damages” • Must have $5,000 “loss” • Loss requirement is jurisdictional threshold
    33. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Loss = cost (unless interruption of service)
    34. What can qualify as a “loss”? • Investigation and response costs ◦ Forensics analysis and investigation ◦ Diagnostic measures ◦ Restoration of system ◦ Bartered services for investigation / restoration • Value of employees’ time • Attorneys’ fees if leading investigation
    35. What is not a “loss”? • Lost revenue (unless interruption of service) • Value of trade secrets • Lost profits • Lost customers • Lost business opportunities • Privacy and Personally Identifiable Information
    36. Privacy and Personally Identifiable Information • iTracking • Hacking / data breach • Browser cookies REMEMBER: Loss is only required for civil remedy – not criminal violation
    37. What would you advise? • Wrongful access of your client’s computer • Considering a CFAA claim • Your advice would be to ________?
    38. Remedies • Available ◦ Economic damages ◦ Loss damage ◦ Injunctive relief • Not Available ◦ Exemplary damages ◦ Attorneys’ fees
    39. Elements of broadest CFAA Claim 1. Intentionally access computer; 2. Without authorization or exceeding authorized access; 3. Obtained information from any protected computer; and 4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    40. Elements of CFAA Fraud Claim 1. Knowingly and with intent to defraud; 2. Accesses a protected computer; 3. Without authorization or exceeding authorized access; 4. By doing so, furthers the intended fraud and obtains anything of value; and 5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    41. WRONGFUL ACCESS
    42. General Access Principles • Access by informational / data use • ≠ technician • Must be knowing or intentional access • ≠ accidental access
    43. Two Types of Wrongful Access. “without authorization”: • Outsiders • No rights • Not defined • Only requires intent to access, not harm • Hacker! “exceeds authorized”: • Insiders • Some rights • CFAA defines: access in a way not entitled • Necessarily requires limits of authorization • Employees, web users, etc.
    44. When does authorization terminate? As of April 10, 2012, there are (once again) three general lines of cases: Trilogy of Access Theories • Agency Theory • Intended-Use Analysis • Access Means Access
    45. Ways to establish limits for Intended-Use • Contractual ◦ Policies: computer use, employment & manuals ◦ Website Terms of Service • Technological ◦ Login and access restrictions ◦ System warnings • Training and other evidence of notification • Notices of intent to use CFAA
    46. Contractual limits should • Clearly notify of limits • Limit authorization to access information • Limit use of information accessed • Terminate access rights upon violation • Indicate intent to enforce by CFAA. Goal: limit or terminate authorization
    47. Employment Situations. Most common scenario is employment • Employee accesses and takes customer account information • Employee accesses and takes or emails confidential information to competitor • Employee improperly deletes data and email • Employee deletes browser history • Employee accessing their Facebook, Gmail, Chase accounts at work
    48. Family Law Situations. Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT! • Estranged spouse in Arkansas did after separation • NTTA account? • Bank account? • Cancelling services via online accounts?
    49. Sharing Website Logins. Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT! • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim • The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service
    50. Misuse of Websites. Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT! • Myspace Mom case • Fake login to disrupt legitimate website sales • Accessing website to gain competitive information when prohibited by TOS • Creating fake Facebook to research opposing parties
    51. Hacking & Private Information. Hacking was original purpose for CFAA • Hacking and obtaining private information • (president’s educational records) • Tracking individuals through geo-tagging • Website collection of private information • All fit within the prohibitions of the CFAA • Loss is the problem, from a civil standpoint
    52. What about … • Hacking a car? • Hacking a person? • What else?
    53. What about … • Denial of Service Attacks • Password Trafficking
    54. OTHER LAWS FOR COMBATING FRAUD 2.0
    55. Federal Laws for Combating Fraud 2.0 • Electronic Communications Privacy Act - 18 U.S.C. § 2510 • Wiretap Act ≠ intercept communications • Stored Communications Act ≠ comm. at rest • Fraud with Access Devices - 18 U.S.C. § 1029 • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards • Identity Theft – 18 U.S.C. § 1028
    56. Texas Laws for Combating Fraud 2.0 • Breach of Computer Security Act (Tx. Penal Code § 33.02) • knowingly access a computer without effective consent of owner • Fraudulent Use or Possession of Identifying Info (TPC § 32.51) • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02) • Unlawful Access to Stored Communications (TPC § 16.04) • Identity Theft Enforcement and Protection Act (BCC § 48.001) • Consumer Protection Against Computer Spyware Act (BCC § 48.051) • Anti-Phishing Act (BCC § 48.003)
    57. • Welcome to the world of Fraud 2.0! • Why? Remember what Jobs said • CFAA is very broad and covers all kinds of computer fraud (sometimes) • Courts’ interpretation of the CFAA is changing all the time – you must stay updated! • Many other Federal and Texas laws also available for combating computer fraud
    58. www.brittontuma.com
