The Legal Aspects of Cyberspace


Published in: Business
  • Impressive presentation of 'The Legal Aspects of Cyberspace'. You've shown your credibility on presentation with this slideshow. This one deserves a thumbs up. I'm John, owner of www.freeringtones.ws/ . Hope to see more quality slides from you.

    Best wishes.
  • Hey there, could you please mail this across to me? It will really help me for my function. Thank you very much.
    Anisa
    http://financejedi.com http://healthjedi.com

  1. The Legal Aspects of Cyberspace
     Presented by: William Cook, Wildman Harrold Allen & Dixon
     InfraGard Super Conference, May 15, 2003
  2. Bill Cook
     • V-P, Chicago InfraGard
     • Former Head of US DOJ Computer Crime Task Force; Counter-Espionage Coordinator and Counter-Terrorist Coordinator; DOJ FEMA Coordinator (Chicago)
     • Professor of Internet & Web law at U. of Illinois and Supercomputer Center
     • Lecturer at Purdue, John Marshall, Harvard, Yale & ITT
     • Partner, Wildman Harrold
     • 90 trials
     • Intellectual property, Internet & Web law
     • Panel Counsel, AIG
     • NRC & NSF Committee on Critical Infrastructure Protection and the Law
     • Member of Ill. A.G. E-Commerce Commission
  3. Cyber Investigations
  4. February 7, 2003
     • NASA servers hacked hours after Columbia was lost
     • 19 charged in identity theft that netted $7 million in tax refunds
     • Alleged student hacker indicted in Massachusetts
     • Names of AIDS, STD sufferers found on state surplus PC
     • Korean group may sue Microsoft over Slammer virus
     • NetEase sued for copyright infringement
     • Feds pull suspicious .gov site
     • Suspects arrested for TK worm; up to £5.5 million in damages
     • Lawsuit filed over missing confidential information from Canadian data management company
  5. January 31, 2003
     • Slammer worm hobbles Internet; hits Continental Airlines, Bank of America
     • Hacker steals personal information on 1,450 University of Kansas students
     • Denial of service attack forces DALnet to shut down
     • Hacker insurance market boosted by cyberattacks
     • eBay sued for alleged online slander
     • Easyinternet cafe guilty of copyright infringement
     • Personal data pirated from Russian phone files
     • Music industry site hacked again
     • FAA warns: more attacks coming
  6. Institutional intrusion response based on
     • Damage done
     • Exposure created
     • minus
     • Perceived PR exposure
  7. Institutional response based on
     • Damages from
       • Lost IP
       • Lost private information
       • Fraud on the e-commerce site
       • System shut down
     • Compliance with regulations
     • Concern about litigation
  8. Lost intellectual property
  9. Loss of intellectual property: Disgruntled employees
     • 85 to 90% of all computer incidents are caused by insiders
       • employees
       • consultants
       • business partners
     • Most difficult to detect
     • Most expensive to correct
     • Highly vulnerable to weak institution policies
  10. [Diagram] Industrial espionage: a consultant or former employee reaches the victim computer through Web-based access. Applicable law: CFAA, trade secret (T/S) laws & trespass
  11. Near North v. Cheley
     • Currently pending
     • Former employees that established Website intranet security for company
     • Periodic remote access
     • Major access through Web intranet
     • $645,000 to resecure network
     • Third party employer issues
       • negligent hiring
       • negligent supervision
       • negligent retention
     Applicable law: CFAA, UASC, fiduciary duties & trespass
  15. Poor security dooms proprietary claim: Weigh Systems v. Scales, 3/7/02
     • Former employer sues competing former employee for trade secret theft
     • Took customer lists, vendor lists, pricing information, software, marketing info
     • Ruling for former employee
       • Info on Internet
       • No confidentiality agreements
       • Passwords sometimes
       • Hardcopies of protected data available
       • Default passwords
       • Passwords shared with customers
  16. Ford Motor Co. v. Lane, Mich. Fed. Ct. 1999: Information theft as “free speech”
     • Old rule: thief and accomplice not immunized under 1st Amendment
     • New concern: Trade secrets from employee’s hostile Website
     • Proprietary markings
     • Extortion attempt
     • Prior restraint precludes stopping Website disclosure
     • First Amendment over trade secrets
     • Court crafts unrecorded copyright remedy
  17. [Diagram] Copyrights: a scraper / robot search reaches the victim Website through a trusted third-party network system. Applicable law: CFAA, UASC, copyright & trespass
  18. Lost private information
  20. Compromise of private information: BIA Indian trust fund case, 12/5/2001 to date
     • Website & Internet shutdown due to inadequate security
     • Failure to comply with federal security regulations
     • Privacy of records threatened (but not realized)
     • Court ordered penetration tests
     • Contempt of Court proceedings
  21. Stollenwack v. TriWest (Ariz. D.C. 1/30/2003)
     • Federal class action lawsuit
     • 562,000 military personnel, retirees & family files stolen from defense contractor
     • Allege negligence, breach of contract and violation of Privacy Act
     • Damages not specific
  22. Clients of Merchant Law Group v. ISM Canada, Feb. 3, 2003
     • Class action lawsuit
     • Hard drive with 180,000 customer IDs lost by ISM Canada on January 16
     • Alleges violation of customer privacy and negligence in securing confidential information and notifying the public about the lost disk
     • The customers "have suffered significant loss and damages including personal injury and injury to their economic interests"
     • The Saskatchewan government is considering its own lawsuit against ISM
  23. Compromise e-commerce site
  24. Compromised e-commerce site
     • Fake Websites
       • ID theft
     • Fake online payment systems (PayPal)
     • TM violation
  25. Damage recovery
  26. Damage recovery
     • Loss of intellectual property
     • Investigation costs
     • Remediation costs
     • System updating
     • Costs of outside forensic consultant
     • Downtime related costs
       • Rental on unused network systems
       • Underemployed employees
     • Pecuniary damages, legal fees, court costs in certain cases (CFAA, UASC, Copyright)
  27. Damage: broader picture
     • Vendor & customer actual loss
     • Vendor & customer resulting loss (lost accounts)
     • Downstream damage on other systems
       • Resulting litigation
  28. System shutdown
  29. [Diagram] E-mail & spam attacks against the victim network: Hamidi. Applicable law: CFAA & trespass
  30. [Diagram] Smurf attack: the victim computer is hit through a trusted third-party network system. Applicable law: CFAA, trespass, contract claims & tort claims
  31. [Diagram] DDoS attack: hacker → masters → bots (zombies) → victim system; contract & tort liability here? February 2000 DoS attacks, estimated damages: $1.2B. Applicable law: CFAA, trespass, contract claims & tort claims
  32. Concern about regulations
  33. The National Strategy to Secure Cyberspace, February 2003
     • Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation’s critical infrastructure. Such evaluations might include: (1) conducting audits to ensure effectiveness and use of best practices; (2) developing continuity plans which consider offsite staff and equipment; and (3) participating in industry wide information sharing and best practices dissemination.
     Actions and Recommendations 3-4
  34. Concern about regulatory compliance
     • ECPA (1986)
     • CFAA (1986 & 1996)
     • EEA (1996)
     • HIPAA (1996)
     • PPA
     • COPPA (1999)
     • GLB (2000)
     • DMCA (2000)
     • FCRA
     • GPEA
     • E-SIGN (2000)
     • ADA
     • OCC 7/2001 & 5/2000
     • EU DPA (1998)
       • Commerce “Safe Harbor”
     • State privacy laws
     • Calif. Cyber-disclosure law (7/03)
  35. Concern about litigation
  36. Not responding to changing threat: Apex Global v. Cyberpromotions
     • AGIS contracted to be ISP for CyberPromotions
     • Knew Cyber was a spammer
     • Cyber adds T-1 lines to handle traffic
     • 30 day termination provision
     • 9/26/97 massive “ping” attack
     • AGIS terminates Cyber immediately
     • Court ruling
  37. The need for security standards
     • Times and appropriate security change
     • AGIS only attempted to use a screening program and removed Cyber
     • AGIS did not hire a security expert or attempt to install a router
     • Other ISPs were able to mitigate retaliatory attacks by pingers; why not you?
     • Cyberpromotions v. Apex Global Information Services
  38. Information Security Legal Audit
     • Objective & subjective risk assessment
     • Compliance evaluation
       • ID regulations and relevant case law
       • IP property protection
       • Record retention
       • Privacy requirements
       • Investigations including e-mail monitoring
       • Cryptographic controls
       • Collection of evidence
  39. Information Security Legal Audit, cont’d
     • Third party access controls and contracts
     • Outsourcing contracts, including Website hosting, design, maintenance and electronic commerce requirements
     • Licensing agreements
  40. Planning: proactive
  41. Planning best practices 1
     • Create a comprehensive set of security policies.
     • Take a security inventory.
       • determine what you need to protect based on its worth to your organization
       • what you need to protect it against
     • Build an enforcement history
     • Separate internal systems and networks by business function and secure each from the others
     • Maintain a vigilant watch over threats, attack profiles, and countermeasures
  42. Planning best practices 2
     • Monitor all perimeter and critical business systems for attacks and security anomalies.
     • Trust but verify; conduct periodic independent security reviews of key vendors, customers, and part-time employee security standards.
     • Court provable:
       • Network control policy
       • E-mail control & monitoring policy
       • Hiring, supervising & discharge policies
       • Privacy protection standards
       • Regulatory compliance
  43. Planning best practices 3
     • Counter the insider threat
       • access controls
       • segregation of duties
       • effective policy enforcement
     • Consider Website practices re:
       • Contracts for content and security (privacy)
       • Reviewing posted materials
       • Ensure that privacy statements follow practices
       • Don’t overstate privacy
     • Determine what you will do with an “event”
       • Prepare to recover damages and losses
  44. Planning: incident response
  45. Best practices after it happens
     • Meet with incident response team
     • Identify the problem(s) specifically
       • Inside or outside issue
       • ID the system
     • Determine if still underway or if vulnerability still exists
     • Formulate an investigative plan
       • preserve evidence, harvest data, analyze data, strategic searches, disk imaging & forensics
     • Consider the need for outside help
     • Consider the benefits of Attorney-Client protection
     • Identify elements of proof required
     • Get “buy in” from highest level
  46. Best practices after it happens
     • Preserve current evidence
       • Determine applicable company policies
       • Log files and audit trails
       • Interview critical personnel
       • Encrypted internal investigation
       • Chat rooms & BBS
       • Court ordered disclosures
     • Proactive
       • Determine & narrow investigative focus
       • Keystroke monitoring
       • Continue & monitor vulnerability
       • Honey pot
       • Assumed name e-mail to violator
  47. Best practices if an insider
     • Define privacy expectations
     • Obtain passwords
     • Decrypt files
     • When to interview
     • Locate chat rooms & BBS
     • Obtain laptop
     • Obtain “office computer” at home
     • Work fast, work very very fast
  48. Prepare to defend yourself
     • Know the scope of computer forensics
       • corporate systems
       • private e-mail content on network
       • private e-mail content on system files
     • Counter-claim lawsuits by employees and former employees for illegal monitoring
     • Proof of “reasonable grounds” at each step
     • Penetration testing or not
     • Data sharing with other companies versus anti-trust guidelines
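One way to make the "preserve current evidence" step and the "proof of reasonable grounds at each step" documentation from the slides above verifiable later, as an added Python example that is not part of the presentation: a hash-chained evidence manifest recording each artefact's SHA-256, collector, time and grounds. The log lines, file names and "IR team" collector are constructed for the example.

```python
"""Tamper-evident evidence manifest (added example, not from the presentation).
Each preserved artefact is hashed with SHA-256 at collection time and recorded
with who collected it, when, and on what grounds; entries are hash-chained so a
later change to any file or manifest entry shows up when the record is verified.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first entry


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _link(prev_chain, body):
    """Chain value = SHA-256(previous chain value || canonical JSON of the entry)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_chain + canonical).encode()).hexdigest()


def add_evidence(manifest, path, collector, grounds, when=None):
    """Append one artefact to the manifest and return the new entry."""
    body = {
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "collected_by": collector,
        "collected_at": when or datetime.now(timezone.utc).isoformat(),
        "grounds": grounds,  # the "reasonable grounds" for this step
    }
    prev = manifest[-1]["chain"] if manifest else GENESIS
    entry = dict(body, chain=_link(prev, body))
    manifest.append(entry)
    return entry


def verify_manifest(manifest, check_files=True):
    """Return a list of problems; an empty list means chain and files are intact."""
    # Record the final chain value out of band at collection time: a chain on
    # its own cannot detect wholesale replacement of the whole manifest.
    problems = []
    prev = GENESIS
    for i, e in enumerate(manifest):
        body = {k: v for k, v in e.items() if k != "chain"}
        if _link(prev, body) != e["chain"]:
            problems.append(f"entry {i}: chain hash mismatch (manifest altered)")
        prev = e["chain"]
        if check_files:
            if not os.path.exists(e["path"]):
                problems.append(f"entry {i}: {e['path']} missing")
            elif sha256_file(e["path"]) != e["sha256"]:
                problems.append(f"entry {i}: {e['path']} changed since collection")
    return problems


def demo():
    """Constructed scenario: preserve two logs, then alter a file and an entry."""
    d = tempfile.mkdtemp()
    auth, web = os.path.join(d, "auth.log"), os.path.join(d, "access.log")
    with open(auth, "w") as f:  # constructed sample lines, not real logs
        f.write("Feb  7 02:14:11 srv sshd[812]: Accepted password for jdoe from 10.0.5.23\n")
    with open(web, "w") as f:
        f.write('10.0.5.23 - - [07/Feb/2003:02:15:02] "GET /intranet/customers.csv" 200\n')
    manifest = []
    add_evidence(manifest, auth, "IR team", "after-hours login reported by sysop")
    add_evidence(manifest, web, "IR team", "same address pulled the customer list")
    clean = verify_manifest(manifest)
    with open(web, "a") as f:  # evidence file altered after collection
        f.write("tampered\n")
    after_file_edit = verify_manifest(manifest)
    manifest[0]["grounds"] = "rewritten later"  # documentation altered after the fact
    after_entry_edit = verify_manifest(manifest, check_files=False)
    return clean, after_file_edit, after_entry_edit
```

Calling demo() returns an empty problem list for the untouched evidence, one "changed since collection" finding once the log is appended to, and one "chain hash mismatch" finding once a manifest entry is edited.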
  49. What do you do with the initial investigation?
     • Three avenues
       • Eat the loss
       • Criminal referral
       • Civil litigation
  50. Self examination before decision
     • Due diligence standard of security met
     • Appropriate network, NDA and employee agreements and policies in place
     • Clean skirts
     • Website disclosures
     • Examine Website access
     • Examine company initiatives
     • Privacy rules complications
  51. Criminal referral: good news
     • Savings on civil litigation costs
     • Sends a message
     • Potential search warrant: immediate seizure
     • Wiretap/datatap
     • Law enforcement investigation
     • Grand jury subpoena
     • Trial subpoena
     • Professional investigators: FBI, USSS or local law enforcement
  52. Criminal referral: bad news
     • May request “open system” (honey pot)
     • Law enforcement backlog
     • Prosecutor’s backlog
     • Employee downtime
     • Loss of control
     • No “no publicity” guarantee
     • Complexity adds time
     • Prosecution inclination to add victims if an outside attack
     • Declination due to available civil remedy
  53. Civil litigation: good news
     • Immediate action
       • TRO
       • Injunction
       • Recovery of property
     • Control retained
     • Recovery of property through injunction
     • Attorney-Client privilege covers inquiry
     • Sophisticated forensic services for hire
     • Real time response
  54. Civil litigation: bad news
     • Attorney’s fees billed hourly or with flat rate
     • Discovery tedious
  55. Contact information
     • William J. Cook
     • Freeborn & Peters, Suite 3000
     • 311 S. Wacker Dr.
     • Chicago, Il. 60601
     • 312-360-6340
     • 312-360-6575
     • [email_address]
  56. What do you do with the investigation?
     • Three avenues
       • Eat the loss (90% found breaches, 34% reported to FBI)
       • Criminal referral
       • Civil litigation
  57. Conducting the investigation
     • Meet with incident response team
     • Identify the problem(s) specifically
       • Inside or outside issue
     • Determine if still underway or if vulnerability still exists
     • Formulate an investigative plan
     • Consider the need for outside help
     • Consider the benefits of Attorney-Client protection
     • Get “buy in” from highest level
  58. Formulate investigative plan
     • Preserve current evidence
       • Log files and audit trails
       • Interview critical personnel
     • Proactive
       • Determine & narrow investigative focus
       • Keystroke monitoring
       • Continue and monitor vulnerability
       • Honey pot
       • Assumed name e-mail to violator
     • Prepare to defend yourself & your actions
  59. If an insider
     • Begin documenting investigation
     • Determine company policies that apply
     • Determine applicable state law
     • Determine privacy expectation / search office space
     • Monitor outgoing and incoming e-mail
     • Look for ftp transmissions
     • Keystroke monitoring
  60. If an insider
     • Obtain passwords
     • Decrypt files
     • When to interview
     • Locate chat rooms & BBS
     • Obtain laptop
     • Obtain “office computer” at home
  61. How do you decide what to do with investigation?
     • Damage done*
     • Potential loss of business relationships*
     • Potential for embarrassment
     • Nature of offender
       • Insider
       • Competitor
       • Hacker
     • Potential for repeated attacks
     • Strength of case
     • Lack of defenses
  62. How do you decide?
     • Downstream liability / 3rd party liability
       • DDOS
       • Virus
       • Loss of 3rd parties’ software or licensed info
       • EEA exposure created by employee
     • Dirty skirts
     • Statutory reporting requirements
     • O & D Liability issues
     • Public relations problem
     • Good corporate citizen
  63. Definition of “damage or loss” will depend on nature of violation
     • CFAA
     • ECPA
     • EEA / trade secret theft
     • RICO
     • Access device fraud
     • Copyright infringement
     • TM infringement
     • Defamation
     • Statutory violation
  64. e-Compliance (Alphabet Soup)
     • ECPA (1986)
     • CFAA (1986 & 1996)
     • EEA (1996)
     • HIPAA (1996)
     • PPA
     • COPPA (1999)
     • GLB (2000)
       • FTC
       • OCC
       • SEC
     • DMCA (2000)
     • CDA (1998)
     • FCRA
     • EU DPA (1998)
     • Commerce “Safe Harbor” (1999)
     • GPEA
     • E-SIGN (2000)
     • ADA
     • OCC 7/2001
  65. Damage & Loss Calculations
  66. Damage done “or loss suffered”: CFAA
     • Looking for $5,000 total
     • Downstream damage done (exposure created)
     • Cost of consultant and legal fees
     • Loss from Sysop time changing passwords
     • Loss from employee time reading unsolicited e-mail
     • Marketing expenses to recover reputation
  67. Damage done “or loss suffered”: EEA &/or State Trade Secret claims
     • Research & development value of T/S
     • Book value of information
     • License value of T/S
     • Value to competitor
     • Broader impact on company (bet the farm technology?)
  69. Absence of a security standard: Apex v. Cyberpromotions
     • AGIS contracted to be ISP for CyberPromotions
     • 9/26/97 massive “ping” attack
     • AGIS terminates Cyber immediately
     • Court sets standard; determines
       • Times and appropriate security change
       • Other ISPs were able to intercept pingers
       • Why not you?
     • Competitors as witnesses
  70. What do you do with the investigation?
     • Three avenues
       • Eat the loss
       • Criminal referral
       • Civil litigation
  73. Civil litigation
  74. Civil litigation: good news
     • Immediate action
       • TRO
       • Injunction
       • Recovery of property
     • Control retained
     • Recovery of property through injunction
     • Attorney-Client privilege covers inquiry
     • Sophisticated investigative services
     • Real time response
  75. Civil litigation: bad news
     • Attorney’s fees billed hourly or with flat rate
     • Consultant fees
     • Discovery tedious
     • Option to stop
  77. Website practices & the CFAA
     • Prohibits unauthorized access of a computer, either by someone acting knowingly, or by exceeding authorized access that was already granted
  78. The new CFAA, linking practices & trespass to Websites: risk of loss and e-commerce liability exposures
     • Trespass by deep linking to Website: Ticketmaster
     • Trespass by degrading use of another’s Website: eBay
     • Trespass via e-mail: CompuServe (spam) & Hamidi (incoming e-mail to employees)
  79. Hiring & firing
     • New hires & their former company’s information
       • EEA
     • Chat rooms
     • Employee only Websites
     • Discharged employees
  80. The insider
     • Old rule: thief and accomplice not immunized under 1st Amendment
     • New concern: Trade secrets from employee’s hostile Website
     • Proprietary markings
     • Extortion attempt
     • Prior restraint precludes stopping Website disclosure
     • First Amendment over trade secrets
     • Court crafts unrecorded copyright remedy
     • Ford Motor Co. v. Lane, Mich. Fed. Ct. 1999
  81. Internal investigator liability
     • Counter-claim lawsuits by employees and former employees for illegal monitoring
     • Proof of “reasonable grounds” at each step
     • Penetration testing or not
     • Data sharing with other companies versus anti-trust guidelines
  82. Cyber Security & Liability Practice
     • Cyber liability risk exposure evaluated based upon security standard ISO/IEC 17799, including regulatory and privacy compliance
     • Incident response counseling
     • Internal investigations
     • HR policy evaluations
     • E-commerce & Website liability exposure
     • Civil litigation
     • Law enforcement presentation
  83. Contact information
     • William J. Cook
     • Wildman Harrold Allen & Dixon
     • 225 W. Wacker Dr.
     • Chicago, Il. 60606-1229
     • 312-201-2399
     • 312-360-2555 F
     • [email_address]
