<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Fraud / Data Protection</title>
	<atom:link href="http://computerfraud.us/feed" rel="self" type="application/rss+xml" />
	<link>http://computerfraud.us</link>
	<description>by Nick Akerman</description>
	<lastBuildDate>Mon, 06 Feb 2012 02:51:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Hacking, Malware, and Social Engineering—Definitions of and Statistics about Cyber Threats Contributing to Breaches</title>
		<link>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches</link>
		<comments>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches#comments</comments>
		<pubDate>Thu, 26 Jan 2012 21:23:40 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1103</guid>
		<description><![CDATA[This article was first published on IRMI.com and is reproduced with permission. Copyright 2012, International Risk Management Institute, Inc As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011). by Melissa J. Krasnow Partner, Dorsey &#38; Whitney LLP The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch &#8230; <a href="http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>This article was first published on IRMI.com and is reproduced with permission.<br />
Copyright 2012, International Risk Management Institute, Inc.</p>
<p>As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011).</p>
<p>by Melissa J. Krasnow<br />
Partner, Dorsey &amp; Whitney LLP</p>
<p>The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch National High Tech Crime Unit investigated in 2010. This report classified and tallied the types of cyber threats that contributed to breaches. Hacking and malware were utilized in the majority of the breaches, at 50 percent and 49 percent, respectively. Social engineering was involved in 11 percent of the breaches. Many times, these three types of cyber threats from the report and related terms are used but not defined.</p>
<p>This article provides definitions of and statistics from the report about hacking, malware, and social engineering as well as the related terms pretexting, phishing, and spear phishing.</p>
<p><strong>Hacking</strong></p>
<p>Hacking is a broad term that describes all attempts to intentionally access or harm information assets without or in excess of authorization by thwarting logical security mechanisms. The three methods of hacking utilized most commonly in hacking breaches were exploitation of back doors or command/control functionality, exploitation of default or guessable credentials, and brute force and dictionary attacks, at 73 percent, 67 percent, and 52 percent, respectively. With a back door installed, an attacker can bypass security mechanisms and obtain access without using legitimate channels. Regarding the other two methods, an attacker tries a few well-known combinations of default credentials used on various types of systems and, if necessary, then runs a brute force attack to crack the system.</p>
<p><strong>Malware</strong></p>
<p>Malware is short for malicious software and means any software or code developed or used for compromising or harming information assets without the owner&#8217;s informed consent. Malware enables or prolongs access, captures data, and/or furthers the attack. The most common means of infection for malware is installation or injection by a remote attacker, constituting 81 percent of malware infections. One example is an attacker breaching a system and then deploying malware or injecting code via SQL injection or other Web application input functionality. Web-based malware, the second most common means of infection, comprises code that is auto-executed (also known as drive-by downloads) and code that requires additional user interaction beyond the page visit (e.g., fake audiovisuals scaring users to &#8220;click here to scan and clean your infected system&#8221;).</p>
<p>Sending data to an external site/entity, back door, and keylogger/form-grabber/spyware were the three most common functions found in malware breaches, at 79 percent, 78 percent, and 66 percent, respectively.  A back door allows an attacker unauthorized access to infected devices, and an attacker can install additional malware, use the device as a launch point for further attacks, or retrieve captured data. A keylogger allows an attacker to build a preconfigured remote installation package that will be deployed on a target system that can capture data from user activity.</p>
<p>When malware captures sensitive information, it must be taken out of the organization&#8217;s environment: Either the malware sends it out of the organization (in almost 8 out of 10 incidents involving malware) or the attacker reenters the network to retrieve it. The general rule is that smaller packets are sent out (e.g., credentials captured by keyloggers) while larger amounts of data are retrieved (e.g., the contents of a network file share transmitted through a back door&#8217;s file transfer capabilities).</p>
<p><strong>Social Engineering</strong></p>
<p>In a social engineering attack, an attacker uses human interaction (i.e., social skills) to obtain or compromise information about an organization or its computer systems. Social engineering tactics include deception, manipulation, and intimidation to exploit the human element or users of information assets. An attacker may be able to put together enough information to infiltrate an organization&#8217;s network. If an attacker is not able to gather enough information from one source, the attacker may contact a source within the same organization and rely on the information from the first source to add to his or her credibility. Often, these actions are used together with other types of cyber threats and can be conducted through both technical and nontechnical means.</p>
<p>Solicitation and bribery were the most common type of social engineering tactic, used in 74 percent of social engineering breaches. Solicitation and bribery frequently entail collusion between an external agent and an insider. One party uses petitions, promises, and payments to get another to participate in the crime.</p>
<p><strong>Pretexting</strong></p>
<p>Pretexting was used in 44 percent of social engineering breaches. Pretexting is the practice of getting an individual&#8217;s personal information under false pretenses using a variety of tactics. The pretexter may be able to obtain personal information including a Social Security number, bank and credit card account numbers, information in a credit report, and the existence and size of savings and investment portfolios. However, some information about an individual may be a matter of public record, including whether they own a house, pay their real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.</p>
<p>Counterfeiting and forgery were used in 16 percent of social engineering breaches and can involve everything from websites to documents (e.g., the use of fake credentials (driver&#8217;s licenses, birth certificates, etc.)).</p>
<p><strong>Phishing</strong></p>
<p>Phishing attacks were used in 11 percent of social engineering breaches. Phishing attacks use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. For instance, an attacker may send e-mail appearing to be from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, an attacker can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, like charities. Attackers often take advantage of current events and certain times of the year, including: (1) natural disasters (e.g., Hurricane Katrina), (2) epidemics and health scares (e.g., H1N1), (3) economic concerns (e.g., Internal Revenue Service scams), (4) major political elections, and (5) holidays. Interestingly, phishing attacks are being used more often to gain a toehold in the victim&#8217;s environment through attached malware.</p>
<p><strong>Spear Phishing</strong></p>
<p>Spear phishing involves targeted e-mails that typically are used as a catalyst for individuals to click on hyperlinks or open attachments, allowing the downloading of malicious content to the user&#8217;s device and the unauthorized entry into an organization&#8217;s network. Business activities and products that could be leveraged by an attacker to develop targeted e-mails addressed to individuals within an organization include:</p>
<ul>
<li>media releases,</li>
<li>business mergers and acquisitions,</li>
<li>business reports/stock reports/financial statements,</li>
<li>competing for contracts,</li>
<li>awarded contracts,</li>
<li>technological breakthroughs,</li>
<li>international dealings,</li>
<li>other public information of interest to malicious actors,</li>
<li>natural disasters,</li>
<li>referred to by other parties in their public release statements,</li>
<li>government/industry events,</li>
<li>government or industry work stoppages,</li>
<li>international or political events.</li>
</ul>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Holding Passwords Hostage – International Extortion Foiled</title>
		<link>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled</link>
		<comments>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled#comments</comments>
		<pubDate>Thu, 19 Jan 2012 14:29:18 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1090</guid>
		<description><![CDATA[I <a href="http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>In a case recently filed  by a Swiss company in federal court in Florida, the company alleged in its complaint that Jerome Westrick, its former computer programmer and minority shareholder, stole a company laptop, hacked into the company’s computer system, changed access codes and passwords, and locked out the company and its customers from getting into its enterprise content management software.    <em>WIT Walchi Innovation Technologies, GMBH v. Westrick</em>, 2012 WL 33164 (S.D. Fl. Jan. 6, 2012).  </p>
<p>Then, Westrick allegedly sought a $300,000 payment to reveal the changed access codes and new passwords.  </p>
<p><strong>The Court Said, “No!”</strong></p>
<p>The ploy did not work.  The court issued a temporary restraining <a href="http://law.justia.com/cases/federal/district-courts/florida/flsdce/1:2012cv20072/392690/9">order</a> requiring the immediate return of the laptop and directing Westrick to maintain its integrity and not to disclose the passwords and access codes to third parties.</p>
<p><strong>What to Do if This Happens to You</strong></p>
<p>There are a couple of ways to handle this type of theft.  One approach is to go to the Department of Justice or the FBI and file a criminal complaint.  No guarantees – there is no way to predict whether the criminal authorities will investigate and prosecute the case because of competing priorities and limited resources.  If they do, there is no way to predict when they will do it.  In short, you have no control over what, if anything, happens.</p>
<p>Another approach is to do what this company did.  It wisely filed its complaint alleging various violations of the <a href="http://uscode.house.gov/uscode-cgi/fastweb.exe?getdoc+uscview+t17t20+613+0++%2528computer%20fraud%2529%20%20AND%20%2528%252818%2529%20ADJ%20USC%2529%253ACITE%20AND%20%2528USC%20w%252F10%20%25281030%2529%2529%253ACITE">Computer Fraud and Abuse Act</a> (“CFAA”).  By doing so, it exercised self-help under a law designed to protect against computer crimes, including extortion in relation to computers.  Rather than engaging in a protracted court proceeding, it brought a laser-directed court action that resulted in the return of its property and the end of the extortion.  This of course does not mean that while you are prosecuting your CFAA action, you should not file a complaint with the authorities.  Just understand that what you and your attorney do will likely result in quicker and more efficient justice.</p>
<p><strong>Act Fast</strong></p>
<p>Employees have access to the keys to your kingdom.  Most, when terminated or when they leave, do the right thing.  When they do not, you need to recognize it and act fast.  A court will not grant emergency relief such as a temporary restraining order unless you treat the matter as the emergency it is.  You need to be prepared immediately to &#8211;</p>
<p>•	Investigate and gather admissible evidence to prove the theft of the data and the extortion that can be presented to a court to justify the entry of an immediate injunction.</p>
<p>•	Hire expert counsel familiar with the CFAA who can coordinate the investigation with an eye to filing the appropriate court papers.</p>
<p>In many instances, as demonstrated by the Westrick case, taking the civil route as opposed to the criminal route is the best course of action.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Think You Own Your LinkedIn, Twitter and Facebook Account?  Think Again.</title>
		<link>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again</link>
		<comments>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again#comments</comments>
		<pubDate>Tue, 03 Jan 2012 13:43:37 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1083</guid>
		<description><![CDATA[You may not, as reflected in the recently reported decision of Eagle v. Morgan, 2011 WL 6739448 (E.D. Pa. December 22, 2011) where both the employee and her former employer claim ownership in the employee’s LinkedIn account, the popular social networking site for business professionals. The dispute is starkly drawn in the litigation’s opposing pleadings and provides a strong warning to the hundred million plus LinkedIn users and other users of social media who operate under the assumption that their social media accounts belong solely to them to transfer as they please when they change jobs. The facts in the &#8230; <a href="http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>You may not, as reflected in the recently reported decision of <em>Eagle v. Morgan</em>, 2011 WL 6739448 (E.D. Pa. December 22, 2011) where both the employee and her former employer claim ownership in the employee’s LinkedIn account, the popular social networking site for business professionals.  The dispute is starkly drawn in the litigation’s opposing pleadings and provides a strong warning to the hundred million plus LinkedIn users and other users of social media who operate under the assumption that their social media accounts belong solely to them to transfer as they please when they change jobs.</p>
<p>The facts in the <em>Eagle</em> case will sound familiar to all social media mavens who use sites like LinkedIn to promote their businesses and professional careers.  The plaintiff Linda Eagle, a Ph.D. in communications and psychology, established her LinkedIn account in 2008 after she and others founded Edcomm, Inc., (“Edcomm”) to train individuals to work in the financial services industry.  Like others who sign up for a free account with LinkedIn, Dr. Eagle’s complaint alleges she had to assent to a user agreement “which constitutes “a legally binding agreement with LinkedIn Corporation” and, as such, “information provided to LinkedIn is owned by the LinkedIn user, subject to the other terms of the User Agreement.”  <em>Id</em>. at *1.  </p>
<p>According to LinkedIn’s terms of use, “[u]sers can maintain only one LinkedIn account at a time” and “Dr. Eagle [as alleged in her complaint] used her account to promote Edcomm&#8217;s banking education services; foster her reputation as a businesswoman; reconnect with family, friends, and colleagues; and build social and professional relationships.” <em>Id</em>.</p>
<p>In October 2010 Sawabeh Information Services Company (“SISCOM”) purchased Edcomm.  Dr. Eagle initially remained employed by SISCOM as its CEO, but approximately 6 months later Edcomm involuntarily terminated her employment.  According to Dr. Eagle’s complaint, Edcomm then hijacked her LinkedIn account using her LinkedIn password.  Her complaint alleges that Edcomm used her password “to gain unauthorized access” to her account, “changed the password,” and “then changed Dr. Eagle’s account profile to display” Edcomm’s new CEO’s “name and photograph” “but Dr. Eagle’s honors and awards, recommendations and connections.”  <em>Id</em>. at *2.  The complaint alleges that Edcomm “used Dr. Eagle&#8217;s account both to prevent her connections from reaching her, and to acquire business connections for the benefit of . . . [the new CEO] and Edcomm.”  <em>Id.</em></p>
<p>In response Edcomm filed a counterclaim alleging facts that Dr. Eagle’s LinkedIn account had been established and used for the benefit of Edcomm at Edcomm’s expense.  Thus, the counterclaim alleges “that Edcomm, while under Dr. Eagle&#8217;s management, implemented a policy requiring Edcomm&#8217;s employees to create and maintain LinkedIn accounts.”  <em>Id</em>. at *3.  All Edcomm executive employees, as a matter of company policy, were required “to: (a) utilize their Edcomm email address for LinkedIn accounts; (b) utilize a specific form template, created and approved by Edcomm, for their description of Edcomm, work history, and professional activities, as well as photographs taken by a professional photographer hired by Edcomm; (c) contain links to Edcomm&#8217;s website on LinkedIn accounts and the Banker&#8217;s Academy webpage, as well as Edcomm&#8217;s telephone number; and (d) utilize Edcomm&#8217;s template for replying to individuals through LinkedIn.”  <em>Id.</em>  The counterclaim further alleges that “[c]ertain Edcomm employees monitored these LinkedIn accounts, corrected any violations of Edcomm policy, and maintained accounts for several employees for the benefit of Edcomm” and that “all discussions, connections, and content were added by” Edcomm employees.  <em>Id.</em></p>
<p>In short, Edcomm alleges that “Dr. Eagle&#8217;s LinkedIn account was used for Edcomm business and Edcomm personnel developed and maintained all connections and much of the content on her account” and that Dr. Eagle, who regained control of her LinkedIn account after initiating her lawsuit, had “wrongfully misappropriated both Edcomm&#8217;s connections on the LinkedIn account and Edcomm&#8217;s telephone number constituting Edcomm’s proprietary information on the account.”  <em>Id.</em></p>
<p>Based on these dueling allegations both sides filed numerous claims against each other.  Dr. Eagle alleges violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. §1030, violation of Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(1)(A), unauthorized use of name in violation of 42 Pa.C.S. § 8316, invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft under 42 Pa.C.S. § 8315, conversion, tortious interference with contract, civil conspiracy and civil aiding and abetting.  <em>Id</em>. at *2.  Edcomm also alleges violations of the CFAA, misappropriation, conversion, and tortious interference with contract, but added claims for unfair competition and a violation of the Pennsylvania trade secret law.</p>
<p>Dr. Eagle moved to dismiss all of Edcomm’s claims on the ground that they do not, as a matter of law, allege facts constituting proper claims for relief.  The court granted Dr. Eagle’s motion to dismiss all of Edcomm’s claims except for two Pennsylvania law causes of action, 1) misappropriation of an idea and 2) unfair competition that is essentially based on the same elements of the misappropriation claim.  Under Pennsylvania law misappropriation of an idea requires the plaintiff to prove that 1) the plaintiff had an idea that was novel and concrete and 2) the idea was misappropriated by the defendant.  <em>Id</em>. at *13.   As the court explained, </p>
<blockquote><p>[t]o determine whether an idea has been misappropriated, Pennsylvania courts look to the three elements of common law misappropriation:<br />
(1) the plaintiff “has made substantial investment of time, effort, and money into creating the thing misappropriated such that the court can characterize the ‘thing’ as a kind of property right,” (2) the defendant “has appropriated the ‘thing’ at little or no cost such that the court can characterize the defendant&#8217;s actions as ‘reaping where it has not sown,’ “ and (3) the defendant “has injured the plaintiff by the misappropriation.”</p></blockquote>
<p><em>Id.</em>  </p>
<p>In refusing to dismiss the misappropriation and unfair competition counts the court relied on the allegations in Edcomm’s counterclaim that “Edcomm personnel, not Dr. Eagle, developed and maintained all connections and much of the content on the LinkedIn Account, actions that were taken solely at Edcomm&#8217;s expense and exclusively for its own benefit.”  <em>Id</em>.  The court stated, “[w]hile Plaintiff argues that Edcomm fails to allege facts that would show that it made a substantial investment of time, effort, and money into creating the cell phone number or LinkedIn account, Edcomm counters that its employees developed the accounts and maintained the connections, which are the route through which Edcomm contacts instructors and specific personnel within its clients.”  Thus, the court held that “these conflicting allegations create an issue of fact requiring further discovery.”  <em>Id</em>.</p>
<p>With businesses like Edcomm actively encouraging their employees to use social media as a marketing tool, there can be little doubt that litigation over the ownership of social media accounts is likely to increase.  Just last July PhoneDog.com, a popular mobile phone site, sued a former employee in federal district court in California, claiming that the approximately 17,000 Twitter followers he had amassed constituted a company-owned customer list entitling it to $2.50 per month per follower, or $350,000 in total damages.  The only way to avoid the inevitable lawsuits over the ownership of these accounts is for both employers and employees to be proactive in establishing ownership rights prior to using individual social media accounts as a marketing tool.</p>
<p>From the employer’s standpoint this ownership issue is a prime reason why employers should adopt social media policies clarifying who owns the social media accounts and what the ownership rights are when the employment relationship is terminated.  For example, it may make sense to allow employees using LinkedIn to keep their accounts but cleanse them of information that belongs to the employer, both because of the employer’s financial investment in the site and to ensure the employee is no longer associated as a spokesperson for his former employer.  As a strategy to minimize, and perhaps avoid altogether, litigation, an agreement between the employer and employee delineating the post-employment rights of both parties to the account would seem the most efficient way to deal with this issue.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Can You Go to Jail for Lying on Facebook?</title>
		<link>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook</link>
		<comments>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook#comments</comments>
		<pubDate>Wed, 21 Dec 2011 19:18:04 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1072</guid>
		<description><![CDATA[During last week’s oral argument before the 9th Circuit Court of Appeals on the case of U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account. The full oral argument can be viewed at the &#8230; <a href="http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>During last week’s oral argument before the 9th Circuit Court of Appeals on the case of <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), <em>reh’g en banc granted</em> (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account.   The full oral argument can be viewed at the following:  <a href="http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176">click</a></p>
<p>The CFAA makes it a crime to gain unauthorized access to a computer.  The questioning was premised on Facebook’s terms of service that prohibit a member of the public from providing false information in signing up for a Facebook account.  The concern expressed by another Judge in the argument is that a violation of Facebook’s rules such as lying about one’s age would mean that access to Facebook is unauthorized and thus the person is subject to criminal prosecution under the CFAA.  For a number of reasons this is a non-issue and, to the extent there is any issue, it is up to Congress, not the 9th Circuit, to remedy it.</p>
<p>First, it should be pointed out that the Nosal case does not involve a criminal defendant accessing Facebook.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. The issue before the 9th Circuit is limited to whether Nosal exceeded his authorized access to his employer’s computers when he violated Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers to “legitimate Korn/Ferry business.”  <em>Id.</em></p>
<p>Second, the fear that a minor offense such as lying on Facebook could be prosecuted is not unique to the CFAA.  The wire fraud statute, for example, makes it a crime to engage in a scheme to defraud using interstate wires in furtherance of the scheme.  On its face the wire fraud statute could theoretically not only be used against someone who lies on Facebook but could be applied against a college student who calls home asking his parents to wire him money for books, when in fact he intentionally lied, planning to use the money to buy beer.  </p>
<p>No one has ever seriously argued that this potential misuse of prosecutorial discretion makes the wire fraud statute unconstitutional.  Not only has no one ever been prosecuted for simply lying about their age on Facebook, the concern raised over the misuse of federal criminal statutes is overblown, as evidenced by the fact that the Department of Justice does not bring frivolous wire fraud prosecutions based on common lies that have no meaningful harmful impact.  Nor is the CFAA unconstitutionally vague.  The only Circuit case that has addressed this issue, <em>U.S. v. Mitra</em>, 405 F.3d 492, 496 (7th Cir. 2005), held that “[t]here is no constitutional obstacle to enforcing broad but clear statutes” and that “[t]he statute gives all the notice that the Constitution requires.”  </p>
<p>The only government prosecution under the CFAA predicated, in part, on lying about one’s age in signing up for a social networking site, was brought against Lori Drew in the federal court in Los Angeles.  Judge Kozinski referenced this prosecution in the oral argument.  The <em>Drew </em>case, however, was not a prosecution predicated solely on Drew lying about her age.  Drew was a 49-year-old woman who, according to the government’s indictment, used a MySpace account to harass and torment a 13-year-old girl, who, as a result, committed suicide.  Drew perpetrated what has been referred to as cyberbullying by posing as a fictitious 16-year-old boy in violation of MySpace’s terms of service that required her, among other things, to provide truthful information on MySpace and not use MySpace to harass, abuse or harm other people or solicit personal information from anyone younger than 18. </p>
<p>No one can seriously argue that the allegations in the indictment were not serious conduct worthy of a criminal prosecution.  In that case the jury convicted Drew of misdemeanor unauthorized access to MySpace’s website and did not convict her of the felony of doing so with the purpose of intentionally inflicting emotional distress on the young girl.  The trial judge later set aside the misdemeanor verdict, and the Department of Justice chose not to appeal that ruling to the 9th Circuit.</p>
<p>Third and finally, it is not up to the courts to decide whether the CFAA is good or bad policy.  Judge Kozinski responded to the government attorney at the argument stating that it “would be exceedingly bad policy to give the hands of the government the ability to prosecute everybody who has access to a computer” who might violate Facebook’s terms of service.  Whether it is or is not bad policy is not within the purview of the courts.  Under the Constitution it is Congress that writes the laws, and it is the courts’ obligation to enforce them. </p>
<p>The bottom line – someone who does nothing more than lie about their age on Facebook and violates Facebook’s terms of service could theoretically be prosecuted under the CFAA, but that does not make it unconstitutional or even a realistic concern.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>U.S. v. Nosal Re-Argued Before the 9th Circuit</title>
		<link>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit</link>
		<comments>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit#comments</comments>
		<pubDate>Mon, 19 Dec 2011 22:52:03 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1057</guid>
		<description><![CDATA[On December 15, 2011, the 9th Circuit Court of Appeals heard argument en banc in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011). As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act. The issue is whether an employee can be prosecuted under the CFAA for accessing his employer&#8217;s computer in violation of rules established by the employer restricting access to the company computers. In Nosal, the 9th Circuit had clarified its earlier decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, &#8230; <a href="http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>On December 15, 2011, the 9th Circuit Court of Appeals heard argument <em>en banc </em>in <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011).  As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act.  The issue is whether an employee can be prosecuted under the CFAA for accessing his employer&#8217;s computer in violation of rules established by the employer restricting access to the company computers.  In <em>Nosal</em>, the 9th Circuit had clarified its earlier decision in <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1131 (9th Cir. 2009).  A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.” </p>
<p><em>Brekka</em> had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor.  Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.”  <em>Id</em>. at 782.  The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.”  They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” <em>Id.  </em></p>
<p>The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the <em>Brekka</em> decision.  The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id.</em>  The government argued that, based on these policies, Nosal had exceeded authorized access. </p>
<p>The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.” <em>Id.</em> at 785. Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” <em>Id.</em>  The government stressed this interpretation in its argument to the 9th Circuit.</p>
<p><em>Nosal</em> distinguished <em>Brekka</em> on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.” <em>Id.</em> at 787. The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” <em>Id.</em> at 788.  The full 9th Circuit, however, on October 27, 2011, granted <em>en banc</em> reconsideration of its April 28, 2011 panel opinion.  </p>
<p>The primary argument advanced by Nosal’s counsel was that the CFAA only applies to hacking and that access cannot be unauthorized unless the employee circumvents the technology of the computer.  In response to questioning by the court, Nosal’s counsel stated that using another’s password would qualify as a circumvention of the computer’s technology.  This argument dismisses as irrelevant any written policies or agreements that limit the scope of an employee’s access to the employer’s computers and the First Circuit’s recognition without reference to the computer’s technology that the “CFAA&#8230;is primarily a statute imposing limits on access and enhancing control by information providers.”  <em>EF Cultural Travel B.V. v. Zefer Corp</em>., 318 F.3d 58, 63 (1st Cir. 2003).   </p>
<p>In rebuttal the government rightly pointed out that there is nothing in the language of the statute that limits the definition of authorized access to the circumvention of technology.  Given the Supreme Court’s recent admonition to the lower courts in <em>Morrison v. National Australia Bank, Ltd.</em>, 130 S.Ct. 2869, 2881 (2010), not to add requirements to a statute that are not on its face, this should be a losing argument.  The Court in <em>Morrison </em>expressly warned against such “judicial-speculation-made-law-divining what Congress would have wanted if it had thought of the situation before the court.”  <em>Id.</em></p>
<p>Based on the questioning by various members of the court, it appears that its decision in <em>Nosal </em>will not be reversed.  You can decide for yourself.  The full argument from last week can be heard at the following link: <a href="http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176">http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176</a></p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Suing Employees for Computer Fraud Gets Easier</title>
		<link>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier</link>
		<comments>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier#comments</comments>
		<pubDate>Mon, 07 Nov 2011 20:08:37 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1042</guid>
		<description><![CDATA[Four separate circuit court rulings this year enhanced the ability of businesses to use Computer Fraud and Abuse Act.     To print or view this article as a pdf go to: link By Nick Akerman  Four recent decisions handed down by four different federal courts of appeals during the past year have, in combination, greatly enhanced the ability of businesses to use the Computer Fraud and Abuse Act (CFAA) as a tool to protect competitively sensitive data and personal information stored in company computers. The CFAA is the federal computer crime statute that permits companies that have been victimized by &#8230; <a href="http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
<content:encoded><![CDATA[<p>Four separate circuit court rulings this year enhanced the ability of businesses to use the Computer Fraud and Abuse Act.</p>
<p>To print or view this article as a pdf go to: <a href="http://www.dorsey.com/files/upload/Akerman_NLJ_nov_11.pdf"> link</a></p>
<p>By Nick Akerman </p>
<p>Four recent decisions handed down by four different federal courts of appeals during the past year have, in combination, greatly enhanced the ability of businesses to use the Computer Fraud and Abuse Act (CFAA) as a tool to protect competitively sensitive data and personal information stored in company computers. The CFAA is the federal computer crime statute that permits companies that have been victimized by theft or destruction of data to file a civil action against the perpetrator for damages and injunctive relief. 18 U.S.C. 1030(g). </p>
<p> The U.S. Court of Appeals for the 9th Circuit settled the issue of an employer’s ability to use the CFAA against employees, although just last week it granted an en banc rehearing of its decision; the 6th Circuit permitted the statute to be used against a labor union that shut down an employer’s computer system through a massive spam attack; the 3d Circuit broadened the definition of unauthorized access to the company computer to mean accessing without a business purpose; and the 8th Circuit expanded the definition of what it means to obtain information from the computer to include the simple viewing of data as opposed to physically taking or copying data. </p>
<p>The most significant of these decisions is <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), <em>reh’g en banc granted </em>(Oct. 27, 2011). In <em>Nosal</em>, the 9th Circuit clarified its earlier decision in <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1131 (9th Cir. 2009), which up until now had been relied upon by numerous district courts in and out of the 9th Circuit as a bar to using the CFAA against employees who stole their employer’s computer data.  A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.” </p>
<p><em>Brekka</em> had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” <em>Id</em>. at 782. The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.”  They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” <em>Id.</em></p>
<p>The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the <em>Brekka </em>decision. The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id</em>. The government argued that, based on these policies, Nosal had exceeded authorized access. </p>
<p>The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.”  <em>Id</em>. at 785.  Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” <em>Id.</em></p>
<p>The 9th Circuit distinguished its decision in <em>Brekka </em>on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.”  <em>Id.</em> at 787.  The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.”  <em>Id.</em> at 788.  After <em>Nosal</em> it is now universally accepted among the federal circuit courts that have addressed this issue that the CFAA applies to employees who violate company computer policies limiting the scope of their access to the company computers. </p>
<p>The 6th Circuit in <em>Pulte Homes Inc. v. Laborers’ International Union of North America</em>, 648 F.3d 295, 299 (6th Cir. 2011), went one step further and upheld a CFAA complaint against not a single employee but a labor union that in the course of a labor dispute had “bombarded” the computer systems of the employer’s sales and executive offices with e-mails and voicemails, making it impossible for the company to communicate with its customers and vendors.  The complaint alleged that “[t]o generate a high volume of calls,…[the union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder].  It also encouraged its members, through postings on its website, to ‘fight back’ by using…[the union’s] server to send e-mails to specific Pulte executives. Most of the calls and e-mails concerned Pulte’s purported unfair labor practices, though some communications included threats and obscene language.” <em>Id.</em>  </p>
<p>The CFAA claim charged the union with “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. 1030(a)(5)(A). The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” § 1030(e)(8). The court found the CFAA allegations sufficient in that “the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails,” and the complaint showed that the union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system.” <em>Id</em>. at 301, 303.</p>
<p>The 3d Circuit’s decision in <em>U.S. v. Tolliver</em>, 2011 WL 4090472 at *1 (3d Cir. Sept. 15, 2011), made clear that company policies, such as those relied upon in <em>Nosal</em>, are not the only way to prove that an employee accessed the company computer “without authorization.”  The court upheld the CFAA conviction of Regina Tolliver, a former bank teller for Citizens Bank who provided confidential customer account information to “check runners” who “cashed fraudulent checks against the accounts of seven Citizens Bank customers in branches in upstate New York, western Pennsylvania, and Delaware.”  <em>Id</em>.  Without reference to any bank policies the court held that “there was sufficient evidence” upon which “the government established that Tolliver exceeded her authorized access” because “she did not have a business purpose” to access the customers’ accounts.  <em>Id.</em> at *5.  </p>
<p>While Tolliver actually removed data from her employer’s computer to facilitate the writing of fraudulent checks, the employee in <em>U.S. v. Teague</em>, 646 F.3d 1119 (8th Cir. 2011), only viewed data in the computer, did not remove it and did not use it.  Yet the 8th Circuit applied the CFAA to these facts and, in doing so, upheld the criminal conviction of Sandra Teague, an employee of a government contractor for the U.S. Department of Education, for accessing President Obama’s record in the National Student Loan Data System. </p>
<p>She had been convicted of violating the CFAA for exceeding authorized access to a computer in violation of 18 U.S.C. 1030(a)(2)(B). This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and thereby obtain information from the computer.  Based solely on her viewing the Obama student loan data, the court found the government had proved the critical CFAA element of having obtained information.  </p>
<p>Although not acknowledged by the 8th Circuit, this decision is at odds with the 1st Circuit’s ruling 14 years ago in <em>U.S. v. Czubinski</em>, 106 F.3d 1069, 1078 (1st Cir. 1997), in which the court overturned the CFAA conviction of Richard Czubinski, an Internal Revenue Service employee, who had exceeded his authorized access to an IRS computer by “merely” viewing restricted tax information relating to “friends, acquaintances, and political rivals.”  The court held that the proof was insufficient because there must be a “showing of some additional end—to which the unauthorized access is a means.”  <em>Id</em>.  However, given the CFAA’s plain language, which does not require the physical removal or copying of data, the obvious privacy concerns resulting from viewing data, and the universal recognition that memorizing information can be as detrimental as taking a physical copy of the data itself, the 8th Circuit view is likely to prevail as the accepted standard. </p>
<p>In sum, four circuit courts independently rendered decisions this year that have greatly facilitated and expanded an employer’s ability to use the CFAA against employees who engage in computer crime directed at the company’s computers.  The state of the law of course could drastically change in the near future if the 9th Circuit reverses itself on <em>Nosal</em> in its en banc re-consideration, thus leaving it to the Supreme Court to determine the applicability of the CFAA in the employer/employee context.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The Securities and Exchange Commission’s Guidance On Cybersecurity and Cyber Incident Disclosure</title>
		<link>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure</link>
		<comments>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure#comments</comments>
		<pubDate>Mon, 31 Oct 2011 20:27:57 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1039</guid>
		<description><![CDATA[BY MELISSA J. KRASNOW Background The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities. The SEC said recently that it has observed ‘‘an increased level of attention focused on cyberattacks.’’ The rash of costly cyberattacks against companies like Epsilon and Sony, among others, gave the SEC cause to implement new cybersecurity disclosure requirements. On Oct. 13 the SEC Division of Corporation Finance issued guidance for public companies regarding their disclosure obligations relating to cybersecurity (i.e., the body of technologies, processes and practices designed to protect networks, systems, computers, &#8230; <a href="http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>BY MELISSA J. KRASNOW</p>
<p><strong>Background</strong><br />
The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities.  The SEC said recently that it has observed ‘‘an increased level of attention focused on cyberattacks.’’ </p>
<p>The rash of costly cyberattacks against companies like Epsilon and Sony, among others, gave the SEC cause to implement new cybersecurity disclosure requirements. </p>
<p>On Oct. 13 the SEC Division of Corporation Finance issued guidance for public companies regarding their disclosure obligations relating to cybersecurity (i.e., the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access) risks and cyber incidents in light of a public company’s specific facts and circumstances.  The guidance is not a rule, regulation or statement of the SEC.</p>
<p>The federal securities laws are designed in part for disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.  Although no disclosure requirement specifically refers to cybersecurity risks and cyber incidents, the guidance provides an overview of the following particular disclosure obligations that may require discussion of cybersecurity risks and cyber incidents: (1) risk factors, (2) management’s discussion and analysis of financial condition and results of operations (MD&amp;A), (3) description of business, (4) legal proceedings, (5) financial statement disclosure and (6) disclosure controls and procedures.</p>
<p><strong>Risk factors</strong></p>
<p>A public company should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.  A cybersecurity risk disclosure made by a company must adequately describe the nature of the material risks and specify how each risk affects the particular public company. Generic risk factor disclosure should be avoided.</p>
<p>A public company should evaluate its cybersecurity risks and consider previous cyber incidents (including severity and frequency), the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks (including the potential costs and other consequences).  In evaluating whether risk factor disclosure should be provided, a public company also should consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which it operates and risks to that security (including threatened attacks it is not aware of).</p>
<p>Examples of disclosures may include: (1) discussion of aspects of the public company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) to the extent the public company outsources functions that have material cybersecurity risks, a description of those functions and how the public company addresses those risks; (3) a description of cyber incidents experienced by the public company that are individually, or in the aggregate, material, including a description of the costs and other consequences; (4) risks related to cyber incidents that may remain undetected for an extended period and (5) a description of relevant insurance coverage.</p>
<p>The federal securities laws do not require disclosure that itself would compromise a public company’s cybersecurity. Instead, a public company should provide sufficient disclosure to allow investors to appreciate the nature of the risks that it faces in a manner that would not have that consequence.</p>
<p><strong>Management’s discussion and analysis (MD&amp;A) of financial condition and results of operations</strong></p>
<p>A public company should address cybersecurity risks and cyber incidents in MD&amp;A if the costs or other consequences associated with known incidents or the risk of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on its results of operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.</p>
<p><strong>Description of business</strong></p>
<p>In ‘‘Description of Business’’ a public company should provide disclosure if one or more cyber incidents materially affect its products, services, relationships with customers or suppliers or competitive conditions.  In determining whether to provide disclosure, a public company should consider the impact on each of its reportable segments.</p>
<p><strong>Legal proceedings</strong></p>
<p>In ‘‘Legal Proceedings’’ a public company may need to provide disclosure if it or any subsidiary is a party to a material pending legal proceeding that involves a cyber incident.  By way of example, if a significant amount of customer information is stolen, resulting in material litigation, the public company should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties, a description of the factual basis alleged to underlie the litigation and the relief sought.</p>
<p><strong>Financial statement disclosure</strong></p>
<p>Before a cyber incident, a public company may incur substantial costs to prevent cyber incidents.  During and after a cyber incident, a public company may seek to mitigate damages by providing customers with incentives to maintain the business relationship.  In addition, cyber incidents may result in losses from asserted and unasserted claims, including warranties, breach of contract, product recall and replacement and indemnification of counterparty losses from their remediation efforts.  If losses are probable and reasonably estimable, a public company should determine when to recognize a liability. Also, a public company must provide certain disclosures of losses that are at least reasonably possible.</p>
<p>Cyber incidents may also result in diminished future cash flows, requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software and inventory.  A public company may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications.  A public company should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements.  A public company must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.  Estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue.</p>
<p>To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, a public company should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.  If the incident is a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect or a statement that such an estimate cannot be made.</p>
<p><strong>Disclosure controls and procedures</strong></p>
<p>Where cyber incidents pose a risk to a public company’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.  By way of example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a public company’s information systems, a public company may conclude that its disclosure controls and procedures are ineffective.</p>
<p><strong>Steps to take</strong></p>
<p>Public companies should review the adequacy of their disclosure relating to cybersecurity risks and cyber incidents at present and on an ongoing basis.  This review could implicate different areas, including legal, accounting, privacy, information technology, risk management/insurance and corporate communications.  SEC disclosure considerations should be taken into account in terms of company preparation for cyber incidents and in applicable company policies, procedures and practices.  Finally, a public company should review its insurance coverage relating to cybersecurity and cyber incidents, if any, in light of the guidance (e.g., risk factor disclosure).</p>
<p>Melissa J. Krasnow, a partner in the Corporate Group of Dorsey &amp; Whitney LLP in Minneapolis, is a Certified Information Privacy Professional and serves on the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>Reproduced with permission from BNA’s Privacy &amp; Security Law Report, Vol. 10, No. 43 (Oct. 31, 2011). Copyright 2011 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>9th Circuit Grants Rehearing En Banc on Nosal</title>
		<link>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal</link>
		<comments>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal#comments</comments>
		<pubDate>Fri, 28 Oct 2011 19:17:08 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1034</guid>
		<description><![CDATA[On October 27, 2011, the 9th Circuit Court of Appeals ordered that U.S. v. Nosal be reheard en banc by all of the Appeals Court judges and that the &#8220;three-judge panel opinion [in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011)] shall not be cited as precedent by or to any court of the Ninth Circuit.&#8221; If the 9th Circuit should reverse its decision in Nosal, it is highly likely that this case will be headed for the U.S. Supreme Court. The 9th Circuit&#8217;s reversal of Nosal would create a conflict between the 9th Circuit and the 1st, 3rd, &#8230; <a href="http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
<content:encoded><![CDATA[<p>On October 27, 2011, the 9th Circuit Court of Appeals ordered that <em>U.S. v. Nosal</em> be reheard en banc by all of the Appeals Court judges and that the &#8220;three-judge panel opinion [in <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011)] shall not be cited as precedent by or to any court of the Ninth Circuit.&#8221;  If the 9th Circuit should reverse its decision in <em>Nosal</em>, it is highly likely that this case will be headed for the U.S. Supreme Court.  The 9th Circuit&#8217;s reversal of <em>Nosal</em> would create a conflict between the 9th Circuit and the 1st, 3rd, 5th, 7th, 8th and 11th Circuits on the issue of whether the Computer Fraud and Abuse Act can be applied in the employer/employee context.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Unauthorized Access of President Obama’s Student Loan Data Ends in Computer Fraud Conviction</title>
		<link>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction</link>
		<comments>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction#comments</comments>
		<pubDate>Tue, 06 Sep 2011 12:49:28 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1019</guid>
<description><![CDATA[The Eighth Circuit Court of Appeals upheld the criminal conviction of Sandra Teague for accessing President Obama’s data in the National Student Loan Data System during her employment at a government contractor for the Department of Education. U.S. v. Teague, 646 F.3d 1119 (8th Cir. 2011). She was indicted and convicted by a jury on one count of exceeding authorized access to a computer in violation of 18 U.S.C. § 1030(a)(2)(B) of the Computer Fraud and Abuse Act (“CFAA”). This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information &#8230; <a href="http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
<content:encoded><![CDATA[<p>The Eighth Circuit Court of Appeals upheld the criminal conviction of Sandra Teague for accessing President Obama’s data in the National Student Loan Data System during her employment at a government contractor for the Department of Education.  <em>U.S. v. Teague</em>, 646 F.3d 1119 (8th Cir. 2011).  She was indicted and convicted by a jury on one count of exceeding authorized access to a computer in violation of 18 U.S.C. § 1030(a)(2)(B) of the Computer Fraud and Abuse Act (“CFAA”).  This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information from a department or agency of the government.  She was sentenced to two years’ probation.  This decision is significant not because the victim of the computer intrusion was the President of the United States, but because it greatly expands the breadth and reach of the CFAA.</p>
<p>The proof at trial was wholly circumstantial, but, as the court found, was sufficient for the jury to convict.  As the court explained, “the government introduced evidence establishing that on August 27, 2008, Teague&#8217;s user ID accessed Obama&#8217;s records, as well as the records of Marc Martin, Teague&#8217;s nephew.  Critically, Teague admitted to conducting the Marc Martin search.  Furthermore, the government introduced testimony that there was no timeout between the Obama search and the Marc Martin search.  Based on this cumulative evidence, the jury could reasonably conclude the Obama search, which was part of one continuous session with the Marc Martin search, was also conducted by Teague.”  <em>Id</em>. at 1122.  In affirming the conviction, the court also relied on Teague’s trial testimony, which “was not particularly credible,” and her false exculpatory statements to Department of Education agents.  <em>Id</em>.</p>
<p>What is significant about the proof in this case is the lack of any evidence that Teague did anything with the information she accessed.  The proof at trial only showed that she had viewed Obama’s student loan records, not that she published them, used them or did anything with them.  Based solely on her viewing the Obama student loan data, the court found the government had proved the critical CFAA element of having obtained information.  Obtaining information is not only a critical element to prove unauthorized access to a government computer but is also a critical element to prove both certain criminal and civil violations of the CFAA for unauthorized access to private computers.</p>
<p>While not acknowledged in <em>Teague</em>, this decision is at odds with the First Circuit’s ruling 14 years ago in <em>U.S. v. Czubinski</em>, 106 F.3d 1069, 1078 (1st Cir. 1997), in which the court held that there was insufficient proof to affirm a CFAA conviction when Czubinski, an IRS employee, had exceeded his authorized access to the IRS computer but “merely” viewed restricted tax information relating to “friends, acquaintances, and political rivals.”  There must be a “showing of some additional end to which the unauthorized access is a means.”  <em>Id</em>.</p>
<p>Ultimately, the U.S. Supreme Court may have to resolve this split in the two circuit opinions.  Based on recent precedent, most notably <em>Morrison v. National Australia Bank, Ltd.</em>, 130 S.Ct. 2869 (2010), the Supreme Court, having warned against judicial legislating by engrafting requirements on a statute that are not supported by the plain language of the statute, is likely to side with <em>Teague</em>.  There is nothing in the plain language of the CFAA that requires proof of “some additional end to which the unauthorized access is a means.”  It simply requires proof of obtaining information.</p>
<p>Also, in light of privacy concerns and the dangers posed by the use of memorized data taken from the unauthorized access to computers, there is no good policy reason not to interpret “obtaining information” as simply viewing it.  By adopting the 1st Circuit’s limitation on the CFAA, there is nothing to stop the low-tech computer thief &#8212; someone who uses a cellphone to record the viewed data or copies it down with pen and paper with no evidentiary traces left on the computer.  In short, this case correctly broadens the reach of the CFAA beyond the 1st Circuit’s view in 1997 and is the likely view to be adopted by the Supreme Court.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Massachusetts Attorney General Enforcement Action: Data Breach, the Massachusetts Privacy Regulation and the Payment Card Industry Data Security Standard (PCI DSS)</title>
		<link>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss</link>
		<comments>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss#comments</comments>
		<pubDate>Tue, 23 Aug 2011 20:40:53 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1011</guid>
		<description><![CDATA[Melissa J. Krasnow, Dorsey &#38; Whitney LLP In March 2011, a Final Judgment by Consent was issued in Massachusetts v. Briar Group, LLC, which involves a 2009 Massachusetts data breach and implicates the Massachusetts privacy regulation and the Payment Card Industry Data Security Standard (&#8220;PCI DSS&#8221;).1 The Massachusetts privacy regulation applies to a person or entity that owns or licenses personal information about a Massachusetts resident, meaning their first and last name or first initial and last name in combination with a (i) Social Security Number, (ii) driver’s license or state‐issued identification card number or (iii) financial account number or &#8230; <a href="http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>Melissa J. Krasnow, Dorsey &amp; Whitney LLP</p>
<p>In March 2011, a Final Judgment by Consent was issued in Massachusetts v. Briar Group, LLC, which involves a 2009 Massachusetts data breach and implicates the Massachusetts privacy regulation and the Payment Card Industry Data Security Standard (&#8220;PCI DSS&#8221;).1</p>
<p>The Massachusetts privacy regulation applies to a person or entity that owns or licenses personal information about a Massachusetts resident, meaning their first and last name or first initial and last name in combination with a (i) Social Security Number, (ii) driver’s license or state‐issued identification card number or (iii) financial account number or credit card or debit card number. Such person or entity must implement and maintain a comprehensive, written information security program. The Massachusetts Attorney General enforces the Massachusetts privacy regulation. The deadline for compliance with the Massachusetts privacy regulation was March 1, 2010.2</p>
<p>The Payment Card Industry Security Standards Council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) sets and enforces PCI DSS, which contains requirements for a secure payments environment framework for any business that stores, processes or transmits payment cardholder data. For example, a business that accepts or processes payment cards must comply with PCI DSS.  Interestingly, the following three states have laws addressing compliance with PCI DSS – Minnesota (which is based on, but does not specifically reference, PCI DSS) and Nevada and Washington (which each specifically reference PCI DSS).3</p>
<p>The Briar Group, a Boston restaurant chain owner and operator, reported a data breach to the Massachusetts Attorney General on or around November 24, 2009. In April 2009, the Briar Group experienced a data breach when malcode was installed on its computer systems and allowed hackers access to customers&#8217; credit card and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009.</p>
<p>The Briar Group entered into an agreement to resolve the alleged claims of the Massachusetts Attorney General that the Briar Group engaged in unfair or deceptive acts or practices in violation of the Massachusetts consumer protection law by accepting credit cards and debit cards from consumers for transactions at its restaurants but failing to protect their personal information.4 Hackers using malware were possibly able to gain access to the computer system of the Briar Group and extract customer credit card and debit card information due to the failure of the Briar Group to implement basic data security measures.</p>
<p>Specifically, this included (i) failing to comply with PCI DSS, (ii) failing to change default user names and passwords on its Micros Point of Sale computer system, (iii) failing to change passwords in its computer network for more than five years, (iv) allowing multiple employees to share common usernames and passwords, (v) failing to modify passwords after employee termination or resignation, (vi) failing to adequately control the number of employees with administrative access to the Briar Group’s computer network, (vii) failing to properly secure remote access utilities and wireless network, (viii) continuing to accept consumer credit cards and debit cards when the Briar Group knew of a data breach and failing to alert its patrons to the data breach while malcode remained on its computer system and (ix) storing payment card information in clear text on its servers.</p>
<p>The Briar Group agreed to (i) comply with PCI DSS and verify its compliance with the Massachusetts Attorney General’s Office, (ii) not knowingly maintain on its network after the authorization process the full contents of the magnetic stripe of a credit card or debit card, or of any single track of such stripe, or the CVC2/CVV2/CID of any such card or the PIN or PIN block of any such card, (iii) implement, maintain and adhere to, and produce to the Massachusetts Attorney General’s Office, a written information security program under 201 CMR § 17.00, (iv) review the scope of its security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information under 201 CMR § 17.03(i), (v) implement security password management for portions of its computer system that store, process or transmit personal information (including its Micros Point of Sale computer systems), (vi) implement security password management where each person with access to its computer networks is assigned a unique ID and (vii) segment appropriately from the rest of its computer system the network‐based portions that store, process or transmit personal information, by firewalls, access controls or other appropriate measures. The Briar Group also was required to pay $110,000 in civil penalties to Massachusetts.</p>
<p>Finally, the Briar Group must contact a Qualified Incident Response Assessor to investigate a suspected data compromise if it receives notice from a credit card company, payment card processing company, bank or law enforcement agency requiring a forensic audit of its Point of Sale Systems and related infrastructure because a Common Point of Purchase or similar analysis linked fraudulent transactions to Briar Group establishments. If the Briar Group is unable to conclude whether a data compromise has occurred within 14 days of retaining a Qualified Incident Response Assessor, the Briar Group will (i) post conspicuous notice in each of its potentially affected establishments alerting customers that their debit cards and credit cards might be at risk due to a suspected data compromise and (ii) provide a copy of this consumer notice to the Massachusetts Attorney General’s Office.</p>
<p>Melissa J. Krasnow is a partner in the Corporate Group of Dorsey &amp; Whitney LLP who also is a Certified Information Privacy Professional and serves on the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>1 Commonwealth of Massachusetts v. Briar Group, LLC, Civ. No. 11‐1185B, Consent Judgment (Mass. Sup. Ct. Mar. 28, 2011).<br />
2 201 CMR § 17.00 et seq. (For additional information about the Massachusetts privacy regulation, please see Melissa J. Krasnow, Final Massachusetts Privacy Regulation: What is Required and How to Comply, Bloomberg Law Reports ‐ Risk &amp; Compliance, Vol. 2, No. 12 (Dec. 2009).)<br />
3 Minn. Stat. § 325E.64; Nev. Rev. Stat. § 603A.215; Rev. Code Wash. § 19.255.020. (For additional information about the Nevada and Washington laws, please see Melissa J. Krasnow, Revised Nevada Privacy Law Furthers Encryption and Payment Card Law Trends, Bloomberg Law Reports ‐ Technology Law, Vol. 1, No. 3 (Aug. 24, 2009), and Washington Continues the Trend of Encryption and Payment Card Laws, Bloomberg Law Reports ‐ Privacy Law, Vol. 3, No. 5 (June 2010).)<br />
4 Mass. Gen. Laws ch. 93A § 2.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Can a Labor Union Be Sued Under the Computer Fraud and Abuse Act for Spamming an Employer’s Voice and Email Systems?</title>
		<link>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems</link>
		<comments>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems#comments</comments>
		<pubDate>Mon, 08 Aug 2011 15:02:03 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1008</guid>
		<description><![CDATA[The answer is yes. The Sixth Circuit Court of Appeals last week reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails making it impossible for the company to communicate with its customers and vendors. Pulte Homes, Inc v. Laborers’ International Union of North America, 2011 WL 3274014 (6th Cir. Aug 2, 2011). This case is a good example of how the federal Circuit Courts of Appeal are taking control of the interpretation &#8230; <a href="http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>The answer is yes.  The Sixth Circuit Court of Appeals last week reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails making it impossible for the company to communicate with its customers and vendors.  <em>Pulte Homes, Inc v. Laborers’ International Union of North America</em>, 2011 WL 3274014 (6th Cir. Aug 2, 2011).  This case is a good example of how the federal Circuit Courts of Appeal are taking control of the interpretation of the scope of the CFAA away from the district courts and applying it expansively to protect computer technology.</p>
<p>“To generate a high volume of calls, . . . [the Union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder].  It also encouraged its members, through postings on its website, to &#8220;fight back&#8221; by using . . . [the Union’s] server to send e-mails to specific Pulte executives.  Most of the calls and e-mails concerned Pulte&#8217;s purported unfair labor practices, though some communications included threats and obscene language.”  <em>Id</em>. at *1.</p>
<p>As the court pointed out, “it was the volume of the communications, and not their content, that injured Pulte. The calls clogged access to Pulte&#8217;s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte&#8217;s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte&#8217;s employees could not access business-related e-mails or send e-mails to customers and vendors.”  <em>Id.</em></p>
<p>“Four days” into the onslaught, “Pulte&#8217;s general counsel contacted” the Union and requested that it “stop the attack because it prevented Pulte&#8217;s employees from doing their jobs.”  <em>Id</em>.  When the Union ignored his request, the company filed suit for, among other things, a violation of the CFAA for “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”  18 U.S.C. § 1030(a)(5)(A).  The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.”  <em>Id</em>. § 1030(e)(8).</p>
<p>The court, relying on the plain meaning of the terms “impairment,” “integrity,” and “availability,” concluded “that a transmission that weakens a sound computer system&#8211;or, similarly, one that diminishes a plaintiff&#8217;s ability to use data or a system&#8211;causes damage.” <em>Id</em>. at *4.  Here, the court found that the complaint alleged “just that” – “the transmissions diminished Pulte&#8217;s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails.”  <em>Id.</em></p>
<p>The court also found that the complaint alleged that the Union acted with the requisite intent under the statute to intentionally cause damage.  The court summed up the allegations in the complaint that showed that the Union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system”:</p>
<blockquote><p>(1) The union “instructed its members to send thousands of e-mails to three specific Pulte executives; (2) many of these e-mails came from . . . [the union’s] server; (3) . . . [the Union] encouraged its members to &#8220;fight back&#8221; after Pulte terminated several employees; (4) . . . [the union] used an auto-dialing service to generate a high volume of calls; and (5) some of the messages included threats and obscenity.  And although Pulte appears to use an idiosyncratic e-mail system, it is plausible . . . [the union] understood the likely effects of its actions&#8211;that sending transmissions at such an incredible volume would slow down Pulte&#8217;s computer operations. . . . [The Union’s] rhetoric of &#8220;fighting back,&#8221; in particular, suggests that such a slow-down was at least one of its objectives.”<br />
<em>Id</em>. at *6.</p></blockquote>
<p>This case is reflective of the pattern that has emerged over the past few years in the judicial interpretation of the CFAA.  The district courts have interpreted the CFAA narrowly, sometimes limiting it only to outside computer hacking, while the appeals courts have continued to interpret the statute broadly as a true federal omnibus computer crime statute outlawing all criminal activity directed at computers and computer systems.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Legal Minds Interview with Nick Akerman</title>
		<link>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman</link>
		<comments>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman#comments</comments>
		<pubDate>Fri, 29 Jul 2011 14:19:36 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Press]]></category>
		<category><![CDATA[LegalMinds Digital Magazine]]></category>
		<category><![CDATA[LegalMinds TV]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=920</guid>
<description><![CDATA[LegalMinds® Interviews Nick Akerman, Summer 2011, Vol. 2, No. 1 &#8220;In this exclusive LegalMinds® interview, Akerman discusses recent developments related to data security, identity theft, workplace and customer privacy issues, disclosure obligations and compliance with state laws and federal statutes, as well as several recent Supreme Court decisions that can have a significant impact on your internal policies and procedures.&#8221; Starts on Page 17. View the Video: The Legal Challenges of Privacy, Computer Fraud and Data Security &#8220;While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital &#8230; <a href="http://computerfraud.us/press/legal-minds-interview-with-nick-akerman">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
<content:encoded><![CDATA[<p><a href="http://www.legalmindsmagazine.com/legalmindsmagazine/summer2011#pg1"><img class="size-medium wp-image-922 alignleft" title="legalminds-2011-cover" src="http://computerfraud.us/files/2011/07/legalminds-2011-cover-231x300.jpg" alt="LegalMinds®  Digital Magazine, Summer 2011" width="231" height="300" /></a><a href="http://www.legalmindsmagazine.com/legalmindsmagazine/summer2011#pg1" target="_self">LegalMinds® Interviews Nick Akerman</a>, Summer 2011, Vol. 2, No. 1</p>
<p>&#8220;In this exclusive LegalMinds®  interview, Akerman discusses recent developments related to data security, identity theft, workplace and customer privacy issues, discloseure obligations and compliance with state laws and federal statues, as well as several recent Supreme Court decisions that can have a significant impact on your internal policies and procedures.&#8221;</p>
<p>Starts on Page 17.</p>
<hr /><a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/"><img class="size-medium wp-image-925 alignleft" title="legalminds-video" src="http://computerfraud.us/files/2011/07/legalminds-video-300x184.jpg" alt="Legal Minds Video" width="231" height="115" /></a>View the Video: <a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/">The Legal Challenges of Privacy, Computer Fraud and Data Security</a></p>
<p>&#8220;<em>While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital Age they can easily take other vital and proprietary assets in their pocket with them. Read the blog post at <a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/">LegalMinds TV</a></em>&#8221;</p>
<hr />
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will News Corp. Executives and Reporters Be Charged with Criminal Violations of the Computer Fraud and Abuse Act?</title>
		<link>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2</link>
		<comments>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2#comments</comments>
		<pubDate>Fri, 22 Jul 2011 21:46:42 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=913</guid>
		<description><![CDATA[The New York Times recently reported that the UK telephone hacking scandal could result in News Corp. and its executives being charged in the United States with criminal violations of the Foreign Corrupt Practices Act, Title 15, U.S.C. § 78m, the Electronic Communications Privacy Act, 18 U.S.C. § 2511, and the Telephone Records and Privacy Protection Act, 18 U.S.C. § 1039. See NYT, &#8220;News Corp. Braces for Legal Trouble in the U.S.,&#8221; July 18, 2011. What the New York Times, as well as all of the politicians and pundits who have commented on this issue, failed to mention is that &#8230; <a href="http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>The <em>New York Times</em> recently reported that the UK telephone hacking scandal could result in News Corp. and its executives being charged in the United States with criminal violations of the Foreign Corrupt Practices Act, Title 15, U.S.C. § 78m, the Electronic Communications Privacy Act, 18 U.S.C. § 2511, and the Telephone Records and Privacy Protection Act, 18 U.S.C. § 1039.  See <em>NYT</em>, &#8220;News Corp. Braces for Legal Trouble in the U.S.,&#8221; July 18, 2011.  What the New York Times, as well as all of the politicians and pundits who have commented on this issue, failed to mention is that the federal Computer Fraud and Abuse Act (“CFAA”) is the federal criminal statute that most neatly fits the alleged crimes of hacking into voice mails and telephone records.  Title 18, U.S.C. §1030.</p>
<p>The CFAA is the omnibus federal computer crime statute that, among other things, makes it a crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” §1030(a)(2)(C). There is little doubt that the information News Corp.’s reporters allegedly obtained, the voice mails and telephone records, were data files from computers, and there is also no question that the access to the computers through which the News Corp. reporters allegedly obtained the voice mails and telephone information was not authorized.</p>
<p>The CFAA’s definition of a &#8220;computer&#8221; covers every conceivable type of computer. §1030(e)(1). As the defendant correctly claimed in <em>U.S. v. Mitra</em>, 405 F.3d 492, 495 (8th Cir. 2005), “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” Thus, whatever type of computer the News Corp. reporters retrieved the voice mails and other personal information from, it almost certainly qualifies as a computer under the CFAA.</p>
<p>As stated above, to be guilty of the crime the reporter must not only have accessed a computer; the information must also have been obtained from a “protected computer,” defined by the CFAA as a computer “used in interstate or foreign commerce or communication.” §1030(a)(2)(B). But what is of particular relevance to the News Corp. situation is that this definition extends to any computer “located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” In other words, any computer anywhere in the world that communicates with the United States through email is subject to the CFAA and can form the basis for a criminal prosecution in the United States.</p>
<p>While it is theoretically possible that a News Corp. reporter could be charged with criminal violations of the CFAA for accessing a computer in the UK, it is highly unlikely that the Department of Justice would prosecute a case that thus far appears to be solely a UK crime. However, to the extent the current FBI investigation uncovers evidence of any U.S. connection, such as the alleged retrieval of voice mails from 9/11 victims, the CFAA is likely to be the Justice Department’s criminal statute of choice for the News Corp. reporters and executives who initiated the hacking.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Largest Expansion of Domain Name System in History: New Domain Name Plan Approved by ICANN on June 20, 2011</title>
		<link>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011</link>
		<comments>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011#comments</comments>
		<pubDate>Tue, 21 Jun 2011 14:56:14 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=894</guid>
		<description><![CDATA[By Jamie M. Nafziger, partner Dorsey &#38; Whitney Yesterday, ICANN approved the launch of its new generic top level domain name (gTLD) plan.  It will accept applications for new gTLDs from January 12, 2012, to April 12, 2012.  Under ICANN’s plan, anyone can apply to own and manage a gTLD, the part after the dot.  However, the expense for doing so is expected to exceed $500,000 over the first eighteen to twenty-four months, with significant yearly expenses thereafter. This move follows years of ICANN wrangling with brand owners and governments over opposition to the plan.  It is expected that the &#8230; <a href="http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>By Jamie M. Nafziger, partner Dorsey &amp; Whitney</p>
<p>Yesterday, ICANN approved the launch of its new generic top level domain name (gTLD) plan.  It will accept applications for new gTLDs from January 12, 2012, to April 12, 2012.  Under ICANN’s plan, anyone can apply to own and manage a gTLD, the part after the dot.  However, the expense for doing so is expected to exceed $500,000 over the first eighteen to twenty-four months, with significant yearly expenses thereafter.</p>
<p>This move follows years of ICANN wrangling with brand owners and governments over opposition to the plan.  It is expected that the new gTLDs will not be functioning until 2013.  Even if brand owners do not want to acquire their own gTLD, there will be several relevant periods for defensively protecting their brands.  The first will be protecting their brands from being registered as gTLDs by others.  The second will involve defensively protecting their brands as second level domain names in the new gTLDs. The final ICANN plan includes a trademark clearinghouse, a uniform rapid suspension system (URS) and a post-delegation dispute resolution procedure (PDDRP), all of which can be used by brand owners to help protect their brands. One controversial aspect of the draft plan that would require brand owners to prove use of their trademarks before they could be included in the trademark clearinghouse was maintained in the final plan approved by the ICANN Board.</p>
<p>Dorsey &amp; Whitney’s Trademark, Copyright and Brand Management Group would be pleased to assist your company in planning for the new gTLD launch. If you have questions, please contact Jamie M. Nafziger at nafziger.jamie@dorsey.com.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Practical Steps in Responding to a Data Breach</title>
		<link>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach</link>
		<comments>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach#comments</comments>
		<pubDate>Thu, 05 May 2011 21:18:19 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=891</guid>
		<description><![CDATA[By Nick Akerman and Melissa Krasnow. Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey &#38; Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board. What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in &#8230; <a href="http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>By Nick Akerman and Melissa Krasnow.<br />
Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey &amp; Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data?  California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach.  Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft.  This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.</p>
<p>The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data.  See, e.g., Calif. Civ. Code §1798.82.  Some states also necessitate determining whether there is a “risk of harm” from the breach to such individuals.  See, e.g., Conn. Gen. Stat. §36a-701b(b).  These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account.  A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f).  When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information.  45 CFR Parts 160 and 164, Subpart D.  The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.</p>
<p>Enforcement of these state laws varies. The California law provides for lawsuits by private individuals who have been injured by virtue of not being notified. Calif. Civ. Code §1798.84(b). A number of states, like New York and Minnesota, charge the State Attorney General with enforcement. N.Y. Gen. Bus. Law §899-aa6(a); M.S.A. §325E.61. Finally, some state laws provide for fines of varying amounts. N.Y. Gen. Bus. Law §899-aa6(a); Fla. Stat. Ann §817.5681(1)(b).</p>
<p>There is no foolproof way to guard against computer hackers or the theft of an employee laptop. One preventative measure to minimize the risk of a data breach is to establish a data compliance program, which a recent Massachusetts privacy regulation requires. 201 CMR 17.00 et seq. Such a program mandates appointing a security coordinator, establishing security policies, minimizing risks from employees and third parties that have contact with the company’s personal data, training the workforce, regularly auditing the program, enforcing the policies, and establishing protocols for responding to data incidents and breaches.</p>
<p>A key component of this proactive approach is encrypting personal data so if it is compromised, it is not automatically exposed and cannot be easily deciphered.  The state laws generally do not apply when the personal data involved in a breach are encrypted.  Also, the Massachusetts privacy regulation requires all personal data to be encrypted if transmitted via the Internet or wirelessly or stored on laptops or portable devices.  201 CMR 17.04.</p>
<p>A company must stand ready to respond once aware or informed of a possible or actual data incident or breach. There should be a mechanism for reporting a possible or actual data incident or breach, and employees should be sensitized to its importance. Time is of the essence in determining whether a data breach has occurred or is likely to occur, and whether notification is required or advisable. If notification is required or advisable, then providing it must also be done quickly. Although a number of states, such as California, provide leeway by requiring that notice be provided in the “most expedient time possible and without unreasonable delay,” other states, such as Wisconsin, define a more precise time period. Calif. Civ. Code §1789.82(a); Wis. Stat. §134.98.</p>
<p>Suspicion that a data breach may have occurred and having a “reasonable basis” to believe a data breach actually occurred requiring notification is a distinction with practical consequences.  For example, that two Web site customers complain within 24 hours that someone used their credit card information to buy merchandise on other Web sites does not mean that your company’s Web site was necessarily breached.  It is suspicious and should cause your company to investigate whether the site was breached or whether it was simply a coincidence having nothing to do with the integrity of the company’s Web site.</p>
<p>For that reason, it is critical your company be investigative-ready before the issue arises.  Investigative-ready means selecting in advance a person or firm who will conduct the investigation of a company’s computer network and equipment.  That computer investigator should be forensically trained and experienced in testifying in court and have credibility with the government agencies the company may ultimately have to convince that it acted properly and reasonably, particularly if it is determined that there is no factual basis to conclude that a data breach occurred.</p>
<p>State laws generally permit notification to “be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” See, e.g., Calif. Civ. Code §1798.82(c). Notifying law enforcement of a data breach has three practical effects: it may delay when notification must be made; it is a common element of notifications to state attorneys general, regulators and affected individuals; and it sends a message to affected individuals that your company is taking an important step to protect them.</p>
<p>If a data breach is determined to have occurred and it is determined that notification of affected individuals is required or advisable, the different state law requirements for notification must be considered. One notable example is that the Massachusetts law does not permit notification of affected individuals of “the nature of the breach.” Instead, the notification must advise about “the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.” Mass. Gen. Laws, Ch. 93H, §3(a). For a breach involving medical information that also is determined to be a breach of protected health information under the HITECH Act, those requirements also must be addressed.</p>
<p>In addition to notifying affected individuals, a company must also notify state attorneys general, state regulators or consumer reporting agencies under some state laws. New York and North Carolina each require a particular notification to the State AG, and New York also requires a particular notification to the New York Consumer Protection Board and Office of Cyber Security. N.C. Gen. Stat. § 75-65(f); N.Y. Gen. Bus. Law §899-aa8(a). New Jersey requires notification to the state police. N.J. Stat. §56:8-163(12.c.).</p>
<p>Because these notifications are likely to be publicized in the press and via the Internet, they should be drafted accordingly.  For example, notifications sent to the New Hampshire Attorney General are automatically posted on the state attorney general’s Web site (http://doj.nh.gov/consumer/breaches.html).  Although not required by law, it is common to include an offer in the notifications for free identity-theft services.  Public companies should also consider whether disclosure should be made in their filings with the U.S. Securities and Exchange Commission.</p>
<p>Finally, a company’s responsive actions to the data incident or breach should be carefully documented. If asked by any regulator or sued, a company must be able to credibly explain the cause of the incident or breach and the basis for determining whether notification should be made. The Massachusetts regulation and best practices also dictate that a company conduct a post-incident review to analyze lessons learned, to prevent future incidents and breaches, and to make any changes to the company’s practices for protecting personal data, including becoming aware of and responding to a data incident or breach.</p>
<p>There have been calls for data-breach notification to be more uniform and the subject of a federal law.  Recently, the U.S. Department of Commerce issued a green paper on privacy recommending consideration of a comprehensive commercial data-breach framework for electronic records that includes notification provisions; encourages companies to implement strict data-security protocols; and allows states to build upon the existing framework in limited ways, tracking the effective protections from state laws.  Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010).  But until a federal data-breach law that pre-empts the state laws is enacted, the state laws must continue to be followed.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>9th Circuit Clarifies Brekka:  Employees Can Be Criminally Prosecuted for Violating Their Employer’s Computer Policies</title>
		<link>http://computerfraud.us/recent-updates/can-employees-be-criminally-prosecuted-for-violating-their-employer%e2%80%99s-computer-policies</link>
		<comments>http://computerfraud.us/recent-updates/can-employees-be-criminally-prosecuted-for-violating-their-employer%e2%80%99s-computer-policies#comments</comments>
		<pubDate>Fri, 29 Apr 2011 12:48:56 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=866</guid>
		<description><![CDATA[In California, Washington, Oregon, Alaska, Montana, Arizona, Nevada and Idaho – states covered by the 9th Circuit Court of Appeals &#8212; the answer as of yesterday is an emphatic “YES.” In U.S. v. Nosal, 2011 WL 1585600 (9th Cir. April 28, 2011) the court clarified its decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) which up until now was considered to be a bar to using the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute, against employees who stole their employer’s computer data. This case places the 9th Circuit in sync &#8230; <a href="http://computerfraud.us/recent-updates/can-employees-be-criminally-prosecuted-for-violating-their-employer%e2%80%99s-computer-policies">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>In California, Washington, Oregon, Alaska, Montana, Arizona, Nevada and Idaho – states covered by the 9th Circuit Court of Appeals &#8212; the answer as of yesterday is an emphatic “YES.”  In <em>U.S. v. Nosal</em>, 2011 WL 1585600 (9th Cir. April 28, 2011) the court clarified its decision in <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1131 (9th Cir. 2009) which up until now was considered to be a bar to using the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute, against employees who stole their employer’s computer data.  This case places the 9th Circuit in sync with the other Circuit Courts that permit the CFAA to be used against employees who steal data from the company computers.</p>
<p>The CFAA, while primarily a criminal statute, permits victims of computer crime, including companies, to bring civil actions for damages and injunctive relief based on violations of the statute. Title 18, U.S.C. §1030. A key element in proving either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.” <em>Brekka</em> has been cited for the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.</p>
<p>David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the company computers prior to joining a competitor.  Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.”  <em>Id</em>. at *2.  According to the Indictment, these employees, “using their user accounts to access the Korn/Ferry computer system” “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – a ‘highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’”  <em>Id.</em></p>
<p>The district court had originally upheld the CFAA counts against Nosal based on precedent in other Circuits but changed its decision and dismissed the counts after the <em>Brekka</em> decision.  The government appealed, relying on Korn/Ferry’s computer policies that restricted the scope of employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id</em>.  The government argued that based on these policies, Nosal had exceeded authorized access. </p>
<p>The court agreed with the government, citing the statutory definition of “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” in the statutory definition “refers to an accesser who is not entitled to access information in a certain manner.” <em>Id</em>. at *4. Thus, the court held that “an employee ‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” <em>Id</em>.</p>
<p><em>Nosal</em> distinguished its prior decision in <em>Brekka</em> on the facts &#8212; “[b]ecause LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether – or when – his access would have become unauthorized.” <em>Id.</em> at *6. The key difference was the Korn/Ferry computer policies. The court concluded “as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent.” <em>Id.</em> Thus, “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” The court emphasized, “[i]t is as simple as that.” <em>Id.</em></p>
<p>Finally, the court directly responded to Nosal’s argument that its decision “will make criminals out of millions of employees who might use their work computers for personal use, for example to access their personal email accounts or to check the latest college basketball scores.” <em>Id.</em> at *7. The court pointed out that the CFAA “does not criminalize the mere violation of an employer’s use restrictions.” <em>Id</em>. Rather, the employee must evince an intent to defraud and take something of value. Thus, there must be more than “[s]imply using a work computer in a manner that violates an employer’s use restrictions.” <em>Id.</em></p>
<p>This case is all about instituting clear and conspicuous computer use policies. (“Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employee’s access to the system in general and to the Searcher database in particular.” <em>Id</em>.) The major takeaway from the <em>Nosal</em> decision is that every company that is serious about protecting its computer data should have comprehensive computer policies that clearly spell out the scope of their employees’ authorization to access the company computers. It is no longer a viable option to do nothing.</p>
<div style='clear:both'></div>Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/can-employees-be-criminally-prosecuted-for-violating-their-employer%e2%80%99s-computer-policies/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Not to Investigate a Suspected Data Theft</title>
		<link>http://computerfraud.us/articles/how-not-to-investigate-a-suspected-data-theft</link>
		<comments>http://computerfraud.us/articles/how-not-to-investigate-a-suspected-data-theft#comments</comments>
		<pubDate>Wed, 16 Mar 2011 21:31:16 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=829</guid>
		<description><![CDATA[There are few reported cases that reflect the problems that can result from computer investigations being inexpertly performed. U.S. v. Koo, 2011 WL 777965 (D. Or. March 1, 2011), decided this month by an Oregon federal district court, illustrates what can go wrong when a novice directs a computer investigation. The underlying facts of the case are not atypical. Lawrence Hoffman, the owner of a manufacturer and distributor of after-market auto parts known as the Hoffman Group, discovered on eBay that JES Suppliers, LLC was offering to sell one of his products. A corporate records check revealed that JES Suppliers &#8230; <a href="http://computerfraud.us/articles/how-not-to-investigate-a-suspected-data-theft">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>There are few reported cases that reflect the problems that can result from computer investigations being inexpertly performed.  <em>U.S. v. Koo</em>, 2011 WL 777965 (D. Or. March 1, 2011), decided this month by an Oregon federal district court, illustrates what can go wrong when a novice directs a computer investigation.  </p>
<p>The underlying facts of the case are not atypical.  Lawrence Hoffman, the owner of a manufacturer and distributor of after-market auto parts known as the Hoffman Group, discovered on eBay that JES Suppliers, LLC was offering to sell one of his products.  A corporate records check revealed that JES Suppliers had been incorporated by a former Hoffman employee and two current employees, including Shegbao Wu, who worked for a Hoffman Group subsidiary in China where he managed the design and manufacture of products.  <em>Id.</em> at *1.  </p>
<p>As part of his investigation, Hoffman asked Wu to return from China to company headquarters in the U.S. under the pretext of discussing company business.  While Wu was at the company office, Hoffman asked Wu to leave his company-owned laptop computer so that it could be replaced with an upgraded computer.   The individual who took possession of Wu’s computer was an outside computer analyst hired to examine it.  In examining the computer, “the computer analyst opened a folder named &#8220;private&#8221; [in Wu’s laptop containing documents allegedly relating to JES Suppliers, LLC] and moved it to the laptop desktop” from which he “copied selected parts of the &#8220;private&#8221; folder onto a USB external hard drive device using” ordinary business software rather than a standard forensic tool.  <em>Id</em>. at *2.  </p>
<p>Thereafter, “Hoffman took the laptop home and, over the course of two days, periodically booted it up and looked around.”  <em>Id</em>.  Hoffman later “testified he &#8220;could have&#8221; moved files, but did not delete files and did not run the defragmentation utility” and “made &#8220;screen shots&#8221; of a chat program contact list, which he saved to a subfolder in the &#8220;private&#8221; folder he named ‘QQ.’”  <em>Id.</em>  </p>
<p>Hoffman provided both the laptop and the software backup of the private folder to the FBI.  As a result, Wu and the other two incorporators of JES Suppliers were indicted for various federal crimes, including conspiracy, wire fraud, theft of trade secrets and computer fraud.  As part of their pretrial motions, the defendants moved to exclude the backup of the private folder and the laptop from the evidence to be offered by the government at their criminal trial.  The court held a pre-trial evidentiary hearing on the motion.</p>
<p>The defendants attacked the software backup of the private files copied from Wu’s computer on two grounds.  First, they claimed “that computer data can be changed or deleted, and a savvy computer user can cover up such work.”  <em>Id</em>. at *5.  From that premise the defendants asserted that the computer analyst “and Hoffman could have uploaded incriminating information onto Wu&#8217;s computer, altered the dates associated with that information&#8217;s uploading, installed . . . [the business software] to overwrite the data associated with that change, and then made a selective digital image of the hard drive to turn over to the FBI.” <em> Id.</em>  The court found no evidence to support the defendants’ position and held that “[t]he mere possibility that the logs may have been altered goes only to the weight of the evidence not its admissibility.”  <em>Id</em>.   </p>
<p>Second, the defendants attacked the software backup of the private folder on the ground that the software used to make the backup was not forensic software and thus “failed to capture all of the data on the laptop.”  <em>Id</em>.  The defendants correctly argued that the business software backup was not “a bit-for-bit copy known as a ‘forensic image,’” did not record the hash values of the files (the cryptographic digests that serve as digital fingerprints), and did not capture the computer’s unallocated space, where deleted files reside.   <em>Id</em>. at *6.  The court nevertheless found that the government had met its burden under Fed. R. Evid. 901 of showing authenticity and relevancy, and held that the incompleteness of the evidence goes to the government’s burden of proof and is a point the defense was free to argue to the jury.  </p>
<p>While admitting the software backup of the private folder, the court reached the opposite conclusion on the admissibility of the Wu laptop.  The court granted the defendants’ motion to exclude the laptop because the government could not “make a prima facie showing that the Laptop image was in ‘substantially the same condition’ as the laptop seized from Wu.” <em>Id</em>. at *7.  The court relied not only on hearing evidence of Hoffman’s personal animus against Wu, shown by the civil lawsuit Hoffman had filed against him, but found “[m]ost importantly” that “the evidence adduced at the hearing supports the notion that Hoffman tampered with the laptop, which resulted in the FBI imaging ‘bad stuff.’”  <em>Id</em>. at *8.  </p>
<p>That evidence included Hoffman’s own admission “to booting the computer up and perusing its content over the course of two days” and the testimony of the defendants’ expert that, “from his forensic examination of the two Images, between the time the . . . [software backup] was made and the time the FBI took possession of the laptop, over 1,000 files or folders were accessed, altered, or deleted,” and that there were “285 files on the . . . [software backup] Image that were absent from the Laptop Image.”  <em>Id.</em></p>
<p>This case provides two clear lessons to any company that suspects one of its employees of stealing data.  First, as a general rule it is usually not a good idea for someone in the organization, particularly a small organization, to conduct the investigation into the suspected theft when the employer could be accused of bias against the employee.  The court found that Hoffman was biased because he had filed a civil action against Wu and the other defendants “the day before he obtained Wu’s laptop.”  <em>Id</em>. at *7.  Any issues of bias could have been eliminated if the investigation had been conducted at the direction of outside counsel with expertise in computers and criminal investigations.  Hoffman should never have been directing the computer analyst or personally reviewing the computer.    </p>
<p>Second, it is critical to hire a qualified computer forensic examiner to conduct the computer examination.  What is striking about this case is that the computer examiner hired by Hoffman neither used forensic software to copy the private folder nor imaged the entire computer.  Instead, he used business software that could not capture even the complete folder, let alone image the entire computer so as to preserve it in the exact condition in which it was retrieved from Wu.  Hoffman then kept the laptop and reviewed it himself, leaving himself open to charges of manipulating, deleting and changing the laptop data.   </p>
<p>Indeed, without attributing any bad motive to Hoffman, his booting and browsing of Wu’s computer would necessarily, if unwittingly, have altered date and time stamps and overwritten deleted files that could have provided valuable evidence.  There is more to a computer investigation than simply hiring an investigator.  What is critical is that the investigation be coordinated by an attorney with expertise in computer crime, to ensure that the necessary computer evidence is gathered and preserved, that proper procedures are followed, including the use of state-of-the-art forensic techniques and software, and that a chain of custody for the computer evidence is maintained to rebut any claim that the evidence is not in the same condition as when it was first retrieved in the investigation. </p>
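<p>The distinction the defendants drew in <em>Koo</em> between a file-level backup and a bit-for-bit forensic image, and the court’s finding that booting the laptop altered it, can be shown in a few dozen lines.  The following is an added example written for this page, not code from the case, the examiner or the author.  It models a disk as a handful of fixed-size sectors with a directory of live files (an assumption made for illustration, not a real file system), takes a full image and a selective copy of the same volume, records the image’s SHA-256 hash as the chain-of-custody fingerprint, carves a deleted-file remnant out of unallocated space, and then simulates an ordinary boot writing housekeeping data into free space so that both the hash check and the carving fail.  Every file name, string and examiner label in it is constructed.</p>

```python
import hashlib

# Constructed toy volume for illustration: six fixed-size "sectors" and a
# directory of live files. Assumption made for this example; it is not a real
# file system and none of the contents come from U.S. v. Koo.
SECTOR = 64
NUM_SECTORS = 6
DELETED_REMNANT = b"DRAFT: transfer CAD files to JES"   # constructed


def build_sample_volume():
    """Return (volume_bytes, directory). Sectors 0 and 1 hold live files listed
    in the directory; sector 2 holds a deleted file whose directory entry is
    gone but whose bytes were never overwritten (unallocated-space evidence)."""
    vol = bytearray(SECTOR * NUM_SECTORS)
    directory = {}
    for name, sector, payload in (
        ("private/pricing.txt", 0, b"JES wholesale price list v2"),
        ("private/contacts.txt", 1, b"supplier contacts (constructed)"),
    ):
        vol[sector * SECTOR:sector * SECTOR + len(payload)] = payload
        directory[name] = (sector, len(payload))
    vol[2 * SECTOR:2 * SECTOR + len(DELETED_REMNANT)] = DELETED_REMNANT
    return bytes(vol), directory


def sha256(data):
    """Hash value: the digital fingerprint of an image or file."""
    return hashlib.sha256(data).hexdigest()


def forensic_image(volume):
    """Bit-for-bit copy of every sector, allocated or not."""
    return bytes(volume)


def selective_copy(volume, directory):
    """What a file-level backup tool produces: live files by name, nothing else."""
    return {name: volume[s * SECTOR:s * SECTOR + n] for name, (s, n) in directory.items()}


def unallocated_sectors(volume, directory):
    """Sectors no live file occupies; this is where deleted files reside."""
    used = {s for s, _ in directory.values()}
    return [i for i in range(len(volume) // SECTOR) if i not in used]


def carve_strings(volume, sectors, min_len=8):
    """Crude string carving over the given sectors, the simplest form of
    deleted-file recovery from a full image."""
    found, run = [], bytearray()
    for i in sectors:
        for b in volume[i * SECTOR:(i + 1) * SECTOR] + b"\x00":
            if 32 <= b < 127:
                run.append(b)
                continue
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def acquisition_record(image, examiner):
    """Chain-of-custody entry written at the moment of acquisition."""
    return {"examiner": examiner, "size": len(image), "sha256": sha256(image)}


def verify_image(record, image):
    """Re-hash later (for example before trial) and compare to the acquisition hash."""
    return len(image) == record["size"] and sha256(image) == record["sha256"]


def simulate_booting_and_browsing(volume, directory):
    """Model of what an ordinary boot does: the operating system writes its own
    housekeeping data (recent-file lists, logs, caches) into the first free
    space, and free space is exactly where deleted-file remnants live."""
    vol = bytearray(volume)
    first_free = unallocated_sectors(volume, directory)[0]
    housekeeping = b"recent: private/pricing.txt private/contacts.txt"   # constructed
    vol[first_free * SECTOR:first_free * SECTOR + len(housekeeping)] = housekeeping
    return bytes(vol)


def run_demo():
    """Acquire, fingerprint, carve, then show what a boot does to all three."""
    volume, directory = build_sample_volume()
    image = forensic_image(volume)
    record = acquisition_record(image, "outside examiner (constructed)")
    free = unallocated_sectors(image, directory)
    after_boot = simulate_booting_and_browsing(volume, directory)
    remnant = DELETED_REMNANT.decode("ascii")
    return {
        "image_verifies": verify_image(record, image),
        "remnant_in_image": remnant in carve_strings(image, free),
        "remnant_in_selective_copy": any(
            DELETED_REMNANT in data for data in selective_copy(volume, directory).values()),
        "booted_laptop_verifies": verify_image(record, after_boot),
        "remnant_after_boot": remnant in carve_strings(after_boot, free),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

<p>The selective copy never contains the remnant at all, which is the defendants’ “failed to capture all of the data” point, and after the simulated boot the acquisition hash no longer matches and the remnant is gone, which is the evidentiary gap that got the laptop excluded: with no hash recorded at seizure and the device used in the meantime, the government could not show it was in substantially the same condition.</p>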
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/how-not-to-investigate-a-suspected-data-theft/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sex Crimes, Cell Phones and the Computer Fraud and Abuse Act</title>
		<link>http://computerfraud.us/articles/sex-crimes-cell-phones-and-the-computer-fraud-and-abuse-act</link>
		<comments>http://computerfraud.us/articles/sex-crimes-cell-phones-and-the-computer-fraud-and-abuse-act#comments</comments>
		<pubDate>Fri, 18 Feb 2011 18:10:45 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=824</guid>
		<description><![CDATA[If anyone deserves a longer sentence, it is a sex offender who victimizes minors. But no one would ever have anticipated that a sex offender would receive extra prison time for using a basic cell phone in the furtherance of his crime. Last week the Eight Circuit Court of Appeals upheld the enhanced sentence of the defendant Neil Kramer who pleaded guilty to transporting a female minor in interstate commerce with the intent to engage in criminal sexual activity, Title 18, U.S.C. § 2423(a). Kramer&#8217;s prison sentence was increased by an extra 2 1/3 years because he had used his &#8230; <a href="http://computerfraud.us/articles/sex-crimes-cell-phones-and-the-computer-fraud-and-abuse-act">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>If anyone deserves a longer sentence, it is a sex offender who victimizes minors.  But no one would ever have anticipated that a sex offender would receive extra prison time for using a basic cell phone in the furtherance of his crime.  Last week the Eight Circuit Court of Appeals upheld the enhanced sentence of the defendant Neil Kramer who pleaded guilty to transporting a female minor in interstate commerce with the intent to engage in criminal sexual activity, Title 18, U.S.C. § 2423(a).  Kramer&#8217;s prison sentence was increased by an extra 2 1/3 years because he had used his cell phone to make calls and text messages to the victim for a six-month period leading up to the offense.  <em>U.S. v. Kramer</em>, 2011 WL 383710 (8th Cir. Feb. 8, 2011).  In total Kramer was sentenced to over 13 years in prison.  </p>
<p>Under the Federal Sentencing Guidelines, the sentencing judge is permitted to increase the sentence for the crime to which Kramer pled guilty if a computer, as that term is defined in 18 U.S.C. § 1030(e)(1) of the Computer Fraud and Abuse Act (“CFAA”), is used to facilitate the offense.  Based on its finding that the cell phone is a computer, the court increased Kramer’s sentence by 28 months.  </p>
<p>This case illustrates the breadth with which the federal courts are interpreting the definition of a computer.  Indeed, the Circuit Court quoted Steve Wozniak, the co-founder of Apple Computer, for the proposition that “Everything has a computer in it nowadays.”  <em>Id</em>. at *1.  This case not only has ramifications for increasing the length of prison sentences for federal crimes, but it also expands the reach of the CFAA, the federal computer crime statute, to ordinary cell phones.  </p>
<p>  Kramer appealed his sentence claiming “(1) that application of the enhancement was procedural error because a cellular telephone, when used only to make voice calls and send text messages, cannot be a &#8220;computer&#8221; as defined in 18 U.S.C. § 1030(e)(1), and (2) that even if a phone could be a computer, the government&#8217;s evidence was insufficient to show that his phone met that definition.”  <em>Id</em>.   The Appeals Court, however, disagreed and affirmed Kramer’s sentence.</p>
<p>First, the court rejected Kramer’s argument that a basic cell phone used only to make calls and send text messages could not be a computer because it did not access the Internet.  The court relied on the “exceedingly broad language” of § 1030(e)(1): “[i]f a device is ‘an electronic . . . or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.”  <em>Id</em>. at *2.  The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.”  <em>Id.</em></p>
<p>Second, the court found that the government provided sufficient evidence that the cell phone was a computer.  That proof consisted of “the phone&#8217;s user&#8217;s manual and a printout from Motorola&#8217;s website describing the phone&#8217;s features.”  <em>Id.</em> at *3.  Thus, the court found that the evidence showed that in making calls the phone’s “processor performs arithmetic, logical, and storage functions.”  <em>Id</em>.  The court also found that “the phone keeps track of the ‘Network connection time,’ which is ‘the elapsed time from the moment [the user] connect[s] to [the] service provider&#8217;s network to the moment [the user] end[s] the call by pressing [the end key]’” and that “[t]his counting function alone is sufficient to support a finding that the phone is performing logical and arithmetic operations when used to place calls.”  <em>Id.</em></p>
<p>As to the phone’s texting function, the court further found that the phone performed the following computer functions: (1) “the phone stores sets of characters that are available to a user when typing a message” and “[a]s the user types, the phone keeps track of the user&#8217;s past inputs and displays the ‘entered text,’. . .  i.e., the message being composed,” (2) “[t]he user may also delete characters previously entered, either ‘one letter at a time’ or all at once,” and (3) “the phone allows the users to ‘set different primary and secondary text entry modes, and easily switch between modes as needed when [they] enter data or compose a message,’ including &#8220;iTAP&#8221; mode which uses ‘software’ to ‘predict[ ] each word’ as it is entered.”  <em>Id.</em></p>
<p>It is hard to argue with the logic of this decision in light of the broad definition of a “computer” set forth in the CFAA, and the decision is therefore likely to be followed by other courts.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/sex-crimes-cell-phones-and-the-computer-fraud-and-abuse-act/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>How Do You Sue an Unknown Hacker Who Steals Data through the Company Web Site</title>
		<link>http://computerfraud.us/articles/how-do-you-sue-an-unknown-hacker-who-steals-data-through-the-company-web-site</link>
		<comments>http://computerfraud.us/articles/how-do-you-sue-an-unknown-hacker-who-steals-data-through-the-company-web-site#comments</comments>
		<pubDate>Mon, 07 Feb 2011 20:22:33 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=820</guid>
		<description><![CDATA[In Liberty Media Holdings, LLC. v. Does 1-59, 2011 WL 292128 *3 (S.D.Cal. Jan. 25, 2011) unknown individuals hacked into Liberty Media Holdings’ web servers and obtained “certain motion pictures” that it “reproduced and distributed . . . onto their local hard drives and other storage devices.” Not knowing the identity of these hackers Liberty Media Holdings filed a “John Doe” lawsuit alleging violations of three federal statutes: the Electronic Stored Communications Privacy Act, 18 U.S. C. §§ 2701 and 2702, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030 and copyright infringement in violation of 17 &#8230; <a href="http://computerfraud.us/articles/how-do-you-sue-an-unknown-hacker-who-steals-data-through-the-company-web-site">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>In <em>Liberty Media Holdings, LLC. v. Does 1-59,</em> 2011 WL 292128 *3 (S.D.Cal. Jan. 25, 2011) unknown individuals hacked into Liberty Media Holdings’ web servers and obtained “certain motion pictures” that it “reproduced and distributed . . . onto their local hard drives and other storage devices.”  Not knowing the identity of these hackers Liberty Media Holdings filed a “John Doe” lawsuit alleging violations of three federal statutes:  the Electronic Stored Communications Privacy Act, 18 U.S. C. §§ 2701 and 2702, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030 and copyright infringement in violation of 17 U.S.C. § 501.</p>
<p>What the case describes is a fairly typical scenario – unknown individuals hack into the company web site and steal valuable data.  There is no indication of the identity of the hackers.  The only traces left behind are Internet Protocol (“IP”) addresses assigned to the hackers, the Internet Service Providers (“ISP”) that provided the hackers with Internet access and the dates and times of the intrusions.  </p>
<p>Rather than wait for law enforcement to investigate and prosecute, which may or may not happen, a company can take the aggressive approach outlined in this case, which can have the same remedial impact as a criminal prosecution in stopping the illegal activity.  Nor does it preclude the matter from being referred to law enforcement at any time.  What Liberty Media Holdings did can be adopted as a template by any company victimized by a computer hacker.  It filed a lawsuit against the unknown hackers as John Doe defendants and then moved for immediate discovery to subpoena the ISPs “to identify the users of the IP addresses during the dates and times” found on its web site.  <em>Id.</em> at *1.  </p>
<p>In analyzing Liberty Media Holdings’ request, the court relied on <em>Columbia Ins. Co. v. Seescandy.com</em>, 185 F.R.D. 573, 577 (N.D. Cal. 1999), which had “recognized that ‘(s)ervice of process can pose a special dilemma for plaintiffs in cases . . . in which the tortious activity occurred entirely on-line. The dilemma arises because the defendant may have used a fictitious name and address in the commission of the tortious acts.’”  In deciding “[w]hether discovery to uncover the identity of a defendant is warranted,” <em>Columbia Ins. Co.</em> requires the plaintiff to satisfy the following three standards:</p>
<blockquote><p>First, . . . identify the missing party with sufficient specificity such that the Court can determine that (the) defendant is a real person or entity that could be sued in federal court .</p>
<p>Second, . . . identify all previous steps taken to locate the elusive defendant.</p>
<p>Third, . . . establish to the Court&#8217;s satisfaction that plaintiff&#8217;s suit against (the) defendant could withstand a motion to dismiss &#8230; Plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed the act.<br />
<em>Id</em>., at 578-580.</p></blockquote>
<p>Here, the court found that Liberty Media Holdings met all three criteria.  First, the court found that it had sufficiently identified the defendants through the unique IP addresses and the ISPs that had provided the unknown defendants with their Internet access.  The court also found that “the requested discovery is necessary for Plaintiff to determine the names and addresses of each Defendant who performed the allegedly illegal and infringing acts.”  <em>Id</em>. at *2.  </p>
<p>Second, the court found that other than the IP addresses and their ISPs “there are no other measures Plaintiff could take to identify the Defendants.”  <em>Id.</em></p>
<p>Third, the court found that Liberty Media Holdings had three viable claims against the unknown hacker defendants: violations of the Stored Communications Act and the CFAA, and copyright infringement.  The court therefore granted Liberty Media Holdings’ motion to take immediate discovery by issuing subpoenas to the ISPs and various cable operators for the names of the subscribers assigned the IP addresses.  </p>
<p>In short, any company victimized by an unknown hacker can offer these same justifications for immediate discovery to identify the hacker through an IP address by subpoenaing the ISP associated with that address.  </p>
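<p>Before a subpoena of the kind approved in <em>Liberty Media Holdings</em> can be drafted, the traces the article describes (IP addresses and the dates and times of the intrusions) have to be pulled out of the company’s own records.  The example below is added for this page and is not code from the case or the author.  It assumes the evidence is an ordinary web server access log in the common “combined” format, a few constructed lines of which are embedded using RFC 5737 documentation addresses, and reduces them to one row per address giving the exact window in which that address fetched protected content, with the logged time zone preserved and a UTC rendering alongside.  The path prefix, the status codes treated as successful and all sample data are assumptions made for the illustration.</p>

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample access-log lines in the common "combined" format.
# Assumptions for this example: the evidence is a web server log, the stolen
# content lives under /members/, and the addresses are RFC 5737 documentation
# addresses. Nothing here comes from the Liberty Media Holdings case.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2011:03:14:07 -0800] "GET /members/video/0412.mp4 HTTP/1.1" 200 73400320 "-" "curl/7.21.0"
198.51.100.23 - - [22/Jan/2011:03:15:52 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2011:03:16:31 -0800] "GET /members/video/0413.mp4 HTTP/1.1" 200 69206016 "-" "curl/7.21.0"
198.51.100.23 - - [23/Jan/2011:11:02:09 -0800] "GET /members/video/0412.mp4 HTTP/1.1" 206 1048576 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2011:22:40:00 -0800] "GET /members/video/0414.mp4 HTTP/1.1" 200 80000000 "-" "curl/7.21.0"
203.0.113.7 - - [23/Jan/2011:22:41:13 -0800] "GET /members/video/0999.mp4 HTTP/1.1" 404 512 "-" "curl/7.21.0"
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": ip_address(m["ip"]),
        # %z keeps the offset the server logged; never strip it.
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def intrusion_records(log_text, protected_prefix="/members/"):
    """Group successful (200/206) requests for protected content by source IP,
    keeping the first and last time each address was seen and what it fetched."""
    by_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] not in (200, 206):
            continue
        if not ev["path"].startswith(protected_prefix):
            continue
        rec = by_ip.setdefault(str(ev["ip"]), {
            "ip": ev["ip"], "first": ev["ts"], "last": ev["ts"], "requests": 0, "paths": set()})
        rec["first"] = min(rec["first"], ev["ts"])
        rec["last"] = max(rec["last"], ev["ts"])
        rec["requests"] += 1
        rec["paths"].add(ev["path"])
    return by_ip


def subpoena_rows(by_ip):
    """One row per address in the form a subpoena to the ISP needs: the address
    and the exact window in which it was used, with the logged offset preserved
    and a UTC rendering alongside, since the ISP matches its address-assignment
    records by time."""
    rows = []
    for rec in sorted(by_ip.values(), key=lambda r: (r["ip"].version, int(r["ip"]))):
        rows.append({
            "ip": str(rec["ip"]),
            "first_seen": rec["first"].isoformat(),
            "last_seen": rec["last"].isoformat(),
            "first_seen_utc": rec["first"].astimezone(timezone.utc).isoformat(),
            "last_seen_utc": rec["last"].astimezone(timezone.utc).isoformat(),
            "requests": rec["requests"],
            "distinct_files": len(rec["paths"]),
        })
    return rows


if __name__ == "__main__":
    for row in subpoena_rows(intrusion_records(SAMPLE_LOG)):
        print(row)
```

<p>The time zone matters more than it looks: the ISP identifies a subscriber by matching the address and time against its own address-assignment records, and a subpoena that lists times without an offset can be unanswerable for an address that was reassigned the same day.  Identifying which ISP to subpoena is a separate step (a WHOIS lookup at the regional Internet registry for each address) that this offline example does not perform.</p>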
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/how-do-you-sue-an-unknown-hacker-who-steals-data-through-the-company-web-site/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Facebook’s Lawsuit Protects Its Users Against a Massive Spamming Scheme</title>
		<link>http://computerfraud.us/articles/facebook%e2%80%99s-lawsuit-protects-its-users-against-a-massive-spamming-scheme</link>
		<comments>http://computerfraud.us/articles/facebook%e2%80%99s-lawsuit-protects-its-users-against-a-massive-spamming-scheme#comments</comments>
		<pubDate>Mon, 31 Jan 2011 15:32:52 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=816</guid>
		<description><![CDATA[On January 26, 2011, the federal district court in the Northern District of California granted Facebook a default judgment against Philip Porembski and PP Web Services LLC for obtaining “login credentials for at least 116,000 Facebook accounts without authorization” and for sending “more than 7.2 million spam messages to Facebook users.” Facebook, Inc. v. Fisher, 2011 WL 250395 *1 (N.D.Cal. Jan. 26, 2011) This case is a textbook example of how a company can use self help and available federal law to protect itself and its customers. Not only did Facebook bring a halt to the spam that was plaguing &#8230; <a href="http://computerfraud.us/articles/facebook%e2%80%99s-lawsuit-protects-its-users-against-a-massive-spamming-scheme">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
			<content:encoded><![CDATA[<p>On January 26, 2011, the federal district court in the Northern District of California granted Facebook a default judgment against Philip Porembski and PP Web Services LLC for obtaining “login credentials for at least 116,000 Facebook accounts without authorization” and for sending “more than 7.2 million spam messages to Facebook users.”  <em>Facebook, Inc. v. Fisher</em>, 2011 WL 250395 *1 (N.D.Cal. Jan. 26, 2011)  </p>
<p>This case is a textbook example of how a company can use self help and available federal law to protect itself and its customers.  Not only did Facebook bring a halt to the spam that was plaguing its users, but it also extracted from the perpetrators a significant monetary punishment without the assistance of law enforcement.  What is noteworthy is that Facebook was able to achieve this result because it had strong policies in place that prohibited the misuse of its site and then took affirmative steps to enforce those policies through an aggressive federal court action based on two federal statutes designed to protect it and the public against computer crime.</p>
<p>In its complaint Facebook alleged that the spam emails asked the “recipients to click on a link to a &#8220;phishing&#8221; site designed to trick users into divulging their Facebook login information” and  that “[o]nce users divulge[d] the information, Defendants use[d] it to send spam messages to the users&#8217; friends, repeating the cycle.”  The complaint further alleged that “certain spam messages allegedly redirect[ed] users to websites that pay Defendants for each user visit.”  Id.  The court granted Facebook a permanent injunction directing the defendants to refrain from their illegal activity and granting Facebook $360,500,000 in damages.  <em>Id</em>. at *3.</p>
<p>The lawsuit alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq., and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (&#8220;CAN-SPAM Act&#8221;), 15 U.S.C. § 7701 et seq.   The CFAA, primarily a criminal statute, provides civil remedies to a company injured by a violation of the statute, 18 U.S.C. § 1030(g), and the CAN-SPAM Act permits a civil action to be brought by a “provider of Internet access service adversely affected by a violation of” specified sections of the Act.  15 U.S.C. § 7706(g)(1). </p>
<p>The CFAA count was predicated on unauthorized access to Facebook’s site through a violation of Facebook’s Statement of Rights and Responsibilities (&#8220;SRR&#8221;).  The SRR prohibits users from “any activity . . . that would impair the operation of Facebook&#8217;s website, including the use of data mining ‘bots’ to gain access to users&#8217; login information, the posting of unsolicited advertising on the website or circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook&#8217;s prior authorization.”  <em>Id.</em> at *1.  The defendant was a Facebook user bound by the terms of the SRR.  Users are also bound by Facebook’s “strict policies against spam or any other form of unsolicited advertising.”  <em>Id.</em>  The court granted the permanent injunction based on the following factual findings:</p>
<blockquote><p>Facebook has received more than 8,000 user complaints, and more than 4,500 Facebook users have deactivated their accounts.  Additionally, Facebook has expended large financial and professional resources to upgrade its security measures.  Defendants have demonstrated a willingness to continue their activities without regard for Facebook&#8217;s security measures or cease and desist requests.<br />
Id. at *3.  </p></blockquote>
<p>If the defendant violates the court’s injunction, he can be held in contempt and fined, imprisoned or both.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/facebook%e2%80%99s-lawsuit-protects-its-users-against-a-massive-spamming-scheme/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

