FRAUD 2.0
Overview and Update of the
Computer Fraud and Abuse Act and
A Few Lessons About Data Breaches

Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

This is a presentation by Shawn Tuma, an attorney in Plano, Texas who has expertise with the Computer Fraud and Abuse Act. Tuma provides an overview and update on recent cases and legal issues involving the Computer Fraud and Abuse Act -- otherwise known as the CFAA.

Published in: Technology, Economy & Finance

  • What would your advice, as a lawyer, be in this situation?
  • Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas

    1. FRAUD 2.0: Overview and Update of the Computer Fraud and Abuse Act and A Few Lessons About Data Breaches. Privacy, Data Security, and eCommerce Committee of the State Bar of Texas, August 28, 2013
    2. #fraud20 www.brittontuma.com
    3. when is the last time you heard of …
    4. NON COMPUTER RELATED FRAUD?
    5. 2012 Cybercrime Statistics • costs $110 billion annually • 18 adults every second are victims • 556,000,000 adults every year are victims • 46% of online adults are victims • mobile devices are trending (2012 Norton Cybercrime Report)
    6. What is fraud? • Fraud is, in its simplest form, deception • Black’s Law Dictionary • all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth
    7. Traditional vehicles for fraud? • verbal communication • written communication • in person • through mail • via wire
    8. What do computers do? EFFICIENCY!
    9. FRAUD 2.0
    10. Computer Fraud = Fraud 2.0 • Deception, through the use of a computer • “old crimes committed in new ways … using computers and the Internet to make the task[s] easier” • computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks • mouse and keyboard = modern fraudster tools of choice
    11. Who knows the percentage of businesses that suffered at least one act of computer fraud in last year? 90% (Ponemon Institute Study)
    12. BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)
    13. Computer Fraud and Abuse Act: Federal Law – 18 U.S.C. § 1030
    16. ▪ Primary Law for Misuse of Computers ▪ Computers … Why is the Computer Fraud and Abuse Act important?
    17. “Everything has a computer in it nowadays.” -Steve Jobs
    18. WHAT IS A COMPUTER?
    19. has a processor or stores data “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …” IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;” The CFAA says
    20. What about . . .
    21. “‘That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .” -United States v. Kramer The Fourth Circuit says
    22. This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now? The CFAA applies only to “protected” computers. Protected = connected to the Internet. Any situations where these devices are connected?
    23. • TI-99 • 3.3 MHz Processor • 16 KB of RAM • Leap Frog Leapster • 96 MHz Processor • 128 MB of RAM • iPhone 5 • 1.02 GHz Processor • 1 GB of RAM
    24. 66 MHz = fastest desktop in 80s; 96 MHz = child’s toy today; 250 MHz = fastest super computer in 80s; 1.02 GHz = telephone today
    27. no, I really mean seriously . . .
    28. WHAT DOES THE CFAA PROHIBIT?
    29. CFAA prohibits the access of a protected computer that is ▪ Without authorization, or ▪ Exceeds authorized access
    30. Where the person accessing ▪ Obtains information ▪ Commits a fraud ▪ Obtains something of value ▪ Transmits damaging information ▪ Causes damage ▪ Traffics in passwords ▪ Commits extortion
    31. ▪ Overly simplistic list ▪ Very complex statute ▪ Appears deceptively straightforward ▪ Many pitfalls “I am the wisest man alive, for I know one thing, and that is that I know nothing.” -Socrates
    32. Two Most Problematic Issues ▪ “Loss” Requirement • Confuses lawyers and judges alike ▪ Unauthorized / Exceeding Authorized Access • Evolving jurisprudence • Interpreted by many Circuits • New conflict on April 10, 2012
    33. Limited civil remedy ▪ Procedurally complex with many cross-references ▪ “damage” ≠ “damages” ▪ Must have $5,000 “loss” (i.e., cost) ▪ Loss requirement is jurisdictional threshold
    34. What is a “loss”? “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Loss = cost (unless interruption of service)
    35. What can qualify as a “loss”? ▪ Investigation and response costs • Forensics analysis and investigation • Diagnostic measures • Restoration of system • Bartered services for investigation / restoration ▪ Value of employees’ time ▪ Attorneys’ fees if leading investigation
    36. What is not a “loss”? ▪ Lost revenue (unless interruption of service) ▪ Value of trade secrets ▪ Lost profits ▪ Lost customers ▪ Lost business opportunities ▪ Privacy and Personally Identifiable Information
    37. Privacy and Personally Identifiable Information ▪ iTracking ▪ Hacking / data breach ▪ Browser cookies REMEMBER: Loss is only required for civil remedy – not criminal violation
    38. What would you advise? • Wrongful access of your client’s computer • Considering a CFAA claim • Your advice would be to ________?
    39. Remedies • Available • Economic damages • Loss damage • Injunctive relief • Not Available • Exemplary damages • Attorneys’ fees
    40. Elements of broadest CFAA Claim 1. Intentionally access computer; 2. Without authorization or exceeding authorized access; 3. Obtained information from any protected computer; and 4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    41. Elements of CFAA Fraud Claim 1. Knowingly and with intent to defraud; 2. Accesses a protected computer; 3. Without authorization or exceeding authorized access; 4. By doing so, furthers the intended fraud and obtains anything of value; and 5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
    42. WRONGFUL ACCESS
    43. General Access Principles ▪ Access by informational / data use ▪ ≠ technician ▪ Must be knowing or intentional access ▪ ≠ accidental access
    44. “without authorization” ▪ Outsiders ▪ No rights ▪ Not defined ▪ Only requires intent to access, not harm ▪ Hacker! “exceeds authorized” ▪ Insiders ▪ Some rights ▪ CFAA defines: access in a way not entitled ▪ Necessarily requires limits of authorization ▪ Employees, web users, etc. Two Types of Wrongful Access
    45. When does authorization terminate? Trilogy of Access Theories • Agency Theory • Intended-Use Theory • Strict Access Theory
    46. Agency Theory: International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) • Under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so too would his authorization change by becoming unauthorized. • Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it. • 7th Circuit only
    47. Intended-Use Theory: United States v. John, 597 F.3d 263 (5th Cir. 2010) • Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements. • The employer can implement restrictions on access and use of information obtained thereby, in advance, by policies and agreements that are known by the employee and, if the employee still violates those limitations by accessing information and using it for improper purposes – not for its intended use – that is unauthorized for purposes of the CFAA. • 5th, 11th, 8th, 3rd, 1st (possibly) Circuits
    48. Strict Access Theory: United States v. Nosal (Nosal II), 676 F.3d 854 (9th Cir. 2012) (en banc) • A strict interpretation of the CFAA prohibits unauthorized access to the computer rather than unauthorized use of the information. If authorization to access has been given, access will continue to be authorized until it is explicitly revoked, regardless of how it is used. • 9th and 4th Circuits
    49. Establishing limits for Intended-Use • Contractual • Policies: computer use, employment & manuals • Website Terms of Service • Technological • Login and access restrictions • System warnings • Training and other evidence of notification • Notices of intent to use CFAA
    50. Contractual limits should • Clearly notify of limits • Limit authorization to access information • Limit use of information accessed • Terminate access rights upon violation • Indicate intent to enforce by CFAA. Goal: limit or terminate authorization
    51. Ways to terminate for Strict Access: Craigslist Inc. v. 3Taps Inc., 2013 WL 447520 (ND Ca. Aug. 16, 2013) ▪ 3Taps operates an online service that aggregates and republishes ads from Craigslist. After learning, Craigslist took two important steps: 1. sent a cease-and-desist letter informing “[t]his letter notifies you that you and your agents, employees, affiliates, and/or anyone acting on your behalf are no longer authorized to access, and/or prohibited from accessing Craigslist’s website or services for any reason” (clear and direct notice) 2. configured its website to block access from IP addresses associated with 3Taps (technological restrictions) ▪ Craigslist as owner of the website rescinded that permission for 3Taps and further access by 3Taps after that rescission was “without authorization.” ▪ With active monitoring, access and use can be controlled with CFAA.
    52. Remember Aaron Swartz? ▪ In 2008, downloaded and released approximately 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents which amounted to about 18,000,000 documents. He was investigated by the FBI but was not charged. ▪ Tried to “liberate” all information in JSTOR’s database by making it publicly available via file sharing networks. Made several attempts by using MIT’s network and account with a guest account he created, each time circumventing the barriers that MIT and JSTOR set up to stop him. ▪ Circumvented IP blocking, download limitations, spoofed MAC address, bought new laptop to circumvent, broke into network closet.
    53. Who is Sandra Teague? United States v. Teague, 646 F.3d 1119 (8th Cir. 2011) ▪ Worked for a contractor that assists the Department of Education with student loan inquiries via a call center; had been granted access to the National Student Loan Data System which contains student borrowers’ private information. ▪ Used their access to look up 1 record for an individual even though they were not working on anything related to that person. For this single act, Teague was charged with violating the Computer Fraud and Abuse Act, tried, and convicted. ▪ Can you guess whose student loan records are that guarded?
    54. Employment Situations: Most common scenario is employment • Employee accesses and takes customer account information • Employee accesses and takes or emails confidential information to competitor • Employee improperly deletes data and email • Employee deletes browser history ☺ • Employee accessing their Facebook, Gmail, Chase accounts at work ☺
    55. Family Law Situations: Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others? DON’T ANSWER THAT! • Arkansas spouse after separation • NTTA account? • Bank account? • Cancelling services via online accounts? • Kate Gosselin v. Jon Gosselin alleges, post separation: • hack email, phone, bank account • stole hard drive • published info for tabloids and book • $5,000 loss?
    56. Sharing Website Logins: Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)? DON’T ANSWER THAT! • Recent case held that permitting others to use login credentials for paid website was viable CFAA claim • The key factor here was the conduct was prohibited by the website’s agreed to Terms of Service
    57. Misuse of Websites: Ever created a fake profile or used a website for something other than its intended purpose? DON’T ANSWER THAT! • Myspace Mom case – United States v. Drew • Fake login to disrupt legitimate website sales • Accessing website to gain competitive information when prohibited by TOS • Creating fake Facebook to research opposing parties • Website scraping – Craigslist v. 3Taps
    58. Hacking & Private Information: Hacking was original purpose for CFAA • Hacking and obtaining private information • United States v. Teague • 8th Cir, employee looking up forbidden educ. records • United States v. Tolliver • 3rd Cir, employee looking up customer records without business purp. • Tracking individuals through geo-tagging • Website collection of private information • All fit within the prohibitions of the CFAA • Loss is the problem, from a civil standpoint
    59. DATA BREACH: WHAT DO YOU DO?
    60. Data Breach • often a product of computer fraud • on the rise • major risk to virtually all businesses • PII, PHI, financial data, cardholder data • disruption and data loss • claims from data subjects • fines and penalties from govts, agencies, indust. groups • impossible to prevent • plan ahead to reduce harm
    61. 4 Phases of Data Breach • Preparation • Prevention • Understanding • Laws, Rules & Regulations • Responding
    62. Preparation • Breach Response Plan • Goal → Execute! • Who, What, When, How • Attorney – privilege • Adopted Notification Form • Educate Team • IT Security Audit / Penetration Testing • Compliance: Prepare, Train, Audit • HIPAA, ERISA, OSHA, PCI, FINRA • Cyber Insurance
    63. Prevention • Software and Systems Updates • Remediate Vulnerabilities • Encrypt, Encrypt, Encrypt • Data Surveillance & IT Alerts • Cyber CounterIntelligence / CounterEspionage • IT Alerts
    64. Understanding Laws, Rules & Regulations • No Federal Breach Notification Law (yet) • 46 States Have Laws • ≠ Alabama, Kentucky, New Mexico, South Dakota • Massachusetts is an oddball • 45 days (FL, OH, VT, WI) otherwise expeditious without unreasonable delay • Consumers + State Attorney General • Agencies (FTC, HHS, OCR, DOL, SEC) • Industries (FINRA, PCI) • International
    65. Responding to a Breach – Just Execute the Plan! • Contact Attorney • Assemble Response Team • Contact Forensics • Investigate Breach • Remediate Responsible Vulnerabilities • Contact Vendor for Notification • Reporting & Notification • Law Enforcement First • AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers
    66. OTHER LAWS FOR COMBATING FRAUD 2.0
    67. Federal Laws for Combating Fraud 2.0 • Electronic Communications Privacy Act - 18 U.S.C. § 2510 • Wiretap Act ≠ intercept communications • Stored Communications Act ≠ comm. at rest • Fraud with Access Devices - 18 U.S.C. § 1029 • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards • Identity Theft – 18 U.S.C. § 1028
    68. Texas Laws for Combating Fraud 2.0 • Breach of Computer Security Act (Tx. Penal Code § 33.02) • knowingly access a computer without effective consent of owner • Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053) amended by SB 1610 (eff. 6/14/13) • Fraudulent Use or Possession of Identifying Info (TPC § 32.51) • Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02) • Unlawful Access to Stored Communications (TPC § 16.04) • Identity Theft Enforcement and Protection Act (BCC § 48.001) • Consumer Protection Against Computer Spyware Act (BCC § 48.051) • Anti-Phishing Act (BCC § 48.003)
    69. • Welcome to the world of Fraud 2.0! • Why? Remember what Jobs said • CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving! • Data Breaches – be prepared – it will happen! • Many other Federal and Texas laws also available for combating computer fraud • Cyber Insurance