The Evolving Computer Fraud and Abuse Act

The slides from Shawn Tuma's presentation to the Computer Law Section of the Dallas Bar Association entitled The Evolving Computer Fraud and Abuse Act. Dated April 23, 2012.

  • Good afternoon, thank you all very much for having me here to speak today. My name is Shawn Tuma and I am an attorney at BrittonTuma in Plano – excited to announce in a few weeks we will be moving in to the Shops at Legacy so anyone who needs to come have an excuse for happy hour on a patio – I mean a meeting with some attorneys – please let us know! I have a peculiar interest in the Computer Fraud and Abuse Act and have been watching as it has developed over the last several years and then, within the last 6 mos. or so has become one of the most relevant laws anywhere.
  • Who knows what movie this was from? Anyone remember? Early 80s – 1983
  • Movie War Games!
  • The first stab at the CFAA was this. Began to fear that with advancing technology the wire and mail fraud laws wouldn’t be sufficient.
  • Then we get the CFAA
  • Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
  • CFAA’s definition of computer: Remember the “But”!!!
  • Protected Computer – more narrow. Limits – some, for now. Think of homes where everything is automated via connection to the internet.
  • TI-99 was my first computer in early 80s. Daughter Clara (who started kindergarten today) has a Leapster!
  • To put it into perspective, compare the fastest desktop of the 80s with Clara’s Leapster, Cray Supercomputer, iPhone 4! Now you see why what seems silly to us today clearly falls within the technical criteria for what the drafters initially considered to be a computer.
  • Now that we know what it applies to, let’s talk about what the CFAA prohibits.
  • This is an overly broad generalization but, generally speaking, the CFAA prohibits wrongfully accessing a computer where the person
  • Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA. I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it.” Ok – best of luck to you (and your clients!)!
  • What would your advice, as a lawyer, be in this situation?
  • Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!) The CFAA is what is most commonly used to deal with misuse of computers.
  • Presentation slides – available at www.brittontuma.com. This was taken from an article coming out in Fall 2011 in the University of South Carolina Law Review – the article will also be available once it is published.
  • Transcript

    • 1. THE EVOLVING COMPUTER FRAUD AND ABUSE ACT
      • An Overview and Update of Recent Activity
      • Dallas Bar Association Computer Law Section
      • April 23, 2012
    • 2.
      • Civil Litigation Lawyers
      • Criminal Lawyers
      • Employment Lawyers
      • Family Lawyers
      • In-house Counsel
      • Business & Transactional Lawyers
      • Technology & Privacy Lawyers
      • www.brittontuma.com
    • 3.
      • History and Original Purpose of CFAA
      • Why?
      • What Does the CFAA Prohibit?
      • Examples of Most Common CFAA Violations
      • Most Controversial Issues Under CFAA
      • Recent CFAA Developments
    • 4. BRIEF HISTORY OF THE CFAA
    • 7. Comprehensive Crime Control Act of 1984
      • Criminal statute
      • Wire & mail fraud
      • Response to movie War Games
    • 8. Computer Fraud and Abuse Act of 1986
      • Hacking of “Government interest” computers
      • Criminal only
      • 3 major amendments (9 total)
      • Added private cause of action in ’94
      • 2008 most recent
    • 9. Why is the Computer Fraud and Abuse Act important?
      • Primary Law for Misuse of Computers
      • Computers …
    • 10. “Everything has a computer in it nowadays.” -Steve Jobs
    • 11. WHAT IS A COMPUTER?
    • 12. The CFAA says
      • has a processor or stores data
      • “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
      • “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
    • 13. The Fourth Circuit says
      • “If a device is ‘an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion.” -United States v. Kramer
    • 14. What about
    • 15. The Fourth Circuit says
      • “’Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of “computer.”’
      • “’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” -United States v. Kramer
    • 16. The CFAA applies only to “protected” computers
      • This may limit the problem of applying it to alarm clocks, toasters, and coffee makers
      • Protected = connected to the Internet
      • Any situations where these devices are connected?
    • 17.
      • TI-99
        • 3.3 MHz Processor
        • 16 KB of RAM
      • Leap Frog Leapster
        • 96 MHz Processor
        • 128 MB of RAM
      • iPhone 4
        • 800 MHz Processor
        • 512 MB of RAM
    • 18.
      • 66 MHz = fastest desktop in 80s
      • 96 MHz = child’s toy today
      • 250 MHz = fastest super computer in 80s
      • 800 MHz = standard telephone today
    • 19. WHAT DOES THE CFAA PROHIBIT?
    • 20. CFAA prohibits the access of a protected computer that is
      • Without authorization, or
      • Exceeds authorized access
    • 21. Where the person accessing
      • Obtains information
      • Commits a fraud
      • Obtains something of value
      • Transmits damaging information
      • Causes damage
      • Traffics in passwords
      • Commits extortion
    • 22. “I am the wisest man alive, for I know one thing, and that is that I know nothing.” -Socrates
      • Overly simplistic list
      • Very complex statute
      • Superficially it appears deceptively straightforward
      • Many pitfalls
    • 23. Two Most Problematic Issues
      • “Loss” Requirement
        • Confuses lawyers and judges alike
      • Unauthorized / Exceeding Authorized Access
        • Evolving jurisprudence
        • Interpreted by many Circuits
        • New conflict on April 10, 2012
    • 24. Limited civil remedy
      • Procedurally complex with many cross-references
      • “damage” ≠ “damages”
      • Must have $5,000 “loss”
      • Loss requirement is jurisdictional threshold
    • 25. What is a “loss”?
      • “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
      • Loss = cost (unless interruption of service)
    • 26. What can qualify as a “loss”?
      • Investigation and response costs
        • Forensics analysis and investigation
        • Diagnostic measures
        • Restoration of system
        • Bartered services for investigation / restoration
      • Value of employees’ time
      • Attorneys’ fees if leading investigation
    • 27. What is not a “loss”?
      • Lost revenue (unless interruption of service)
      • Value of trade secrets
      • Lost profits
      • Lost customers
      • Lost business opportunities
      • Privacy and Personally Identifiable Information
    • 28. Privacy and Personally Identifiable Information
      • iTracking
      • Hacking / data breach
      • Browser cookies
      • REMEMBER: Loss is only required for civil remedy – not criminal violation
    • 29. What would you advise?
      • Wrongful access of your client’s computer
      • Considering a CFAA claim
      • Your advice would be to ________?
    • 30. Remedies
      • Available
        • Economic damages
        • Loss damage
        • Injunctive relief
      • Not Available
        • Exemplary damages
        • Attorneys’ fees
    • 31. Elements of broadest CFAA Claim
      • 1. Intentionally access computer;
      • 2. Without authorization or exceeding authorized access;
      • 3. Obtained information from any protected computer; and
      • 4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    • 32. Procedural Points
      • 2 year limitations
      • Concurrent jurisdiction
      • No preemption
      • No Rule 9 heightened pleading
    • 33. WRONGFUL ACCESS
    • 34. General Access Principles
      • Access by informational / data use
      • ≠ technician
      • Must be knowing or intentional access
      • ≠ accidental access
    • 35. Two Types of Wrongful Access
      • “without authorization”
        • Outsiders
        • No rights
        • Not defined
        • Only requires intent to access, not harm
        • Hacker!
      • “exceeds authorized”
        • Insiders
        • Some rights
        • CFAA defines: access in a way not entitled
        • Necessarily requires limits of authorization
        • Employees, web users, etc.
    • 36. First step should be “which is it”?
      • Instead, confusion of the two
      • Lawyers plead both
      • Courts don’t usually indicate which – or care – go straight to the outcome
      • Case outcomes do not reflect Congressional framework
    • 37. “without authorization”
      • Clear when hacker
      • Question is whether “exceeds” morphs into “without”
      • Insider authorized for some computers
      • Insider authorized for some locations
      • Insider authorized for intended use
      • United States v. Morris
      • Unauthorized system and intended use
    • 38. When does authorization terminate?
      • As of April 10, 2012, there are (once again) three general lines of cases:
      • Trilogy of Access Theories
        • Agency Theory
        • Intended-Use Analysis
        • Access Means Access
    • 39. Agency Theory
      • Employee’s breach of duty of loyalty to his employer terminated his right to access the computer based on common law agency principles.
      • International Airport Centers, LLC v. Citrin (7th Cir. 2006)
        • Seventh Circuit
        • Earlier case
    • 40. Intended-Use Analysis
      • Authorization continues until terminated by the grantor but exceeding prior contractual access and use limitations exceeds authorized access.
      • United States v. Teague (8th Cir. 2011); United States v. Tolliver (3rd Cir. 2011); United States v. Rodriguez (11th Cir. 2010); United States v. John (5th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc. (1st Cir. 2001); United States v. Morris (2nd Cir. 1991)
        • Majority view (overly simplified)
        • Prior notice of limits is vital
        • Emphasizes need for contractual limits
    • 41. Access Means Access
      • Once authorization to access is granted, the authorization continues until expressly terminated by the grantor, regardless of how it is used.
      • United States v. Nosal (9th Cir. 2012); LVRC Holdings LLC v. Brekka (9th Cir. 2009)
        • Ninth Circuit + trending with district courts
        • April 28, 2011: moved away in Nosal I
        • April 10, 2012: moved back in Nosal II
    • 42. Ways to establish limits for Intended-Use
      • Contractual
        • Policies: computer use, employment & manuals
        • Website Terms of Service
      • Technological
        • Login and access restrictions
        • System warnings
      • Training and other evidence of notification
      • Notices of intent to use CFAA
    • 43. Contractual limits should
      • Clearly notify of limits
      • Limit authorization to access information
      • Limit use of information accessed
      • Terminate access rights upon violation
      • Indicate intent to enforce by CFAA
      • Goal: limit or terminate authorization
    • 44. The following examples are situations that may constitute a wrongful access under the CFAA
      • I say “may” because …
        • We’re talking about law!
        • Evolving jurisprudence
        • Access limits are huge factor
        • Facts can vary greatly
    • 45. Employment Situations
      • Most common scenario is employment
        • Employee accesses and takes customer account information
        • Employee accesses and takes or emails confidential information to competitor
        • Employee improperly deletes data and email
        • Employee deletes browser history
        • Employee accessing their Facebook, Gmail, Chase accounts at work
    • 46. Family Law Situations
      • Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT!
        • Estranged spouse in Arkansas did after separation
        • NTTA account?
        • Bank account?
        • Cancelling services via online accounts?
    • 47. Sharing Website Logins
      • Have you ever borrowed or shared website login credentials and passwords? DON’T ANSWER THAT!
        • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
        • The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service
    • 48. Misuse of Websites
      • Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT!
        • Myspace Mom case
        • Fake login to disrupt legitimate website sales
        • Accessing website to gain competitive information when prohibited by TOS
        • Creating fake Facebook to research opposing parties
    • 49. Hacking & Private Information
      • Hacking was original purpose for CFAA
        • Hacking and obtaining private information
        • Tracking individuals through geo-tagging
        • Website collection of private information
        • All fit within the prohibitions of the CFAA
        • Loss is the problem, from a civil standpoint
    • 50. Employee Social Media Passwords
      • How about asking an employee or prospective employee for the login and password to their Facebook account?
        • Is this unauthorized access?
        • Coerced?
        • Facebook’s terms of service prohibit sharing of password with anyone else, or anything else that may jeopardize the security of the account
        • The CFAA prohibits aiding and abetting!
        • In the 5th, 1st, 2nd, 3rd, 8th, and 11th Circuits this could be a problem
    • 51. What about …
      • Hacking a car?
      • Hacking a person?
      • What else?
    • 52. “ACCESS” & THE NEW (OLD) CIRCUIT SPLIT
    • 53. Three Main Cases
      • United States v. John (5th Cir. 2010)
      • United States v. Rodriguez (11th Cir. 2010)
      • United States v. Nosal (9th Cir. 2012)
      • And Two Minor Ones
        • United States v. Tolliver (3rd Cir. 2011)
        • United States v. Teague (8th Cir. 2011)
    • 54. United States v. John (5th Cir. 2010)
      • Intended-Use Analysis / “exceeding authorized access” case
      • Citigroup had policies that clearly prohibited the unlawful use of information obtained from computer system
      • Employee used her access to customer accounts to obtain information to give to others to commit fraud
      • Rule: access to a computer may be exceeded if the purposes for which access have been given are exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements.
      • Rodriguez: similar but obtained info to be a creeper to women
    • 55. Recent Intended-Use Cases
      • United States v. Tolliver (3rd Cir. 2011)
        • Exceeded authorized access case
        • Bank employee looking up customer account information to aid and abet a fraud scheme – the bank’s policies prohibited looking up info without a business purpose
      • United States v. Teague (8th Cir. 2011)
        • Exceeding authorized access case
        • Employee of contractor for Dept. of Education with privileged access to National Student Loan Data System used that access to look up Barack Obama’s records
    • 56. United States v. Nosal (9th Cir. 2012)
      • Access Means Access / “exceeding authorized access” case
      • Company had a policy that restricted use and disclosure of information to legitimate company business
      • Former employee encouraged others still there to steal trade secret info for them to use in starting competing business (charged with aiding and abetting)
      • Rule: “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.”
    • 57. United States v. Nosal (9th Cir. 2012)
      • Why? Nosal had clear unequivocal notice that what he was doing was wrong and prohibited by the policies and he was not entitled to obtain that information for that purpose
      • Court found the language “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” to be ambiguous
      • Reverted to Rule of Lenity
      • Looked to all the fears of hypothetical potential crimes
    • 58. John v. Nosal Split – What Can We Do?
      • John will prohibit misuse of information accessed or obtained
      • Nosal will only prohibit an unauthorized access
      • Conditional Authorization?
        • In addition to having “John Policies” that prohibit misuse of the information obtained,
        • Provision that makes authorization to access the computer conditional on that access being for proper purposes and not for improper purposes, and retroactively revoking that authorization if for an improper purpose
      • Supreme Court?
    • 59. Pulte Homes, Inc. v. Laborers’ International Union of North America (6th Cir. 2011)
      • An “intentional transmission” case – not unauthorized access
      • After Pulte fired a union employee the union orchestrated a barrage of emails, telephone calls, and faxes that were so voluminous that it shut down Pulte’s computer system and telephones, interfering with its business
      • Violated § 1030(a)(5)(A): “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.”
      • Think about the implications: emails, calls, faxes?
    • 60. PROPOSED AMENDMENTS
    • 61. Hacking, Data Breach & Privacy
      • Hacking = biggest news event of 2011
      • 46 States: Breach Notification Laws
      • Administration & Congress want to act
      • Employers asking for social media logins
      • Vehicle of choice is to amend the CFAA – but has lost a lot of steam since 2011
    • 62. Unauthorized Access Amendment
      • Proposed Amendment in Senate last Fall
      • Resolve disagreements about Unauthorized Access
      • Felony-level unauthorized access can’t be solely premised on violation of a contractual obligation or agreement
      • This proposal would narrow the CFAA
    • 63.
      • Why? Remember what Jobs said
      • CFAA is very broad and covers all kinds of computer misuse (sometimes)
      • CFAA is complex with lots of pitfalls
      • Proposed Amendments to broaden and tighten the CFAA
      • Courts’ interpretation of the CFAA is changing all the time – you must stay updated!