Successfully reported this slideshow.
Computer Fraud andAbuse Act<br />A Lunch Sampler With A Little Something For Everyone<br />Dallas Bar Association<br />Com...
2<br />Wouldn’t be the first time<br />
3<br />Enjoy!<br />
4<br />Something for every practice<br /><ul><li>Civil Litigation Lawyers
Criminal Lawyers
Employment Lawyers
Family Lawyers
In-house Counsel
Business & Transactional Lawyers
Technology & Privacy Lawyers</li></ul>www.shawnetuma.com<br />
5<br />Topics to be covered<br /><ul><li>History and Original Purpose of CFAA
Why?
What Does the CFAA Prohibit?
Most Controversial Issues Under CFAA
Examples of Most Common CFAA Violations
Proposed Amendments to the CFAA</li></ul>www.shawnetuma.com<br />
6<br />Brief history of the cfaa<br />www.shawnetuma.com<br />
7<br />History of CFAA<br />www.shawnetuma.com<br />
8<br />History of CFAA<br />www.shawnetuma.com<br />
9<br />History of CFAA<br />Comprehensive Crime Control Act of 1984<br /><ul><li>Criminal statute
Wire & mail  fraud
Response to movie War Games</li></ul>www.shawnetuma.com<br />
10<br />History of CFAA<br />Computer Fraud and Abuse Act of 1986<br /><ul><li>Hacking of “Government interest” computers
Criminal only
3 major amendments (9 total)
Added private cause of action in ’94
2008 most recent</li></ul>www.shawnetuma.com<br />
11<br />Why?<br />Why is the Computer Fraud and Abuse Act important?<br /><ul><li>Primary Law for Misuse of Computers
Computers … </li></ul>www.shawnetuma.com<br />
12<br />Steve Jobs says …<br />Do you know who Steve Jobs is?<br />Do you know what Steve Jobs recently said?<br />“Everyt...
13<br />What is a Computer?<br />www.shawnetuma.com<br />
14<br />What is a computer?<br />The CFAA says<br />“the term ‘computer’ means an electronic, magnetic, optical, electroch...
15<br />What is a computer?<br />The Fourth Circuit says<br />“If a device is ‘an electronic … or other high speed data pr...
16<br />What is a computer?<br />What about<br />www.shawnetuma.com<br />
17<br />Anything with a microchip<br />The Fourth Circuit says<br />“’Just think of the common household items that includ...
18<br />What is a “protected” computer?<br />The CFAA applies only to “protected” computers<br />This may limit the proble...
19<br />Perspective<br /><ul><li>TI-99
3.3 MHz Processor
16 KB of RAM
Leap Frog Leapster
96 MHz Processor
128 MB of RAM
iPhone 4
800 MHz Processer
512 MB of RAM</li></ul>www.shawnetuma.com<br />
20<br />Perspective<br />66 MHz = fastest desktop in 80s<br />96 MHz = child’s toy today<br />250 MHz = fastest super comp...
21<br />What does the cfaa prohibit?<br />www.shawnetuma.com<br />
22<br />Statutory Language<br />CFAA prohibits the access of a protected computer that is<br /><ul><li>Without authorizati...
Exceeds authorized access</li></ul>www.shawnetuma.com<br />
23<br />Statutory Language<br />Where the person accessing<br /><ul><li>Obtains information
Commits a fraud
Obtains something of value
Transmits damaging information
Causes damage
Traffics in passwords
Commits extortion</li></ul>www.shawnetuma.com<br />
24<br />Very Complex Statute<br />“I am the wisest man alive, for I know one thing, and that is that I know nothing.”<br /...
Very complex statute
Superficially it appears deceptively straightforward
Many pitfalls</li></ul>www.shawnetuma.com<br />
Upcoming SlideShare
Loading in …5
×

Computer Fraud and Abuse Act CLE - Dallas Bar Ass'n (8.22.11)

12,144 views

Published on

The slides are from a Continuing Legal Education seminar entitled "Computer Fraud and Abuse Act: A Lunch Sampler With A Little Something for Everyone"

I presented to the Dallas Bar Association on August 22, 2011.

If you have any questions please feel free to contact me at www.shawnetuma.com

Published in: Technology
  • Be the first to comment

Computer Fraud and Abuse Act CLE - Dallas Bar Ass'n (8.22.11)

  1. 1. Computer Fraud andAbuse Act<br />A Lunch Sampler With A Little Something For Everyone<br />Dallas Bar Association<br />Computer Law Section<br />August 22, 2011<br />Shawn E. Tuma<br />www.shawnetuma.com<br />
  2. 2. 2<br />Wouldn’t be the first time<br />
  3. 3. 3<br />Enjoy!<br />
  4. 4. 4<br />Something for every practice<br /><ul><li>Civil Litigation Lawyers
  5. 5. Criminal Lawyers
  6. 6. Employment Lawyers
  7. 7. Family Lawyers
  8. 8. In-house Counsel
  9. 9. Business & Transactional Lawyers
  10. 10. Technology & Privacy Lawyers</li></ul>www.shawnetuma.com<br />
  11. 11. 5<br />Topics to be covered<br /><ul><li>History and Original Purpose of CFAA
  12. 12. Why?
  13. 13. What Does the CFAA Prohibit?
  14. 14. Most Controversial Issues Under CFAA
  15. 15. Examples of Most Common CFAA Violations
  16. 16. Proposed Amendments to the CFAA</li></ul>www.shawnetuma.com<br />
  17. 17. 6<br />Brief history of the cfaa<br />www.shawnetuma.com<br />
  18. 18. 7<br />History of CFAA<br />www.shawnetuma.com<br />
  19. 19. 8<br />History of CFAA<br />www.shawnetuma.com<br />
  20. 20. 9<br />History of CFAA<br />Comprehensive Crime Control Act of 1984<br /><ul><li>Criminal statute
  21. 21. Wire & mail fraud
  22. 22. Response to movie War Games</li></ul>www.shawnetuma.com<br />
  23. 23. 10<br />History of CFAA<br />Computer Fraud and Abuse Act of 1986<br /><ul><li>Hacking of “Government interest” computers
  24. 24. Criminal only
  25. 25. 3 major amendments (9 total)
  26. 26. Added private cause of action in ’94
  27. 27. 2008 most recent</li></ul>www.shawnetuma.com<br />
  28. 28. 11<br />Why?<br />Why is the Computer Fraud and Abuse Act important?<br /><ul><li>Primary Law for Misuse of Computers
  29. 29. Computers … </li></ul>www.shawnetuma.com<br />
  30. 30. 12<br />Steve Jobs says …<br />Do you know who Steve Jobs is?<br />Do you know what Steve Jobs recently said?<br />“Everything has a computer in it nowadays.” <br />www.shawnetuma.com<br />
  31. 31. 13<br />What is a Computer?<br />www.shawnetuma.com<br />
  32. 32. 14<br />What is a computer?<br />The CFAA says<br />“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”<br />“such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”<br />www.shawnetuma.com<br />
  33. 33. 15<br />What is a computer?<br />The Fourth Circuit says<br />“If a device is ‘an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer. This definition captures any device that makes use of an electronic data processor, examples of which are legion.”<br />-United States v. Kramer<br />www.shawnetuma.com<br />
  34. 34. 16<br />What is a computer?<br />What about<br />www.shawnetuma.com<br />
  35. 35. 17<br />Anything with a microchip<br />The Fourth Circuit says<br />“’Just think of the common household items that include microchips and electronic storage devices, and thus will satisfy the statutory definition of “computer.”’<br />“’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”<br />-United States v. Kramer<br />www.shawnetuma.com<br />
  36. 36. 18<br />What is a “protected” computer?<br />The CFAA applies only to “protected” computers<br />This may limit the problem of applying it to alarm clocks, toasters, and coffee makers<br />Protected = connected to the Internet<br />Any situations where these devices are connected?<br />www.shawnetuma.com<br />
  37. 37. 19<br />Perspective<br /><ul><li>TI-99
  38. 38. 3.3 MHz Processor
  39. 39. 16 KB of RAM
  40. 40. Leap Frog Leapster
  41. 41. 96 MHz Processor
  42. 42. 128 MB of RAM
  43. 43. iPhone 4
  44. 44. 800 MHz Processer
  45. 45. 512 MB of RAM</li></ul>www.shawnetuma.com<br />
  46. 46. 20<br />Perspective<br />66 MHz = fastest desktop in 80s<br />96 MHz = child’s toy today<br />250 MHz = fastest super computer in 80s<br />800 MHz = standard telephone today<br />www.shawnetuma.com<br />
  47. 47. 21<br />What does the cfaa prohibit?<br />www.shawnetuma.com<br />
  48. 48. 22<br />Statutory Language<br />CFAA prohibits the access of a protected computer that is<br /><ul><li>Without authorization, or
  49. 49. Exceeds authorized access</li></ul>www.shawnetuma.com<br />
  50. 50. 23<br />Statutory Language<br />Where the person accessing<br /><ul><li>Obtains information
  51. 51. Commits a fraud
  52. 52. Obtains something of value
  53. 53. Transmits damaging information
  54. 54. Causes damage
  55. 55. Traffics in passwords
  56. 56. Commits extortion</li></ul>www.shawnetuma.com<br />
  57. 57. 24<br />Very Complex Statute<br />“I am the wisest man alive, for I know one thing, and that is that I know nothing.”<br />-Socrates<br /><ul><li>Overly simplistic list
  58. 58. Very complex statute
  59. 59. Superficially it appears deceptively straightforward
  60. 60. Many pitfalls</li></ul>www.shawnetuma.com<br />
  61. 61. 25<br />Very Complex Statute<br />Two Most Problematic Issues<br /><ul><li>Unauthorized / Exceeding Authorized Access
  62. 62. Evolving jurisprudence
  63. 63. Interpreted by 5th, 7th, 9th and 11th Circuits
  64. 64. Still no unanimous approach
  65. 65. “Loss” Requirement
  66. 66. Confuses lawyers and judges alike</li></ul>www.shawnetuma.com<br />
  67. 67. 26<br />Civil Remedy<br />Limited civil remedy<br /><ul><li>Procedurally complex with many cross-references
  68. 68. “damage” ≠ “damages”
  69. 69. Must have $5,000 “loss”
  70. 70. Loss requirement is jurisdictional threshold</li></ul>www.shawnetuma.com<br />
  71. 71. 27<br />Civil Remedy<br />What is a “loss”?<br />“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”<br />Loss = cost (unless interruption of service)<br />www.shawnetuma.com<br />
  72. 72. 28<br />Civil Remedy<br />What can qualify as a “loss”?<br /><ul><li>Investigation and response costs
  73. 73. Forensics analysis and investigation
  74. 74. Diagnostic measures
  75. 75. Restoration of system
  76. 76. Bartered services for investigation / restoration
  77. 77. Value of employees’ time
  78. 78. Attorneys’ fees if leading investigation</li></ul>www.shawnetuma.com<br />
  79. 79. 29<br />Civil Remedy<br />What is not a “loss”?<br /><ul><li>Lost revenue (unless interruption of service)
  80. 80. Value of trade secrets
  81. 81. Lost profits
  82. 82. Lost customers
  83. 83. Lost business opportunities
  84. 84. Privacy and Personally Identifiable Information</li></ul>www.shawnetuma.com<br />
  85. 85. 30<br />Civil Remedy<br />Privacy and Personally Identifiable Information<br /><ul><li>iTracking
  86. 86. Hacking / data breach
  87. 87. Browser cookies</li></ul>REMEMBER: Loss is only required for civil remedy – not criminal violation<br />www.shawnetuma.com<br />
  88. 88. 31<br />Civil Remedy<br />What would you advise?<br /><ul><li>Wrongful access of your client’s computer
  89. 89. Considering a CFAA claim
  90. 90. Your advice would be to ________?</li></ul>www.shawnetuma.com<br />
  91. 91. 32<br />Civil Remedy<br />Remedies<br /><ul><li>Available
  92. 92. Economic damages
  93. 93. Loss damage
  94. 94. Injunctive relief
  95. 95. Not Available
  96. 96. Exemplary damages
  97. 97. Attorneys’ fees
  98. 98. Privacy and Personally Identifiable Information</li></ul>www.shawnetuma.com<br />
  99. 99. 33<br />Basic Elements<br />Elements of broadest CFAA Claim<br />Intentionally access computer;<br />Without authorization or exceeding authorized access;<br />Obtained information from any protected computer; and<br />Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.<br />www.shawnetuma.com<br />
  100. 100. 34<br />Civil Remedy<br />Procedural Points<br /><ul><li>2 year limitations
  101. 101. Concurrent jurisdiction
  102. 102. No preemption
  103. 103. Not Available
  104. 104. No Rule 9 heightened pleading</li></ul>www.shawnetuma.com<br />
  105. 105. 35<br />Wrongful Access<br />www.shawnetuma.com<br />
  106. 106. 36<br />Wrongful Access<br />General Access Principles<br /><ul><li>Access by informational / data use
  107. 107. ≠ technician
  108. 108. Must be knowing or intentional access
  109. 109. ≠ accidental access</li></ul>www.shawnetuma.com<br />
  110. 110. Wrongful Access<br />Two Types of Wrongful Access<br />“without authorization”<br />Outsiders<br />No rights<br />Not defined<br />Only requires intent to access, not harm<br />Hacker!<br />“exceeds authorized”<br />Insiders<br />Some rights<br />CFAA defines: use in a way not entitled<br />Necessarily requires limits of authorization<br />Employees, web users, etc.<br />37<br />www.shawnetuma.com<br />
  111. 111. 38<br />Wrongful Access<br />First step should be “which is it”?<br />Instead, confusion of the two<br /><ul><li>Lawyers plead both
  112. 112. Courts don’t usually indicate which – or care – go straight to the outcome
  113. 113. Case outcomes do not reflect Congressional framework</li></ul>www.shawnetuma.com<br />
  114. 114. 39<br />Wrongful Access<br />“without authorization” <br /><ul><li>Clear when hacker
  115. 115. Question is whether “exceeds” becomes “without”
  116. 116. Insider authorized for some computers
  117. 117. Insider authorized for some locations
  118. 118. Insider authorized for intended use
  119. 119. United States v. Morris
  120. 120. Unauthorized system and intended use</li></ul>www.shawnetuma.com<br />
  121. 121. 40<br />Wrongful Access<br />When does authorization terminate?<br /><ul><li>Now there are two general lines of cases
  122. 122. Agency Theory
  123. 123. Intended-Use Analysis</li></ul>www.shawnetuma.com<br />
  124. 124. 41<br />Wrongful Access<br />Agency Theory<br />Employee’s breach of duty of loyal to his employer terminated his right to access the computer based on common law agency principles.<br /><ul><li>International Airport Centers, LLC v. Citrin (7th Cir. 2006)
  125. 125. Earlier case
  126. 126. Minority view</li></ul>www.shawnetuma.com<br />
  127. 127. 42<br />Wrongful Access<br />Intended-Use Analysis<br />Authorization continues until terminated by the grantor but exceeding prior contractual access and use limitations exceeds authorized access.<br /><ul><li>United States v. Nosal(9th Cir. 2011); United States v. Rodriguez (11th Cir. 2010); United States v. John (5th Cir. 2010), LVRC Holdings LLC v. Brekka (9th Cir. 2009)
  128. 128. Majority view (overly simplified)
  129. 129. Prior notice of limits is vital
  130. 130. Emphasizes need for contractual limits</li></ul>www.shawnetuma.com<br />
  131. 131. 43<br />Wrongful Access<br />Ways to establish limits<br /><ul><li>Contractual
  132. 132. Policies: computer use, employment & manuals
  133. 133. Website Terms of Service
  134. 134. Technological
  135. 135. Login and access restrictions
  136. 136. System warnings
  137. 137. Training and other evidence of notification
  138. 138. Notices of intent to use CFAA</li></ul>www.shawnetuma.com<br />
  139. 139. 44<br />Wrongful Access<br />Contractual limits should<br /><ul><li>Clearly notify of limits
  140. 140. Limit access to information
  141. 141. Limit use of information accessed
  142. 142. Terminate access rights upon violation
  143. 143. Indicate intent to enforce by CFAA</li></ul>Goal: limit or terminate authorization<br />www.shawnetuma.com<br />
  144. 144. 45<br />Wrongful AccessExamples<br />The following examples are situations that may constitute a wrongful access under the CFAA<br /><ul><li>I say “may” because …
  145. 145. We’re talking about law!
  146. 146. Evolving jurisprudence
  147. 147. Access limits are huge factor
  148. 148. Facts can vary greatly</li></ul>www.shawnetuma.com<br />
  149. 149. 46<br />Wrongful AccessExamples<br />Employment Situations<br />Most common scenario is employment<br /><ul><li>Employee access and take customer account information
  150. 150. Employee accesses and takes or emails confidential information to competitor
  151. 151. Employee improperly deletes data and email
  152. 152. Employee deletes browser history 
  153. 153. Employee accessing their Facebook, Gmail, Chase accounts at work </li></ul>www.shawnetuma.com<br />
  154. 154. 47<br />Wrongful AccessExamples<br />Family Law Situations<br />Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? <br />DON’T ANSWER THAT!<br /><ul><li>Estranged spouse in Arkansas did after separation
  155. 155. NTTA account?
  156. 156. Bank account?
  157. 157. Cancelling services via online accounts?</li></ul>www.shawnetuma.com<br />
  158. 158. 48<br />Wrongful AccessExamples<br />Sharing Website Logins<br />Have you ever borrowed or shared website login credentials and passwords? <br />DON’T ANSWER THAT!<br /><ul><li>Recent case held that permitting others to use login credentials for paid website was viable CFAA claim
  159. 159. The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service</li></ul>www.shawnetuma.com<br />
  160. 160. 49<br />Wrongful AccessExamples<br />Misuse of Websites<br />Ever created a fake profile or used a website for something other than its intended purpose?<br />DON’T ANSWER THAT!<br /><ul><li>Myspace Mom case
  161. 161. Fake login to disrupt legitimate website sales
  162. 162. Accessing website to gain competitive information when prohibited by TOS
  163. 163. Creating fake Facebook to research opposing parties</li></ul>www.shawnetuma.com<br />
  164. 164. 50<br />Wrongful AccessExamples<br />Hacking & Private Information<br />Hacking was original purpose for CFAA<br /><ul><li>Hacking and obtaining private information
  165. 165. Tracking individuals through geo-tagging
  166. 166. Website collection of private information
  167. 167. All fit within the prohibitions of the CFAA
  168. 168. Loss is the problem, from a civil standpoint</li></ul>www.shawnetuma.com<br />
  169. 169. 51<br />Proposed amendments<br />www.shawnetuma.com<br />
  170. 170. 52<br />Proposed Amendments<br />Hacking<br />Data Breach<br />Privacy<br />www.shawnetuma.com<br />
  171. 171. 53<br />Proposed Amendments<br />Hacking, Data Breach & Privacy<br /><ul><li>Biggest news event of year?
  172. 172. 46 States  Breach Notification Laws
  173. 173. Administration & Congress want to act
  174. 174. Protect Personal Information (“PI”)
  175. 175. Name + address, SS#, DL#, or financial acct #
  176. 176. Health data
  177. 177. Vehicle of choice is to amend the CFAA</li></ul>www.shawnetuma.com<br />
  178. 178. 54<br />Proposed Amendments<br />Proposed Amendments<br /><ul><li>Several bills
  179. 179. Proposals generally seek
  180. 180. National standard breach notification law
  181. 181. Preempt State laws
  182. 182. Regulate businesses handling PI
  183. 183. Limit PI businesses retain
  184. 184. Stronger criminal penalties for hacking</li></ul>www.shawnetuma.com<br />
  185. 185. 55<br />Proposed Amendments<br />Will tougher criminal penalties help?<br />The Real Question:<br />Is it possible to keep data secure from being breached?<br />www.shawnetuma.com<br />
  186. 186. 56<br />Proposed Amendments<br />www.shawnetuma.com<br />
  187. 187. 57<br />Proposed Amendments<br />Who’s gonna get it?<br />Cost – benefit analysis<br /><ul><li>$11 per vehicle
  188. 188. Cheaper to defend wrongful death lawsuits
  189. 189. The “Ford Pinto Memo”
  190. 190. Actual damages: $2.5 million
  191. 191. Punitive damages: $125 million </li></ul>www.shawnetuma.com<br />
  192. 192. 58<br />Proposed Amendments<br />Ford got the message!<br />Deterrence: civil v. criminal?<br />Amend CFAA to permit more civil claims<br /><ul><li>Give owner of PI a cause of action against
  193. 193. Hacker
  194. 194. Breached entity
  195. 195. Include breach of PI as a “loss”
  196. 196. Permit recovery of costs and attorneys’ fees
  197. 197. Likelihood of civil greater than criminal</li></ul>www.shawnetuma.com<br />
  198. 198. 59<br />Conclusion<br /><ul><li>Why? Remember what Jobs said
  199. 199. CFAA is very broad and covers all kinds of computer misuse
  200. 200. CFAA is complex with lots of pitfalls
  201. 201. Proposed Amendments will broaden CFAA
  202. 202. Data breach
  203. 203. Privacy</li></ul>www.shawnetuma.com<br />
  204. 204. 60<br />THE END<br />www.shawnetuma.com<br />

×