Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

FRAUD 2.0
Overview and Update of the
Computer Fraud and Abuse Act and
A Few Lessons About Data Breaches
Privacy, Data Security, and eCommerce Committee
of the State Bar ofTexas
August 28, 2013

2
#fraud20
www.brittontuma.com

3
when is the last time you
heard of …
www.brittontuma.com #fraud20

4
NON COMPUTER
RELATED FRAUD?

5
2012 Cybercrime Statistics
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
2012 Norton Cybercrime Report
www.brittontuma.com

6
What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
• all multifarious means which human ingenuity
can devise, and which are resorted to by one
individual to get advantage over another by
false suggestions or suppression of the truth

7
Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• via wire

8
What do computers do?
EFFICIENCY!

9
FRAUD 2.0

10
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers
and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches
of data security, corporate espionage, privacy breaches,
computer worms,Trojan horses, viruses, malware, denial
of service attacks
• mouse and keyboard = modern fraudster tools of choice

11
Who knows the percentage of
businesses that suffered at least one act
of computer fraud in last year?
90%
(Ponemon Institute Study)

12
BRIEF HISTORY OF
THE COMPUTER FRAUD
AND ABUSE ACT
(CFAA)
#fraud20

13
Computer Fraud and Abuse Act
Federal Law – 18 U.S.C § 1030

14www.brittontuma.com #fraud20

16
 Primary Law for Misuse of Computers
 Computers …
Why is the Computer Fraud
and Abuse Act important?

17www.brittontuma.com
“Everything has a
computer in it nowadays.”
-Steve Jobs
#fraud20

18
WHAT IS A COMPUTER?
#fraud20

has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but …”
IMPORTANT! “such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device;”
The CFAA says
#fraud20

What about . . .
#fraud20

“’That category can include coffeemakers, microwave
ovens, watches, telephones, children’s toys, MP3
players, refrigerators, heating and air-conditioning
units, radios, alarm clocks, televisions, and DVD
players, . . . .”
-UnitedStates v. Kramer
The Fourth Circuit says
#fraud20

This may limit the problem of applying it to alarm
clocks, toasters, and coffee makers – for now?
The CFAA applies only to “protected” computers
Protected = connected to the Internet
Any situations where these devices are connected?
#fraud20

• TI-99
• 3.3 MHz Processor
• 16 KB of RAM
• Leap Frog Leapster
• 96 MHz Processor
• 128 MB of RAM
• iPhone 5
• 1.02GHz Processer
• 1 GB of RAM
#fraud20

66 MHz =
fastest
desktop in 80s
96 MHz = child’s
toy today
250 MHz =
fastest super
computer in 80s
1.02 GHz =
telephone today
#fraud20

no, I really mean seriously . . .
#fraud20

28
WHAT DOES THE CFAA
PROHIBIT?
#fraud20

29
CFAA prohibits the access of a protected
computer that is
 Without authorization, or
 Exceeds authorized access

30
Where the person accessing
 Obtains information
 Commits a fraud
 Obtains something of value
 Transmits damaging information
 Causes damage
 Traffics in passwords
 Commits extortion

31
 Overly simplistic list
 Very complex statute
 Appears deceptively straightforward
 Many pitfalls
www.brittontuma.com
“I am the wisest man alive,
for I know one thing, and that
is that I know nothing.”
-Socrates
#fraud20

32
Two Most Problematic Issues
 “Loss” Requirement
• Confuses lawyers and judges alike
 Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012

33
Limited civil remedy
 Procedurally complex with many cross-
references
 “damage” ≠ “damages”
 Must have $5,000 “loss” (i.e., cost)
 Loss requirement is jurisdictional threshold

34
What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)

35
What can qualify as a “loss”?
 Investigation and response costs
• Forensics analysis and investigation
• Diagnostic measures
• Restoration of system
• Bartered services for investigation / restoration
 Value of employees’ time
 Attorneys’ fees if leading investigation
www.brittontuma.com

36
What is not a “loss”?
 Lost revenue (unless interruption of service)
 Value of trade secrets
 Lost profits
 Lost customers
 Lost business opportunities
 Privacy and Personally Identifiable Information
www.brittontuma.com

37
Privacy and Personally Identifiable Information
 iTracking
 Hacking / data breach
 Browser cookies
REMEMBER: Loss is only required for civil remedy –
not criminal violation
www.brittontuma.com

38
What would you advise?
• Wrongful access of your client’s computer
• Considering a CFAA claim
• Your advice would be to ________?
www.brittontuma.com

39
Remedies
• Available
• Economic damages
• Loss damage
• Injunctive relief
• Not Available
• Exemplary damages
• Attorneys’ fees

40
Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized access;
3. Obtained information from any protected computer;
and
4. Victim incurred a loss to one or more persons during
any 1-year period of at least $5,000.

41
Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized access;
4. By doing so, furthers the intended fraud and obtains
anything of value; and
5. Victim incurred a loss to one or more persons during
any 1-year period of at least $5,000.

43
General Access Principles
 Access by informational / data use
 ≠ technician
 Must be knowing or intentional access
 ≠ accidental access

“without authorization”
 Outsiders
 No rights
 Not defined
 Only requires intent to
access, not harm
 Hacker!
“exceeds authorized”
 Insiders
 Some rights
 CFAA defines: access in
a way not entitled
 Necessarily requires
limits of authorization
 Employees, web users,
etc.
TwoTypes of Wrongful Access
#fraud20

45
When does authorization terminate?
Trilogy of AccessTheories
• AgencyTheory
• Intended-Use Theory
• Strict AccessTheory

46
AgencyTheory
International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)
• Under common law agency principles, an employee’s right to access his
employer’s computer is premised on his serving the interests of his
employer. Should his loyalties to his employer change and his interests
become adverse, so to would his authorization change by becoming
unauthorized.
• Under this “agency theory” the authorization to access was based upon
the employee’s own subjective loyalties and interests and, if they
changed, his authorization to access the employer’s computer changed
with it.
• 7th Circuit only

47
Intended-UseTheory
United States v.John, 597 F.3d 263 (5th Cir. 2010)
• Access to a computer and data that can be obtained from that access may
be exceeded if the purposes for which access has been given is exceeded
and the employee is actually aware of those limitations on purpose
through policies or contractual agreements.
• The employer can implement restrictions on access and use of information
obtained thereby, in advance, by policies and agreements that are known
by the employee and, if the employee still violates those limitations by
accessing information and using it for improper purposes–not for its
intended use–that is unauthorized for purposes of the CFAA.
• 5th, 11th, 8th, 3rd, 1st (possibly)Circuits

48
Strict AccessTheory
United States v. Nosal (Nosal II), 676 F.3d 854 (9th Cir. 2012) (en banc)
• A strict interpretation of the CFAA prohibits unauthorized access to the
computer rather than unauthorized use of the information. If
authorization to access has been given, access will continue to be
authorized until it is explicitly revoked, regardless of how it is used.
• 9th and 4th Circuits

49
Establishing limits for Intended-Use
• Contractual
• Policies: computer use, employment & manuals
• WebsiteTerms of Service
• Technological
• Login and access restrictions
• System warnings
• Training and other evidence of notification
• Notices of intent to use CFAA

50
Contractual limits should
• Clearly notify of limits
• Limit authorization to access information
• Limit use of information accessed
• Terminate access rights upon violation
• Indicate intent to enforce by CFAA
Goal: limit or terminate authorization
www.brittontuma.com

51
Ways to terminate for Strict Access
Craigslist Inc. v. 3Taps Inc., 2013WL 447520 (ND Ca. Aug. 16, 2013)
 3Taps operates an online service that aggregates and republishes ads
from Craigslist.After learning, Craigslist took two important steps:
1. sent a cease-and-desist letter informing “[t]his letter notifies you that you
and your agents, employees, affiliates, and/or anyone acting on your behalf
are no longer authorized to access, and/or prohibited from accessing
Craigslist ‘s website or services for any reason” (clear and direct notice)
2. configured its website to block access from IP addresses associated with
3Taps (technological restrictions)
 Craigslist as owner of the website rescinded that permission for 3Taps and
further access by 3Taps after that rescission was “without authorization.”
 With active monitoring, access and use can be controlled with CFAA.

52
Remember Aaron Swartz?
 In 2008, downloaded and released approximately 20%
of the Public Access to Court Electronic Records
(PACER) database of United States federal court
documents which amounted to about 18,000,000
documents. He was investigated by the FBI but was
not charged.
 Tried to “liberate” all information in JSTOR’s database
by making it publicly available via file sharing
networks. Made several attempts by using MIT’s
network and account with a guest account he created,
each time circumventing the barriers that MIT and
JSTOR set up to stop him.
 Circumvented IP blocking, download limitations,
spoofed MAC address, bought new laptop to
circumvent, broke into network closet.

53
Who is SandraTeague?
United States v.Teague, 646 F.3d 1119 (8th Cir. 2011)
 Worked for a contractor that assists the Department
of Education with student loan inquiries via a call
center ; had been granted access to the National
Student Loan Data System which contains student
borrowers’ private information.
 Used their access to look up 1 record for an individual
even though they were not working on anything
related to that person. For this single act,Teague was
charged with violating the Computer Fraud and Abuse
Act, tried, and convicted.
 Can you guess whose student loan records are that
guarded?

54
Employment Situations
Most common scenario is employment
• Employee access and take customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history 
• Employee accessing their Facebook, Gmail,Chase accounts at
work 

55
Family Law Situations
Have you ever logged into your significant
other’s email or Facebook to see what
they’re saying to others?
DON’TANSWERTHAT!
• Arkansas spouse after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
• Kate Gosselin v. Jon Gosselin alleges, post
separation:
• hack email, phone, bank account
• stole hard drive
• published info for tabloids and book
• $5,000 loss?

56
SharingWebsite Logins
Have you ever borrowed or shared website login credentials and
passwords for limited access sites (i.e., online accounts)?
DON’TANSWERTHAT!
• Recent case held that permitting others to use login credentials for
paid website was viable CFAA claim
• The key factor here was the conduct was prohibited by the website’s
agreed toTerms of Service

57
Misuse ofWebsites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWERTHAT!
• Myspace Mom case – United States v. Drew
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited byTOS
• Creating fake Facebook to research opposing parties
• Website scraping – Craigslist v. 3Taps

58
Hacking & Private Information
Hacking was original purpose forCFAA
• Hacking and obtaining private information
• United States v.Teague
• 8th Cir, employee looking up forbidden educ. records
• United States v.Tolliver
• 3rd Cir, employee looking up customer records without business purp.
• Tracking individuals through geo-tagging
• Website collection of private information
• All fit within the prohibitions of the CFAA
• Loss is the problem, from a civil standpoint
www.brittontuma.com

59
DATA BREACH
WHAT DO YOU DO?
#fraud20

60
Data Breach
• often a product of computer fraud
• on the rise
• major risk to virtually all businesses
• PII, PHI, financial data, cardholder data
• disruption and data loss
• claims from data subjects
• fines and penalties from govts, agencies, indust. groups
• impossible to prevent
• plan ahead to reduce harm

61
4 Phases of Data Breach
• Preparation
• Prevention
• Understanding
• Laws, Rules & Regulations
• Responding

62
Preparation
• Breach Response Plan
• Goal  Execute!
• Who,What,When, How
• Attorney – privilege
• Adopted Notification Form
• EducateTeam
• IT Security Audit / PenetrationTesting
• Compliance Prepare,Train, Audit
• HIPAA, ERISA, OSHA, PCI, FINRA
• Cyber Insurance

63
Prevention
• Software and Systems Updates
• RemediateVulnerabilities
• Encrypt, Encrypt, Encrypt
• Data Surveillance & IT Alerts
• Cyber CounterIntelligence / CounterEspionage
• ITAlerts

64
Understanding Laws, Rules & Regulations
• No Federal Breach Notification Law (yet)
• 46 States’ Have Laws
• ≠Alabama, Kentucky, New Mexico, South Dakota
• Massachusetts is an oddball
• 45 days (FL, OH,VT,WI) otherwise expeditious without
unreasonable delay
• Consumers + State Attorney General
• Agencies (FTC, HHS, OCR, DOL, SEC)
• Industries (FINRA, PCI)
• International

65
Responding to a Breach – Just Execute the Plan!
• ContactAttorney
• Assemble ResponseTeam
• Contact Forensics
• Investigate Breach
• Remediate ResponsibleVulnerabilities
• ContactVendor for Notification
• Reporting & Notification
• Law Enforcement First
• AGs,Admin. Agencies, Industries, Cred. Rpt, Consumers

66
OTHER LAWS FOR
COMBATING FRAUD 2.0
#fraud20

67
Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act - 18 U.S.C. § 2510
• Wiretap Act ≠ intercept communications
• Stored CommunicationsAct ≠ comm. at rest
• Fraud with Access Devices - 18 U.S.C. § 1029
• devices to obtain passwords, phishing, counterfeit
devices, scanning receivers, drive through swipe cards
• IdentityTheft – 18 U.S.C. § 1028

68
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
• knowingly access a computer without effective consent of owner
• Notification Required Following Breach of Security of Computerized
Data (Tex. Bus. Comm. Code sec. 521.053) amended by SB 1610 (eff.
6/14/13)
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure ofWire, Oral or Electronic
Communications (TPC § 16.02)
• UnlawfulAccess to Stored Communications (TPC § 16.04)
• IdentityTheft Enforcement and ProtectionAct (BCC § 48.001)
• Consumer ProtectionAgainstComputer SpywareAct (BCC § 48.051)
• Anti-PhishingAct (BCC § 48.003)

69
• Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of
computer fraud (sometimes) – evolving!
• Data Breaches – be prepared – it will happen!
• Many other Federal andTexas laws also available
for combating computer fraud
• Cyber Insurance

Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

Similar to Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas (20)

More from Shawn Tuma

More from Shawn Tuma (20)

Recently uploaded

Recently uploaded (20)

Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

Editor's Notes