<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Fraud / Data Protection</title>
	<atom:link href="http://computerfraud.us/feed" rel="self" type="application/rss+xml" />
	<link>http://computerfraud.us</link>
	<description>by Nick Akerman</description>
	<lastBuildDate>Mon, 06 May 2013 20:41:40 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>High Court May Rule on Computer Law Question</title>
		<link>http://computerfraud.us/cases/high-court-may-rule-on-computer-law-question</link>
		<comments>http://computerfraud.us/cases/high-court-may-rule-on-computer-law-question#comments</comments>
		<pubDate>Fri, 28 Sep 2012 19:39:11 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Cases]]></category>
		<category><![CDATA[Brekka]]></category>
		<category><![CDATA[Carpenter]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[EF Cultural Travel]]></category>
		<category><![CDATA[Nosal]]></category>
		<category><![CDATA[unauthorized access]]></category>
		<category><![CDATA[WEC]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1173</guid>
		<description><![CDATA[At issue is whether the Computer Fraud and Abuse Act applies to data theft by employees; the circuits are split. BY Nick Akerman On July 26, the U.S. Court of Appeals for the Fourth Circuit became the first circuit to adopt the Ninth Circuit’s holding in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), that the Computer Fraud and Abuse Act does not apply to employees who steal data from the company computers. WEC Carolina Energy Solutions LLC v. Miller, 2012 WL 3039213 (4th Cir. July 26, 2012). This case places the Fourth and Ninth circuits in direct conflict &#8230; <a href="http://computerfraud.us/cases/high-court-may-rule-on-computer-law-question">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>At issue is whether the Computer Fraud and Abuse Act applies to data theft by employees; the circuits are split.</p>
<p>BY Nick Akerman</p>
<p>On July 26, the U.S. Court of Appeals for the Fourth Circuit became the first circuit to adopt the Ninth Circuit’s holding in <em>U.S. v. Nosal</em>, 676 F.3d 854 (9th Cir. 2012), that the Computer Fraud and Abuse Act does not apply to employees who steal data from the company computers.  <em>WEC Carolina Energy Solutions LLC v. Miller</em>, 2012 WL 3039213 (4th Cir. July 26, 2012). This case places the Fourth and Ninth  circuits in direct conflict with the First, Third, Fifth, Seventh, Eighth and Eleventh circuits, increasing the odds that the U.S. Supreme Court will address this issue at some point.</p>
<p>The CFAA, the federal computer crime statute, allows individuals or companies victimized by violations of the statute to bring a civil action  against the perpetrator. U.S.C. 1030(g). For a theft of data a plaintiff must prove that the defendant accessed the computer “without authorization” or exceeded his authorized access. The conflict among the circuits centers on what it means to access a computer without authorization. This article will examine the scope of this issue and the likelihood that the Supreme Court will resolve this conflict in favor of the more expansive meaning of “without authorization.”</p>
<p>The complaint in WEC alleges the classic employee theft of data: Willie Miller, immediately prior to his resignation from WEC to join a competitor,  downloaded WEC’s confidential and trade-secret information from his company-issued laptop computer at the direction of his new employer and thereafter used it on behalf of his new employer to obtain business from two WEC customers.  WEC’s policies, while not directly restricting his “authorization to access the information,” prohibited him from “using the information without authorization or downloading it to a personal  computer.”  2012  WL 3039213, at *1.</p>
<p>The  Fourth Circuit in <em>WEC</em>, like the Ninth Circuit in <em>Nosal</em>, interpreted the key element of accessing the computer “without authorization” or exceeding “authorized access” narrowly to hold that the CFAA applies “primarily” to outside hackers and “that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”  <em>Id</em>. at *4.  Nosal went even  further to engraft upon “without authorization” the requirement that the defendant’s access involve “the circumvention of technological barriers” to the computer.  676 F.3d. at 863.</p>
<p><strong>Challenging the Seventh Circuit</strong></p>
<p>Both <em>WEC</em> and <em>Nosal</em> take direct issue with Judge Richard Posner’s holding in <em>Int’l Airport Ctrs. LLC v. Citrin</em>, 440 F.3d 418, 420-21 (7th Cir. 2006), that “when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.”  In rejecting this “cessation-of-agency theory,” the court in <em>WEC</em> stated that “[s]uch a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.” 2012 WL 3039213, at *6.</p>
<p>The Ninth Circuit rejected <em>Citrin</em> on the basis that “[n]othing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.”  <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1135 (9th  Cir. 2009).  However, both the Ninth and Fourth circuits ignore the Supreme Court’s decision in <em>Carpenter v. U.S</em>., 484 U.S. 19 (1987), which relied on the same state law agency principles to uphold a “scheme to defraud,” the key element of the mail and wire fraud statutes.</p>
<p><em>Carpenter</em> affirmed the conviction of a <em>Wall Street Journal</em> reporter  who, prior to publication, had provided his upcoming financial columns to confederates, who bought or sold stock “based on the probable impact of the column on the market.”  <em>Id</em>. at 23. The court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment,” and intentionally exploiting that information for his own personal benefit constituted a scheme to defraud his employer of confidential information.  <em>Id.</em> at 29.  </p>
<p><em>WEC</em> also incorrectly stated that only “two schools of thought exist” between <em>Nosal</em> and <em>Citrin</em>. 2012 WL 3039213, at *3.  What <em>Nosal</em> and <em>WEC</em> fail to address is that the  other circuits simply interpret “without authorization” unqualifiedly to mean lack of permission.  Thus, the Fifth and Eleventh circuits have found lack of permission based limits on access and enhancing control by information  providers.”  <em>EF Cultural Travel B.V. v. Zefer Corp</em>., 318 F.3d 58, 63 (1st Cir.2003).  Thus, a company “can easily spell out explicitly what  is forbidden” through its policies.  <em>Id</em>.  </p>
<p>The Fifth Circuit in <em>U.S. v. John</em>, 597 F.3d 263, 269, 272 (5th Cir. 2010), held that a Citigroup account manager, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges, had exceeded authorized access based on “Citigroup’s official policy, that…prohibited misuse of the company’s internal computer systems and confidential customer information.”  <em>Id</em>. at 272.  Similarly, the Eleventh Circuit relied on company rules in <em>U.S. v. Rodriguez</em>, 628 F.3d 1258 (11th Cir. 2010), to affirm the CFAA conviction of a Social Security Administration employee who accessed Social Security information for personal reasons in violation of the agency’s policy against “obtaining information from its databases without a business reason.” <em>Id.</em></p>
<p>The Third and Eighth circuits have found unauthorized access to the company computer when the access was done without a legitimate business purpose. The Third Circuit in <em>U.S. v. Tolliver</em>, 2011 WL 4090472, at *5, found unauthorized access by a bank teller who provided customer information to fraudsters who siphoned funds from customers’ accounts because “she did not have a business purpose” to access those accounts. The Eighth Circuit in <em>U.S. v. Teague</em>, 646 F.3d 1119 (8th Cir. 2011), similarly found unauthorized access by an employee of a government contractor for the Department of Education who viewed President Obama’s student loan records without any legitimate business purpose.</p>
<p><strong>Concern Over Innocent Activities</strong></p>
<p>In the final analysis, the driving force that separates <em>Nosal</em> and <em>WEC</em> from the other circuits in narrowly defining “without authorization” is a concern that “private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes,” for example, that an employee “could be prosecuted” for innocent activities such as watching television on his “work computer.”  <em>Nosal</em>, 676 F.3d at 860; see also, <em>WEC</em>, 2012 WL 3039213, at *6.</p>
<p>There are two reasons why the Supreme Court is unlikely to share this concern. First, the precise same arguments could be leveled at the federal  mail and wire fraud statutes because they could be used to prosecute individuals for stealing paltry sums of money through the wires or mails under circumstances that should not be criminalized, yet the court has persistently upheld both statutes.  Second, based on its recent decision in  <em>Morrison v. National Australia Bank Ltd</em>., 130  S.Ct. 2869, 2881 n.5 (2010), in which the court criticized “judicial lawmaking,” it is highly unlikely that the Supreme Court, without any support in the plain language of the statute, will interpret “without authorization” to exclude employees.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/cases/high-court-may-rule-on-computer-law-question/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No Password for You: California Enacts Social Media Privacy Laws Affecting Employers and Postsecondary Educational Institutions</title>
		<link>http://computerfraud.us/data-protection/no-password-for-you-california-enacts-social-media-privacy-laws-affecting-employers-and-postsecondary-educational-institutions</link>
		<comments>http://computerfraud.us/data-protection/no-password-for-you-california-enacts-social-media-privacy-laws-affecting-employers-and-postsecondary-educational-institutions#comments</comments>
		<pubDate>Fri, 28 Sep 2012 18:37:09 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[AB 1844]]></category>
		<category><![CDATA[California Social Media]]></category>
		<category><![CDATA[SB 1349]]></category>
		<category><![CDATA[social media privacy]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1169</guid>
		<description><![CDATA[By: Gary Gansle, Jessica Linehan, and Kurt Whitman Addressing a recent hot topic regarding the forced disclosure of social media passwords and/or content as part of the employment application process, California has promptly resolved the issue legislatively. Effective January 1, 2013, employers in California are generally prohibited from requiring applicants and employees to disclose or access social media information. This new law, AB 1844, parallels an analogous law, SB 1349, which prohibits California’s public and private postsecondary educational institutions from requiring similar mandatory social media disclosure from students, prospective students, or student groups. Consistent with its historically strong state constitutional &#8230; <a href="http://computerfraud.us/data-protection/no-password-for-you-california-enacts-social-media-privacy-laws-affecting-employers-and-postsecondary-educational-institutions">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>By: Gary Gansle, Jessica Linehan, and Kurt Whitman</p>
<p>Addressing a recent hot topic regarding the forced disclosure of social media passwords and/or content as part of the employment application process, California has promptly resolved the issue legislatively. Effective January 1, 2013, employers in California are generally prohibited from requiring applicants and employees to disclose or access social media information. This new law, AB 1844, parallels an analogous law, SB 1349, which prohibits California’s public and private postsecondary educational institutions from requiring similar mandatory social media disclosure from students, prospective students, or student groups. Consistent with its historically strong state constitutional rights to privacy, California becomes the first state to pass social media privacy protection in both the employment and education contexts. </p>
<p><strong>Employers</strong> </p>
<p>On September 27, 2012, California Governor Jerry Brown signed AB 1844, which passed unanimously in both the California Assembly and Senate. This new law prohibits employers from requiring applicants or employees to disclose username or password information to employers, to access personal social media in the presence of the employer, or to divulge any personal social media. AB 1844 defines “social media” broadly to include videos, photographs, blogs, instant and text messages, email, online services or accounts, or other web profiles or locations. </p>
<p>Moreover, employers may not retaliate against an employee or applicant for failing to comply with an employer’s unlawful request for access to the employee’s social media in violation of the new law. </p>
<p>AB 1844 carves out limited remedial access rights to the employer. Where the employee’s social media is “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations,” the employer may request access to social media for the limited purpose of investigating such misconduct. Additionally, for employer-issued electronic devices, employers may still require disclosure of access information, such as usernames and passwords associated with the device. </p>
<p>The new law marks continued expansion of privacy protections for employee social media. Through the passage of AB 1844, California joins Maryland and Illinois, which have enacted comparable laws in the employment context. Similarly, the National Labor Relations Board has increasingly focused on employer social media policies in an effort to invalidate policies that are unlawfully overbroad and chill employee speech that is protected under Section 7 of the National Labor Relations Act. The passage of AB 1844 significantly curtails an employer’s ability to access employee social media in the first place. </p>
<p>In anticipation of these new restrictions, employers should review hiring policies and practices to ensure compliance with the new limitations. In addition, employers should not ask current employees to divulge their social media, or information needed to access it, except in the narrow situations outlined in the statute. </p>
<p><strong>Postsecondary Educational Institutions</strong></p>
<p>On September 27, 2012, Governor Brown also signed SB 1349, which passed unanimously in both the California Assembly and Senate. The new law adds a new social media privacy chapter to the California Education Code and prohibits all postsecondary educational institutions from requiring or requesting current or prospective students to “disclose, access, or divulge personal social media.” Similar to AB 1844, “social media” is defined to include any electronic service, account, or content, such as videos, photographs, blogs, instant and text messages, email, online services or accounts, or other web profiles or locations. </p>
<p>Under SB 1349, a postsecondary educational institution may not threaten a current or prospective student or student group with disciplinary action for refusing to comply with a prohibited request. Private nonprofit or for-profit postsecondary educational institutions must additionally post their “social media privacy policy” on their websites. </p>
<p>The new law will not affect the rights or obligations of postsecondary schools to 1) protect against and investigate alleged student misconduct or violations of applicable laws and regulations, or 2) take adverse action against a student, prospective student, or student group for any lawful reason. </p>
<p>In enacting the law, California becomes the second state, joining Delaware, to establish social media privacy protections for students and student groups. Other state legislatures and the U.S. Congress have proposed similar bills in the educational and employment context, and the trend will likely continue. </p>
<p>SB 1349 takes effect January 1, 2013. In light of this, public and private postsecondary educational institutions should assess their social media policies accordingly to ensure that their policies are compliant under the new limitations. Postsecondary institutions should also refrain from requesting social media information from current or prospective students other than under the exceptions outlined in the new law. </p>
<p>Gary Gansle is the head of the Labor and Employment group in Dorsey &amp; Whitney’s Palo Alto office. Jessica Linehan is a member of the Labor and Employment group in Dorsey’s Southern California office. She practices exclusively in the area of employment law. Kurt Whitman is a member of the Regulatory Affairs group in Dorsey’s Minneapolis office. He is licensed in California and Minnesota and advises educational institutions on federal and state education law matters. The authors are all members of Dorsey’s Social Media and Privacy Law Group, which counsels clients on a wide variety of privacy law issues. </p>
<p>© 2012 Dorsey &amp; Whitney LLP. This article is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by reading this article. Members of the Dorsey &amp; Whitney LLP group issuing this communication will be pleased to provide further information regarding the matters discussed therein.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/data-protection/no-password-for-you-california-enacts-social-media-privacy-laws-affecting-employers-and-postsecondary-educational-institutions/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Software Industry Wakes Up To A Brave New World</title>
		<link>http://computerfraud.us/articles/the-software-industry-wakes-up-to-a-brave-new-world</link>
		<comments>http://computerfraud.us/articles/the-software-industry-wakes-up-to-a-brave-new-world#comments</comments>
		<pubDate>Wed, 11 Jul 2012 20:58:11 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[ECJ]]></category>
		<category><![CDATA[EU]]></category>
		<category><![CDATA[software licenses]]></category>
		<category><![CDATA[UsedSoft]]></category>
		<category><![CDATA[UsedSoft GmbH v. Oracle]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1166</guid>
		<description><![CDATA[By Ron Moscona Dorsey &#38; Whitney Partner London Office In a surprising decision early in July, in the case of UsedSoft GmbH v. Oracle International, the highest court in Europe, at the stroke of the pen, has re-written the basic rules of the game relating to the distribution of software in the European Union. In a word, the European Court of Justice (“ECJ”) held that licensed copies of software can be bought and sold on the open market without the consent of the licensor &#8211; even where the licence is stated to be personal to the original purchaser and non-assignable &#8230; <a href="http://computerfraud.us/articles/the-software-industry-wakes-up-to-a-brave-new-world">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
<content:encoded><![CDATA[<p>By Ron Moscona<br />
Dorsey &amp; Whitney Partner, London Office</p>
<p>In a surprising decision early in July, in the case of UsedSoft GmbH v. Oracle International, the highest court in Europe, at the stroke of the pen, has re-written the basic rules of the game relating to the distribution of software in the European Union.</p>
<p>In a word, the European Court of Justice (“ECJ”) held that licensed copies of software can be bought and sold on the open market without the consent of the licensor &#8211; even where the licence is stated to be personal to the original purchaser and non-assignable &#8211; provided that licence fees were paid upfront and that the licence was granted to the licensee in perpetuity. </p>
<p>The decision focuses on downloaded software, but the ECJ emphasised that it applies regardless of the method by which the copy is sold. Licensed end-users will be free to sell their copies as ‘second-hand software’ whether the copy was originally downloaded online, purchased on physical media or installed on the licensee’s machine by the vendor. </p>
<p>The decision will affect a very significant part (possibly the majority) of software licences granted in Europe. Licences which are subject to annual or periodical fees will not be affected, nor licences that are granted for limited periods of time. However, software is commonly sold against the payment of one-off fees with the grant of a perpetual user right. Many software vendors today prefer to earn recurring income from maintenance and consultancy services, rather than from licence fees. All perpetual licences would appear to be affected by the decision. </p>
<p><strong>The impact on the market </strong></p>
<p>The newly formulated rule &#8211; based on the application of the ‘exhaustion of rights’ principle &#8211; will apply to all types of software products. The greatest impact will probably be felt at the ‘retail software’ level &#8211; everyday software used by individuals and businesses &#8211; common desktop/tablet applications, financial tools, games, media players, development tools, mobile apps and so forth. It is easy to see the development of a second-hand market for such products. But it will also be relevant to a wide range of pure business software. Software for business processing, project management and stock management, for instance, and of course Oracle’s own databases, could also be traded in the ‘second-hand market’ and even some individually tailored products &#8211; as long as there is a buyer for the product in question. </p>
<p>Software vendors will need to re-think their business models and re-draft their contractual terms. Many will seek work-around solutions. However, artificial legal obstacles to the right of re-sale recognised by the ECJ may not always have the desired legal effect (just as the non-assignability of the licences did not help Oracle in the case at hand). Great care will be required in formulating new legal and business strategies for the distribution of software. Some vendors may move away from a model of perpetual licences and up-front fees, in favour of limited term, renewable licences. Some may prefer to supply their software as a service rather than through the distribution of licensed copies. The ECJ decision is fairly clear that SaaS business models will not be affected by the exhaustion rule, which could give a certain boost to the cloud industry. </p>
<p>The economic effects of the decision are difficult to predict. It is likely that a market for ‘second-hand software’ will quickly develop and it is easy to imagine the market awash with cheap, second hand, older versions, as well as many copies of current new versions reaching the market from obscure sources. An opportunity emerges not only for online marketplaces to specialise in second-hand software but also for intermediaries (like UsedSoft) to enter the business of buying and selling copies of software to exploit price differentiations between markets. </p>
<p>But the effects will be felt wider and deeper. Economists will struggle with the question how the rule (and the emergence of a second-hand market) will impact the price of ‘new’ software and whether the application of the exhaustion rule will benefit the users of software overall (beyond the availability of legitimate &#8216;second hand copies&#8217;). If the rule prompts the industry to shun the practice of selling software with perpetual licences, this may spell bad news to customers who became accustomed to purchasing software with the payment of one-off fees. </p>
<p><em>A new challenge in the fight against piracy</em></p>
<p>Fighting piracy will inevitably become much more challenging. The ECJ recognised the risk but pointed out that software vendors are free to use licence keys and other technology measures to track and control the use of their products and to ensure that a licence sold to one customer does not mushroom overnight into thousands of illegal copies distributed on the open market. True, the distribution of unlicensed copies is already common, but there is a real risk it will become much more prevalent in the presence of a legitimate marketplace for ‘second-hand software’. The emergence of such markets will inevitably make it easier to distribute unlicensed copies. Unless adequate technology control measures are introduced, it will be impossible for purchasers to know whether or not copies offered for sale are legitimate.</p>
<p>One possible problem, which was considered by the Court, is that many sellers of licensed copies might continue to use copies of the software held on their computers after selling their legitimate copies (and of course, some may sell further copies illegally). The exhaustion rule, as formulated by the Court, requires the seller of the ‘second-hand copy’ to make his own copy unusable. It will only be possible to monitor compliance with the requirement if the copy is digitally protected. Further, according to the decision, if a seller sells a licensed copy without destroying his own copy, the purchaser will hold a legitimate copy and the seller will be the infringer. This means that purchasers will feel fairly confident that they will not be at risk of infringement when buying second-hand software (although a purchaser will still be holding an infringing copy if it is bought from an unlicensed seller, or from a seller who already sold his legitimate copy). </p>
<p>The exhaustion rule applies only to copies of software originally sold in the EU. In principle, the rule does not allow the resale of copies that were first purchased outside the EU. But again, without effective digital control measures, it will be very difficult for software vendors to ensure that second-hand licensed copies of their products sold on the secondary market in the EU do not originate from outside the EU. Purchasers of second-hand copies, too, will have little way of knowing whether a copy offered for sale was originally licensed in the EU. </p>
<p>It remains to be seen whether the industry will take steps to try to help the market differentiate between licensed and unlicensed copies and to mark copies of software according to the first place of distribution. </p>
<p><strong>Uncertain legal implications</strong></p>
<p><em>When is a copy sold in the EU?</em></p>
<p>The decision in the UsedSoft case throws up some very fundamental legal questions.</p>
<p>One was alluded to above &#8211; what constitutes a copy sold in the EU? If an end-user in the EU downloads a copy of a software product from the internet (where the vendor and the server on which the software resides could be located anywhere in the world), what is the location of the sale? Further, if a copy is purchased outside the EU but the licence is granted perpetually on a worldwide basis, is that sufficient to trigger the exhaustion rule (the vendor having consented to the use of the copy in the EU)? Similar questions have been considered extensively by the European court in the past when applying the exhaustion of rights rule to physical products. The application of the rule to ephemeral copies of software, however, will require a re-examination of the issue. </p>
<p><strong>What is the effect of the sale of a ‘second-hand copy’ on the EULA?</strong></p>
<p>Another key legal question is the effect of the sale of a second-hand copy on the software licence itself. </p>
<p>The Court’s decision focuses on the idea that a copy of a software product sold to an end-user (under a perpetual licence) is then “owned” by the purchaser. That “ownership” &#8211; the Court emphasised &#8211; is a unique concept of EU law, not necessarily “ownership” in the conventional sense under national laws of Member States. That notional “ownership” underlies the application of the exhaustion (or re-sale) rule. If one purchases a copy of the software and owns it, one is entitled to sell it onwards without having to obtain the original seller’s permission. </p>
<p>But the right to use a copy of the software is granted by contract. The exhaustion of rights rule has never before been applied to a right that exists under contract (only to physical goods). The Court paid very little attention to the significance of the end-user licence agreement (the “EULA”) and the decision does not explain the fate of that contract upon the sale of the second-hand copy. Does the EULA expire upon the sale of the second hand copy? Would the contract continue to apply as between the licensor and the original licensee (insofar as it remains relevant)? Or will the rights and obligations pass on to the buyer of the second hand copy?</p>
<p>The EULA typically includes important terms and conditions. It can impose conditions on the use of the software and various requirements on the licensee, it usually includes warranties and indemnities given by the vendor (and in some cases by the end-user too) as well as provisions on liability limitation, dispute resolution and so on. Software vendors may wish to include new provisions in their licence agreements in order to address issues arising from the exhaustion principle, but will these terms have any effect after a sale is concluded? </p>
<p>The question is not a simple one. On the one hand, the basis of the exhaustion rule is that the intellectual property rights are exhausted in relation to a copy, once it is put on the market by the IP owner (the software vendor). It follows (presumably) that a licence from the vendor is no longer required for the use of that copy. Further, it is difficult to see how the exhaustion rule can give effect to a transfer of contractual rights and obligations from seller to buyer (particularly if the contract is stated to be non-assignable). On the other hand, is it possible then that an end-user who accepted certain terms under an EULA can free himself from the contract simply by selling his copy? Is it possible that the purchaser might acquire better rights than those of the seller (that is, the right to use a copy of the software with no strings attached and subject to no terms and conditions)? </p>
<p>What will be the case, for instance, if the licence allows the user to run the software only in a particular location or only to be accessed by named individuals? Would these restrictions go away on sale? Would they continue to bind the purchaser? Or possibly, could it be argued that a licence that contains such restrictions (even if it is granted in perpetuity) is not subject to the exhaustion rule, because the licensee does not truly “own” a copy? </p>
<p>Numerous legal and practical consequences hang on the point concerning the fate of the EULA upon the sale of a ‘second-hand copy’. No doubt, the industry and its legal advisers will grapple with these issues for some time to come and questions will come before the European courts. But it is likely to take many years before the legal complications stemming from the decision in Oracle v UsedSoft will be settled. Until then (unless legislation intervenes) the trade in ‘second-hand software’ will remain shrouded in uncertainty. </p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/the-software-industry-wakes-up-to-a-brave-new-world/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 9th Circuit: Employees Are Free to Steal from the Company Computers</title>
		<link>http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers</link>
		<comments>http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers#comments</comments>
		<pubDate>Wed, 11 Apr 2012 22:32:10 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>
		<category><![CDATA[9th Circuit]]></category>
		<category><![CDATA[Brekka]]></category>
		<category><![CDATA[CFAA]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[Korn/Ferry]]></category>
		<category><![CDATA[Nosal]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1161</guid>
		<description><![CDATA[Yesterday the 9th Circuit Court of Appeals issued an opinion holding that limiting an employee’s access to the company computers solely for business purposes, i.e. not stealing the data for a competitor, cannot be the predicate for a violation of the federal computer crime statute, the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030.  <em>U.S. v. Nosal</em>, 2012 WL 1176119 (9th Cir. April 10, 2012).  The CFAA makes it a crime in various instances to access a computer “without authorization” or to have “exceeded authorized access” to obtain information from the computer and permits those, including companies, who are victims of violations of the statute to bring a civil action against the perpetrators.  The court acknowledges that its decision conflicts with the 5th, 7th and 11th Circuits, so there is a good chance the Supreme Court will have the final say on this issue if the Department of Justice decides to appeal.  As the dissent pointed out, this decision is counter to the common sense notion that a “bank teller is entitled to access a bank’s money for legitimate purposes, but not to take the bank’s money for himself.” <a href="http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>Yesterday the 9th Circuit Court of Appeals issued an opinion holding that limiting an employee’s access to the company computers solely for business purposes, i.e. not stealing the data for a competitor, cannot be the predicate for a violation of the federal computer crime statute, the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030.  <em>U.S. v. Nosal</em>, 2012 WL 1176119 (9th Cir. April 10, 2012).  The CFAA makes it a crime in various instances to access a computer “without authorization” or to have “exceeded authorized access” to obtain information from the computer and permits those, including companies, who are victims of violations of the statute to bring a civil action against the perpetrators.</p>
<p>The court acknowledges that its decision conflicts with the 5th, 7th and 11th Circuits, so there is a good chance the Supreme Court will have the final say on this issue if the Department of Justice decides to appeal.  As the dissent pointed out, this decision is counter to the common sense notion that a “bank teller is entitled to access a bank’s money for legitimate purposes, but not to take the bank’s money for himself.”</p>
<p><strong><em>Brekka</em></strong></p>
<p>The history of this case dates back to <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127 (9th Cir. 2009).  <em>Brekka</em> involved the classic employee theft of data whereby employees, before they leave to compete, e-mail to themselves competitively sensitive company data. The <em>Brekka</em> court refused to apply the CFAA to this theft of data, holding that employees cannot act &#8220;without authorization&#8221; because their employer gave them &#8220;permission to use&#8221; the company computer.  <em>Id</em>. at 1133.  Thus, <em>Brekka</em> was predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.</p>
<p><strong><em>Nosal I</em></strong></p>
<p>Two years later, in <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), the 9th Circuit clarified its decision in <em>Brekka</em>, and allowed a violation of company policies to serve as a predicate to prove unauthorized access in the employer/employee context.  As of the <em>Nosal</em> decision, <em>Brekka</em> had been relied upon by numerous district courts in and out of the 9th Circuit as a bar to using the CFAA against employees who stole data from their employers’ computers.</p>
<p>David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the company computers prior to joining a competitor.  Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.”  <em>Id</em>. at 782.  The Indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system” who then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – a ‘highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’”  <em>Id</em>. </p>
<p>The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed itself after the <em>Brekka</em> decision.  The government appealed relying upon Korn/Ferry’s computer policies that restricted the scope of employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id.</em></p>
<p>The government argued that based on these policies, Nosal had exceeded authorized access.  The court agreed, holding that “an employee ‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer access restrictions – including use restrictions.”  <em>Id</em>.  Nosal distinguished <em>Brekka</em> on the lack of computer policies governing Brekka’s right to access the company computers &#8212;  “[b]ecause LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether – or when – his access would have become unauthorized.”  <em>Id</em>. at 787.  </p>
<p>The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” <em>Id</em>. at 788.  Subsequently, the court granted an <em>en banc</em> hearing of its decision in <em>Nosal</em>.</p>
<p><strong><em>Nosal II</em></strong></p>
<p>The recent reversal of the initial <em>Nosal</em> decision reasoned that the CFAA only applies to hackers and that “without authorization” and “exceeds authorized access” should be read only to “apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).”  The court stated that “[t]he government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.”  </p>
<p>As the court admits, it basically defines “without authorization” to mean “the circumvention of technological barriers” in the computers.  There is, however, nothing in the plain language of the CFAA that supports such a restrictive interpretation of access “without authorization.”  Based on <em>Morrison v. National Australia Bank Ltd.</em>, 130 S.Ct. 2869 (2010), where the Supreme Court criticized “judicial-speculation-made-law&#8212;divining what Congress would have wanted if it had thought of the situation before the court,” it is highly unlikely that the Supreme Court will read such a restriction into the statute. </p>
<p><em>Nosal</em> further held that “the government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer” and that this would “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”  As described by the dissent in the case, the court “posit[s] a laundry list of wacky hypotheticals” that include “private computer use policies” that prohibit personal use of company computers making criminals out of “[e]mployees who call family members from their work phones . . . if they send email instead.” </p>
<p>This of course raises an issue of prosecutorial discretion.  A similar laundry list of wacky hypotheticals could also be posited with the mail and wire fraud statutes, yet the Supreme Court has upheld both statutes. For example, a student who called home from college asking his parents to send him money for books, when he really intended to use the money to buy beer, is technically in violation of the wire and mail fraud statutes.  The bottom line is, as the dissent in <em>Nosal</em> pointed out, it is simple to come up with a contorted application of any criminal statute.  That does not make the law unenforceable or unconstitutional. </p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Company computer policies risk becoming obsolete &#8212; Policies must reflect new laws and court decisions on data theft, social networking and cloud computing.</title>
		<link>http://computerfraud.us/articles/company-computer-policies-risk-becoming-obsolete-policies-must-reflect-new-laws-and-court-decisions-on-data-theft-social-networking-and-cloud-computing</link>
		<comments>http://computerfraud.us/articles/company-computer-policies-risk-becoming-obsolete-policies-must-reflect-new-laws-and-court-decisions-on-data-theft-social-networking-and-cloud-computing#comments</comments>
		<pubDate>Sun, 08 Apr 2012 22:22:46 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[breach notification laws]]></category>
		<category><![CDATA[BV v. Zefer Corp.]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[computer policies]]></category>
		<category><![CDATA[Corporate Computer Policy]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[Eagle v. Morgan]]></category>
		<category><![CDATA[EF Cultural Travel]]></category>
		<category><![CDATA[Massachusetts Privacy Regulation]]></category>
		<category><![CDATA[NYSE’s Listed Company Manual]]></category>
		<category><![CDATA[PhoneDog.com]]></category>
		<category><![CDATA[Pietrylo v. Hillstone]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[Stengart v. Loving Care Agency]]></category>
		<category><![CDATA[Stored Communications Act]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[§ 303A]]></category>
		<category><![CDATA[¶ 10]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1150</guid>
		<description><![CDATA[Have your client companies’ policies kept pace with changes in the law affecting computer technology? New statutes and court decisions relating to computer technology affect every business. Many companies overlook opportunities to respond to these new laws by adopting robust policies to take advantage of the protections they afford and to minimize the risks they pose. This article will review three critical areas of computer technology that should be addressed by company policies: theft of data, social networking and cloud computing. <a href="http://computerfraud.us/articles/company-computer-policies-risk-becoming-obsolete-policies-must-reflect-new-laws-and-court-decisions-on-data-theft-social-networking-and-cloud-computing">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>BY NICK AKERMAN</p>
<p>Have your client companies’ policies kept pace with changes in the law affecting computer technology? New statutes and court decisions relating to computer technology affect every business. </p>
<p>Many companies overlook opportunities to respond to these new laws by adopting robust policies to take advantage of the protections they afford and to minimize the risks they pose. This article will review three critical areas of computer technology that should be addressed by company policies: theft of data, social networking and cloud computing.</p>
<p>• <strong>Theft of data</strong>. Federal and state laws obligate companies to take steps to prevent data theft, notify consumers of the theft of their personal data and create new remedies for companies to sue data thieves. Policies are a critical complement to these laws.</p>
<p>The most comprehensive of the prevention laws is the Massachusetts regulation that requires companies maintaining personal data belonging to Massachusetts residents, whether or not the company does business in Massachusetts, to institute a data-compliance program that includes, among other things, security policies that must be enforced through technology such as encryption. 201 Mass. Code Regs. 201, 17.03-17.05. The personal data at issue—Social Security numbers, credit card and banking information—are data that can be used to perpetrate identity theft. The obligation to protect data is not limited to personal information. In 2004, the Sarbanes-Oxley Act caused the New York Stock Exchange to require its member companies to promulgate policies as part of a comprehensive compliance program to protect both personal and competitively sensitive data. NYSE’s Listed Company Manual, § 303A, ¶ 10.</p>
<p>Also, since 2003, 45 states have enacted statutes requiring businesses to notify consumers of a breach of their personal data. Although these notification laws do not require companies to establish policies, they do require a company to determine whether there is a basis to trigger notification under the statutes and determine how to comply with the patchwork of 45 state laws. Performing these tasks without response policies will inevitably contribute to an uncoordinated response and delay when some states like California require notification in the “most expedient time possible and without unreasonable delay,” while other states, such as Wisconsin, define a more precise time period. Calif. Civ. Code § 1789.82(a); Wis. Stat. § 134.98.</p>
<p>A company cannot investigate data theft unless it has policies that adequately define an employee’s expectation of privacy. In <em>Stengart v. Loving Care Agency</em>, 201 N.J. 300, 314 (2010), the New Jersey Supreme Court, based on an ambiguity in a company policy that allowed occasional personal use of the company computer, concluded that personal e-mails were private. Also, with many employees now using personally owned computing devices to work outside of the office, a policy permitting the employer to retrieve work-related data from these devices reinforces the employer’s rights to its data.</p>
<p>The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, the federal computer crime statute, provides for a civil remedy for a company that “suffers damage or loss” by reason of a violation of the statute. 18 U.S.C. 1030(g). Liability for data theft is based on whether the access to the company computers was unauthorized or exceeded authorized access. The “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” <em>EF Cultural Travel B.V. v. Zefer Corp.</em>, 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden” through its policies. <em>Id</em>. The violation of the policy in turn is the predicate for proving the critical element of the statute that the access was unauthorized.</p>
<p>• <strong>Social networking</strong>. Social media pose a number of legal challenges to companies, including ownership of social-media accounts, labor and employment risks, and the protection of the company’s confidential information.</p>
<p>Businesses commonly market themselves on major social-networking sites including Facebook, LinkedIn and Twitter. As demonstrated by two recent cases, ownership of this marketing tool is not always clear. Just last July, PhoneDog.com, a popular mobile phone site, sued a former employee who had amassed approximately 17,000 followers on Twitter, claiming that the followers constituted a company-owned customer list entitling it to $2.50 per month per follower or $350,000 in total damages.</p>
<p>In December, an employer and former employee sued each other, claiming ownership of the former employee’s LinkedIn account, the popular social-networking site for business professionals. <em>Eagle v. Morgan</em>, 2011 WL 6739448 (E.D. Pa. Dec. 22, 2011). The only way to avoid the inevitable lawsuits over the ownership of these accounts is for businesses to be proactive in establishing up-front policies on ownership rights prior to adopting employee social-media accounts as a marketing tool.</p>
<p><strong>Labor And Employment Risks</strong></p>
<p>Social networking is fraught with a multitude of labor and employment risks. Indiscriminately using social-networking sites to conduct background checks of new hires or current employees can lead to discrimination or invasion-of-privacy suits based on protected information discovered during searches. For example, in <em>Pietrylo v. Hillstone Restaurant Group</em>, No. 2:06-cv-05754 (D.N.J. 2009), management learned of a password-protected MySpace site used by its employees, obtained the password from an employee, viewed the site and then fired two other employees based on what they saw. The fired employees sued, and the employer was found liable for violating the federal Stored Communications Act, 18 U.S.C. 2701-11. A company policy defining the circumstances under which such Internet investigations can properly be conducted could have avoided this lawsuit.</p>
<p>What an employee can communicate about the workplace on a social-networking site should also be addressed in a policy. The company has a clear interest in preventing an employee from disparaging it or releasing to the public its confidential information, but it cannot deny an employee the protected right to labor organizing. In October 2010, the National Labor Relations Board filed a complaint on behalf of a Connecticut ambulance company employee fired after using vulgarities to ridicule her supervisor on Facebook. The NLRB claimed the company maintained overly broad rules in its employee handbook regarding blogging, Internet posting and communications among employees. The case settled in February 2011 with the company agreeing not to prohibit discussion of hours, wages and working conditions on social-networking sites.</p>
<p>• <strong>Cloud computing.</strong> Cloud computing outsources the maintenance of company data to a third party. The potential cost savings in having data maintained by a third-party provider can be quickly dissipated if company policies do not anticipate the potential legal traps created by entrusting data for safekeeping to someone else. All of the company’s current policies on security, record retention, incident response to a data breach and the obligation to provide e-discovery in the event of a lawsuit or government investigation must apply on the cloud and be reflected in the company’s contract with its cloud provider.</p>
<p>Although the cloud service is typically the party in possession of the data, the owner’s overall policy must be to maintain control of its data so that the data can be destroyed in the regular course of the company’s retention policies and preserved in response to a litigation hold. For multinational corporations, this also means policies to ensure compliance with local laws governing cross-border data transfers. For example, in November 2009, the European Network and Information Security Agency issued a report on cloud computing warning that companies remain responsible under U.K. law for safeguarding their customers’ information even if those data are stored by a service provider in the cloud.</p>
<p>Policies that worked yesterday will not necessarily work today or tomorrow. Every company should review its policies to ensure that they adequately:<br />
• Protect data and respond properly to data breaches.<br />
• Minimize the risks posed by social media.<br />
• Apply established policies and appropriate foreign laws to data maintained on the cloud.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/company-computer-policies-risk-becoming-obsolete-policies-must-reflect-new-laws-and-court-decisions-on-data-theft-social-networking-and-cloud-computing/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking, Malware, and Social Engineering—Definitions of and Statistics about Cyber Threats Contributing to Breaches</title>
		<link>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches</link>
		<comments>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches#comments</comments>
		<pubDate>Thu, 26 Jan 2012 21:23:40 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1103</guid>
		<description><![CDATA[This article was first published on IRMI.com and is reproduced with permission. Copyright 2012, International Risk Management Institute, Inc As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011). by Melissa J. Krasnow Partner, Dorsey &#38; Whitney LLP The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch &#8230; <a href="http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>This article was first published on IRMI.com and is reproduced with permission.<br />
Copyright 2012, International Risk Management Institute, Inc.</p>
<p>As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011).</p>
<p>by Melissa J. Krasnow<br />
Partner, Dorsey &amp; Whitney LLP</p>
<p>The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch National High Tech Crime Unit investigated in 2010. This report classified and tallied the types of cyber threats that contributed to breaches. Hacking and malware were utilized in the majority of the breaches, at 50 percent and 49 percent, respectively. Social engineering was involved in 11 percent of the breaches. Many times, these three types of cyber threats from the report and related terms are used but not defined.</p>
<p>This article provides definitions of and statistics from the report about hacking, malware, and social engineering as well as the related terms pretexting, phishing, and spear phishing.</p>
<p><strong>Hacking</strong></p>
<p>Hacking is a broad term that describes all attempts to intentionally access or harm information assets without or in excess of authorization by thwarting logical security mechanisms. The three methods of hacking utilized most commonly in hacking breaches were exploitation of back doors or command/control functionality, exploitation of default or guessable credentials, and brute force and dictionary attacks, at 73 percent, 67 percent, and 52 percent, respectively. With a back door installed, an attacker can bypass security mechanisms and obtain access without using legitimate channels. Regarding the other two methods, an attacker tries a few well-known combinations of default credentials used on various types of systems and, if necessary, then runs a brute force attack to crack the system.</p>
<p><strong>Malware</strong></p>
<p>Malware is short for malicious software and means any software or code developed or used for compromising or harming information assets without the owner&#8217;s informed consent. Malware enables or prolongs access, captures data, and/or furthers the attack. The most common means of infection for malware is installation or injection by a remote attacker, constituting 81 percent of malware infections. One example is an attacker breaching a system and then deploying malware or injecting code via SQL injection or other Web application input functionality. Web-based malware, the second most common means of infection, comprises code that is auto-executed (also known as drive-by downloads) and code that requires additional user interaction beyond the page visit (e.g., fake audiovisuals scaring users to &#8220;click here to scan and clean your infected system&#8221;).</p>
<p>Sending data to an external site/entity, back door, and keylogger/form-grabber/spyware were the three most common functions found in malware breaches, at 79 percent, 78 percent, and 66 percent, respectively.  A back door allows an attacker unauthorized access to infected devices, and an attacker can install additional malware, use the device as a launch point for further attacks, or retrieve captured data. A keylogger allows an attacker to build a preconfigured remote installation package that will be deployed on a target system that can capture data from user activity.</p>
<p>When malware captures sensitive information, it must be taken out of the organization&#8217;s environment: Either the malware sends it out of the organization (in almost 8 out of 10 incidents involving malware) or the attacker reenters the network to retrieve it. The general rule is that smaller packets are sent out (e.g., credentials captured by keyloggers) while larger amounts of data are retrieved (e.g., the contents of a network file share transmitted through a back door&#8217;s file transfer capabilities).</p>
<p><strong>Social Engineering</strong></p>
<p>In a social engineering attack, an attacker uses human interaction (i.e., social skills) to obtain or compromise information about an organization or its computer systems. Social engineering tactics include deception, manipulation, and intimidation to exploit the human element or users of information assets. An attacker may be able to put together enough information to infiltrate an organization&#8217;s network. If an attacker is not able to gather enough information from one source, the attacker may contact a source within the same organization and rely on the information from the first source to add to his or her credibility. Often, these actions are used together with other types of cyber threats and can be conducted through both technical and nontechnical means.</p>
<p>Solicitation and bribery were the most common type of social engineering tactic, used in 74 percent of social engineering breaches. Solicitation and bribery frequently entail collusion between an external agent and an insider. One party uses petitions, promises, and payments to get another to participate in the crime.</p>
<p><strong>Pretexting</strong></p>
<p>Pretexting was used in 44 percent of social engineering breaches. Pretexting is the practice of getting an individual&#8217;s personal information under false pretenses using a variety of tactics. The pretexter may be able to obtain personal information including a Social Security number, bank and credit card account numbers, information in a credit report, and the existence and size of savings and investment portfolios. However, some information about an individual may be a matter of public record, including whether they own a house, pay their real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.</p>
<p>Counterfeiting and forgery were used in 16 percent of social engineering breaches and can involve everything from websites to documents (e.g., the use of fake credentials (driver&#8217;s licenses, birth certificates, etc.)).</p>
<p><strong>Phishing</strong></p>
<p>Phishing attacks were used in 11 percent of social engineering breaches. Phishing attacks use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. For instance, an attacker may send e-mail appearing to be from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, an attacker can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, like charities. Attackers often take advantage of current events and certain times of the year, including: (1) natural disasters (e.g., Hurricane Katrina), (2) epidemics and health scares (e.g., H1N1), (3) economic concerns (e.g., Internal Revenue Service scams), (4) major political elections, and (5) holidays. Interestingly, phishing attacks are being used more often to gain a toehold in the victim&#8217;s environment through attached malware.</p>
<p><strong>Spear Phishing</strong></p>
<p>Spear phishing involves targeted e-mails that typically are used as a catalyst for individuals to click on hyperlinks or open attachments, allowing the downloading of malicious content to the user&#8217;s device and the unauthorized entry into an organization&#8217;s network. Business activities and products that could be leveraged by an attacker to develop targeted e-mails addressed to individuals within an organization include:</p>
<ul>
<li>media releases</li>
<li>business mergers and acquisitions</li>
<li>business reports/stock reports/financial statements</li>
<li>competing for contracts</li>
<li>awarded contracts</li>
<li>technological breakthroughs</li>
<li>international dealings</li>
<li>other public information of interest to malicious actors</li>
<li>natural disasters</li>
<li>references to the organization in other parties&#8217; public release statements</li>
<li>government/industry events</li>
<li>government or industry work stoppages</li>
<li>international or political events</li>
</ul>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/hacking-malware-and-social-engineering%e2%80%94definitions-of-and-statistics-about-cyber-threats-contributing-to-breaches/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Holding Passwords Hostage – International Extortion Foiled</title>
		<link>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled</link>
		<comments>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled#comments</comments>
		<pubDate>Thu, 19 Jan 2012 14:29:18 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1090</guid>
		<description><![CDATA[I <a href="http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>In a case recently filed  by a Swiss company in federal court in Florida, the company alleged in its complaint that Jerome Westrick, its former computer programmer and minority shareholder, stole a company laptop, hacked into the company’s computer system, changed access codes and passwords, and locked out the company and its customers from getting into its enterprise content management software.    <em>WIT Walchi Innovation Technologies, GMBH v. Westrick</em>, 2012 WL 33164 (S.D. Fl. Jan. 6, 2012).  </p>
<p>Then, Westrick allegedly sought a $300,000 payment to reveal the changed access codes and new passwords.  </p>
<p><strong>The Court Said, “No!”</strong></p>
<p>The ploy did not work.  The court issued a temporary restraining <a href="http://law.justia.com/cases/federal/district-courts/florida/flsdce/1:2012cv20072/392690/9">order</a> requiring the immediate return of the laptop and directing Westrick to maintain its integrity, and directed him not to disclose the passwords and access codes to third parties. </p>
<p><strong>What to Do if This Happens to You</strong></p>
<p>There are a couple of ways to handle this type of theft.  One approach is to go to the Department of Justice or the FBI and file a criminal complaint.  No guarantees – there is no way to predict whether the criminal authorities will investigate and prosecute the case because of competing priorities and limited resources.  If they do, there is no way to predict when they will do it.  In short, you have no control over what, if anything, happens.  </p>
<p>Another approach is to do what this company did.  It wisely filed its complaint alleging various violations of the <a href="http://uscode.house.gov/uscode-cgi/fastweb.exe?getdoc+uscview+t17t20+613+0++%2528computer%20fraud%2529%20%20AND%20%2528%252818%2529%20ADJ%20USC%2529%253ACITE%20AND%20%2528USC%20w%252F10%20%25281030%2529%2529%253ACITE">Computer Fraud and Abuse Act </a>(“CFAA”).  By doing so, it exercised self-help under a law designed to protect against computer crimes, including extortion in relation to computers.  Rather than dealing with a protracted court proceeding, it brought a laser-directed court action that resulted in the return of its property and the end to the extortion.  This of course does not mean that while you are prosecuting your CFAA action, you should not file a complaint with the authorities.  Just understand that what you and your attorney do will likely result in quicker and more efficient justice.</p>
<p><strong>Act Fast</strong></p>
<p>Employees have access to the keys to your kingdom.  Most, when terminated or when they leave, do the right thing.  When they do not, you need to recognize it and act fast.  A court will not grant emergency relief such as a temporary restraining order unless you treat the matter as the emergency it is.  You need to be prepared immediately to:</p>
<ul>
<li>Investigate and gather admissible evidence of the data theft and the extortion that can be presented to a court to justify the entry of an immediate injunction.</li>
<li>Hire expert counsel familiar with the CFAA who can coordinate the investigation with an eye to filing the appropriate court papers.</li>
</ul>
<p>In many instances, as demonstrated by the Westrick case, taking the civil route as opposed to the criminal route is the best course of action.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/general/holding-passwords-hostage-%e2%80%93-international-extortion-foiled/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Think You Own Your LinkedIn, Twitter and Facebook Account?  Think Again.</title>
		<link>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again</link>
		<comments>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again#comments</comments>
		<pubDate>Tue, 03 Jan 2012 13:43:37 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1083</guid>
		<description><![CDATA[You may not, as reflected in the recently reported decision of Eagle v. Morgan, 2011 WL 6739448 (E.D. Pa. December 22, 2011) where both the employee and her former employer claim ownership in the employee’s LinkedIn account, the popular social networking site for business professionals. The dispute is starkly drawn in the litigation’s opposing pleadings and provides a strong warning to the hundred million plus LinkedIn users and other users of social media who operate under the assumption that their social media accounts belong solely to them to transfer as they please when they change jobs. The facts in the &#8230; <a href="http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>You may not, as reflected in the recently reported decision of <em>Eagle v. Morgan</em>, 2011 WL 6739448 (E.D. Pa. December 22, 2011) where both the employee and her former employer claim ownership in the employee’s LinkedIn account, the popular social networking site for business professionals.  The dispute is starkly drawn in the litigation’s opposing pleadings and provides a strong warning to the hundred million plus LinkedIn users and other users of social media who operate under the assumption that their social media accounts belong solely to them to transfer as they please when they change jobs.</p>
<p>The facts in the <em>Eagle</em> case will sound familiar to all social media mavens who use sites like LinkedIn to promote their businesses and professional careers.  The plaintiff Linda Eagle, a Ph.D. in communications and psychology, established her LinkedIn account in 2008 after she and others founded Edcomm, Inc., (“Edcomm”) to train individuals to work in the financial services industry.  Like others who sign up for a free account with LinkedIn, Dr. Eagle’s complaint alleges she had to assent to a user agreement “which constitutes “a legally binding agreement with LinkedIn Corporation” and, as such, “information provided to LinkedIn is owned by the LinkedIn user, subject to the other terms of the User Agreement.”  <em>Id</em>. at *1.  </p>
<p>According to LinkedIn’s terms of use, “[u]sers can maintain only one LinkedIn account at a time” and “Dr. Eagle [as alleged in her complaint] used her account to promote Edcomm&#8217;s banking education services; foster her reputation as a businesswoman; reconnect with family, friends, and colleagues; and build social and professional relationships.” <em>Id</em>.</p>
<p>In October 2010 Sawabeh Information Services Company (“SISCOM”) purchased Edcomm.  Dr. Eagle initially remained employed by SISCOM as its CEO, but approximately 6 months later Edcomm involuntarily terminated her employment.  According to Dr. Eagle’s complaint, Edcomm then hijacked her LinkedIn account using her LinkedIn password.  Her complaint alleges that Edcomm used her password “to gain unauthorized access” to her account, “changed the password,” and “then changed Dr. Eagle’s account profile to display” Edcomm’s new CEO’s “name and photograph” “but Dr. Eagle’s honors and awards, recommendations and connections.”  <em>Id</em>. at *2.  The complaint alleges that Edcomm “used Dr. Eagle&#8217;s account both to prevent her connections from reaching her, and to acquire business connections for the benefit of  . . . [the new CEO] and Edcomm.”  <em>Id.</em></p>
<p>In response Edcomm filed a counterclaim alleging facts that Dr. Eagle’s LinkedIn account had been established and used for the benefit of Edcomm at Edcomm’s expense.  Thus, the counterclaim alleges “that Edcomm, while under Dr. Eagle&#8217;s management, implemented a policy requiring Edcomm&#8217;s employees to create and maintain LinkedIn accounts.”  <em>Id</em>. at *3.  All Edcomm executive employees, as a matter of company policy, were required “to: (a) utilize their Edcomm email address for LinkedIn accounts; (b) utilize a specific form template, created and approved by Edcomm, for their description of Edcomm, work history, and professional activities, as well as photographs taken by a professional photographer hired by Edcomm; (c) contain links to Edcomm&#8217;s website on LinkedIn accounts and the Banker&#8217;s Academy webpage, as well as Edcomm&#8217;s telephone number; and (d) utilize Edcomm&#8217;s template for replying to individuals through LinkedIn.”  <em>Id.</em>  The counterclaim further alleges that “[c]ertain Edcomm employees monitored these LinkedIn accounts, corrected any violations of Edcomm policy, and maintained accounts for several employees for the benefit of Edcomm” and that “all discussions, connections, and content were added by” Edcomm employees.  <em>Id.</em></p>
<p>In short, Edcomm alleges that “Dr. Eagle&#8217;s LinkedIn account was used for Edcomm business and Edcomm personnel developed and maintained all connections and much of the content on her account” and that Dr. Eagle, who regained control of her LinkedIn account after initiating her lawsuit, had “wrongfully misappropriated both Edcomm&#8217;s connections on the LinkedIn account and Edcomm&#8217;s telephone number constituting Edcomm’s proprietary information on the account.”  <em>Id.</em></p>
<p>Based on these dueling allegations both sides filed numerous claims against each other.  Dr. Eagle alleges violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. §1030, violation of Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(1)(A), unauthorized use of name in violation of 42 Pa.C.S. § 8316, invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft under 42 Pa.C.S. § 8315, conversion, tortious interference with contract, civil conspiracy and civil aiding and abetting.  <em>Id</em>. at *2.  Edcomm also alleges violations of the CFAA, misappropriation, conversion, tortious interference with contract but added claims for unfair competition and a violation of the Pennsylvania trade secret law.  </p>
<p>Dr. Eagle moved to dismiss all of Edcomm’s claims on the ground that they do not, as a matter of law, allege facts constituting proper claims for relief.  The court granted Dr. Eagle’s motion to dismiss all of Edcomm’s claims except for two Pennsylvania law causes of action, 1) misappropriation of an idea and 2) unfair competition that is essentially based on the same elements of the misappropriation claim.  Under Pennsylvania law misappropriation of an idea requires the plaintiff to prove that 1) the plaintiff had an idea that was novel and concrete and 2) the idea was misappropriated by the defendant.  <em>Id</em>. at *13.   As the court explained, </p>
<blockquote><p>[t]o determine whether an idea has been misappropriated, Pennsylvania courts look to the three elements of common law misappropriation:<br />
(1) the plaintiff “has made substantial investment of time, effort, and money into creating the thing misappropriated such that the court can characterize the ‘thing’ as a kind of property right,” (2) the defendant “has appropriated the ‘thing’ at little or no cost such that the court can characterize the defendant&#8217;s actions as ‘reaping where it has not sown,’” and (3) the defendant “has injured the plaintiff by the misappropriation.”</p></blockquote>
<p><em>Id.</em>  </p>
<p>In refusing to dismiss the misappropriation and unfair competition counts the court relied on the allegations in Edcomm’s counterclaim that “Edcomm personnel, not Dr. Eagle, developed and maintained all connections and much of the content on the LinkedIn Account, actions that were taken solely at Edcomm&#8217;s expense and exclusively for its own benefit.”  <em>Id</em>.  The court stated, “[w]hile Plaintiff argues that Edcomm fails to allege facts that would show that it made a substantial investment of time, effort, and money into creating the cell phone number or LinkedIn account, Edcomm counters that its employees developed the accounts and maintained the connections, which are the route through which Edcomm contacts instructors and specific personnel within its clients.”  Thus, the court held that “these conflicting allegations create an issue of fact requiring further discovery.”  <em>Id</em>.</p>
<p>With businesses like Edcomm actively encouraging their employees to use social media as a marketing tool, there can be little doubt that litigation over the ownership of social media accounts is likely to increase.  Just last July PhoneDog.com, a popular mobile phone site, sued in federal district court in California a former employee who had amassed approximately 17,000 followers on Twitter claiming that the followers constituted a company-owned customer list entitling it to $2.50 per month per follower or $350,000 in total damages.  The only way to avoid the inevitable lawsuits over the ownership of these accounts is for both employers and employees to be proactive in establishing ownership rights prior to using individual social media accounts as a marketing tool.  </p>
<p>From the employer’s standpoint this ownership issue is a prime reason why employers should adopt social media policies clarifying who owns the social media accounts and ownership rights when the employment relationship is terminated.  For example, it may make sense to allow employees using LinkedIn to keep their accounts but cleanse them of information that belongs to the employer because of the employer’s financial investment in the site and to ensure the employee is no longer associated as a spokesperson for his former employer.  As a strategy to minimize, and perhaps avoid litigation altogether, an agreement between the employer and employee delineating the post-employment rights of both the employee and employer to the account would seem the most efficient way to deal with this issue.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/think-you-own-your-linkedin-twitter-and-facebook-account-think-again/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Can You Go to Jail for Lying on Facebook?</title>
		<link>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook</link>
		<comments>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook#comments</comments>
		<pubDate>Wed, 21 Dec 2011 19:18:04 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1072</guid>
		<description><![CDATA[During last week’s oral argument before the 9th Circuit Court of Appeals on the case of U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account. The full oral argument can be viewed at the &#8230; <a href="http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>During last week’s oral argument before the 9th Circuit Court of Appeals on the case of <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), <em>reh’g en banc granted</em> (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account.   The full oral argument can be viewed at the following:  <a href="http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176">click</a></p>
<p>The CFAA makes it a crime to gain unauthorized access to a computer.  The questioning was premised on Facebook’s terms of service that prohibit a member of the public from providing false information in signing up for a Facebook account.  The concern expressed by another Judge in the argument is that a violation of Facebook’s rules such as lying about one’s age would mean that access to Facebook is unauthorized and thus the person is subject to criminal prosecution under the CFAA.  For a number of reasons this is a non-issue and, to the extent there is any issue, it is up to Congress, not the 9th Circuit, to remedy it.</p>
<p>First, it should be pointed out that the Nosal case does not involve a criminal defendant accessing Facebook.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. The issue before the 9th Circuit is limited to whether Nosal exceeded his authorized access to his employer’s computers when he violated Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers to “legitimate Korn/Ferry business.”  <em>Id.</em></p>
<p>Second, the fear that a minor offense such as lying on Facebook could be prosecuted is not unique to the CFAA.  The wire fraud statute, for example, makes it a crime to engage in a scheme to defraud using interstate wires in furtherance of the scheme.  On its face the wire fraud statute could theoretically not only be used against someone who lies on Facebook but could be applied against a college student who calls home asking his parents to wire him money for books, when in fact he intentionally lied, planning to use the money to buy beer.  </p>
<p>No one has ever seriously argued that this potential misuse of prosecutorial discretion makes the wire fraud statute unconstitutional.  Not only has no one ever been prosecuted for simply lying about their age on Facebook, the concern raised over the misuse of federal criminal statutes is totally overblown as evidenced by the fact that the Department of Justice does not bring frivolous wire fraud prosecutions based on common lies that have no meaningful harmful impact.  Nor is the CFAA unconstitutionally vague.  The only Circuit case that has addressed this issue, <em>U.S. v. Mitra</em>, 405 F.3d 492, 496 (8th Cir. 2005), held that “[t]here is no constitutional obstacle to enforcing broad but clear statutes” and that “[t]he statute gives all the notice that the Constitution requires.”  </p>
<p>The only government prosecution under the CFAA predicated, in part, on lying about one’s age in signing up for a social networking site, was brought against Lori Drew in the federal court in Los Angeles.  Judge Kozinski referenced this prosecution in the oral argument.  The <em>Drew </em>case, however, was not a prosecution predicated solely on Drew lying about her age.  Drew was a 49-year-old woman who, according to the government’s indictment, used a MySpace account to harass and torment a 13-year-old girl, who, as a result, committed suicide.  Drew perpetrated what has been referred to as cyberbullying by posing as a fictitious 16-year-old boy in violation of MySpace’s terms of service that required her, among other things, to provide truthful information on MySpace and not use MySpace to harass, abuse or harm other people or solicit personal information from anyone younger than 18. </p>
<p>No one can seriously argue that the allegations in the indictment were not serious conduct worthy of a criminal prosecution.  In that case the jury convicted Drew of a misdemeanor for unauthorized access to MySpace’s website and did not convict her of the felony for doing so with the purpose of intentionally inflicting emotional distress on the young girl.  The Department of Justice chose not to appeal that decision to the 9th Circuit.</p>
<p>Third and finally, it is not up to the courts to decide whether the CFAA is good or bad policy.  Judge Kozinski responded to the government attorney at the argument stating that it “would be exceedingly bad policy to give the hands of the government the ability to prosecute everybody who has access to a computer” who might violate Facebook’s terms of service.  Whether it is or is not bad policy is not within the purview of the courts.  Under the Constitution it is Congress that writes the laws, and it is the court’s obligation to enforce them. </p>
<p>The bottom line – someone who does nothing more than lie about their age on Facebook and violates Facebook’s terms of service could theoretically be prosecuted under the CFAA, but that does not make it unconstitutional or even a realistic concern.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>U.S. v. Nosal Re-Argued Before the 9th Circuit</title>
		<link>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit</link>
		<comments>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit#comments</comments>
		<pubDate>Mon, 19 Dec 2011 22:52:03 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1057</guid>
		<description><![CDATA[On December 15, 2011, the 9th Circuit Court of Appeals heard argument en banc in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011). As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act. The issue is whether an employee can be prosecuted under the CFAA for accessing his employer&#8217;s computer in violation of rules established by the employer restricting access to the company computers. In Nosal, the 9th Circuit had clarified its earlier decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, &#8230; <a href="http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>On December 15, 2011, the 9th Circuit Court of Appeals heard argument <em>en banc </em>in <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011).  As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act.  The issue is whether an employee can be prosecuted under the CFAA for accessing his employer&#8217;s computer in violation of rules established by the employer restricting access to the company computers.  In <em>Nosal</em>, the 9th Circuit had clarified its earlier decision in <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1131 (9th Cir. 2009).  A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.” </p>
<p><em>Brekka</em> had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor.  Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.”  <em>Id</em>. at 782.  The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.”  They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” <em>Id.  </em></p>
<p>The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the <em>Brekka</em> decision.  The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id.</em>  The government argued that, based on these policies, Nosal had exceeded authorized access. </p>
<p>The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.” <em>Id</em>. at 785. Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” <em>Id.</em>  The government stressed this interpretation in its argument to the 9th Circuit.</p>
<p><em>Nosal</em> distinguished <em>Brekka</em> on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.” <em>Id</em>. at 787. The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” <em>Id</em>. at 788.  The full 9th Circuit, however, on October 27, 2011, granted <em>en banc</em> re-consideration to its opinion on October 28, 2011.  </p>
<p>The primary argument advanced by Nosal’s counsel was that the CFAA only applies to hacking and that access cannot be unauthorized unless the employee circumvents the technology of the computer.  In response to questioning by the court, Nosal’s counsel stated that using another’s password would qualify as a circumvention of the computer’s technology.  This argument dismisses as irrelevant any written policies or agreements that limit the scope of an employee’s access to the employer’s computers and the First Circuit’s recognition without reference to the computer’s technology that the “CFAA&#8230;is primarily a statute imposing limits on access and enhancing control by information providers.”  <em>EF Cultural Travel B.V. v. Zefer Corp</em>., 318 F.3d 58, 63 (1st Cir. 2003).   </p>
<p>In rebuttal the government rightly pointed out that there is nothing in the language of the statute that limits the definition of authorized access to the circumvention of technology.  Given the Supreme Court’s recent admonition to the lower courts in <em>Morrison v. National Australia Bank, Ltd.</em>, 130 S.Ct. 2869, 2881 (2010), not to add requirements to a statute that are not on its face, this should be a losing argument.  The Court in <em>Morrison </em>expressly warned against such “judicial-speculation-made-law-divining what Congress would have wanted if it had thought of the situation before the court.”  <em>Id.</em></p>
<p>Based on the questioning by various members of the court, it appears that its decision in <em>Nosal </em>will not be reversed.  You can decide for yourself.  The full argument from last week can be heard at the following link: <a href="http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176">http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176</a></p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Suing Employees for Computer Fraud Gets Easier</title>
		<link>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier</link>
		<comments>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier#comments</comments>
		<pubDate>Mon, 07 Nov 2011 20:08:37 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1042</guid>
		<description><![CDATA[Four separate circuit court rulings this year enhanced the ability of businesses to use Computer Fraud and Abuse Act.     To print or view this article as a pdf go to: link By Nick Akerman  Four recent decisions handed down by four different federal courts of appeals during the past year have, in combination, greatly enhanced the ability of businesses to use the Computer Fraud and Abuse Act (CFAA) as a tool to protect competitively sensitive data and personal information stored in company computers. The CFAA is the federal computer crime statute that permits companies that have been victimized by &#8230; <a href="http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>Four separate circuit court rulings this year enhanced the ability of businesses to use the Computer Fraud and Abuse Act.     </p>
<p>To print or view this article as a pdf go to: <a href="http://www.dorsey.com/files/upload/Akerman_NLJ_nov_11.pdf"> link</a></p>
<p>By Nick Akerman </p>
<p>Four recent decisions handed down by four different federal courts of appeals during the past year have, in combination, greatly enhanced the ability of businesses to use the Computer Fraud and Abuse Act (CFAA) as a tool to protect competitively sensitive data and personal information stored in company computers. The CFAA is the federal computer crime statute that permits companies that have been victimized by theft or destruction of data to file a civil action against the perpetrator for damages and injunctive relief. 18 U.S.C. 1030(g). </p>
<p> The U.S. Court of Appeals for the 9th Circuit settled the issue of an employer’s ability to use the CFAA against employees, although just last week it granted an en banc rehearing of its decision; the 6th Circuit permitted the statute to be used against a labor union that shut down an employer’s computer system through a massive spam attack; the 3d Circuit broadened the definition of unauthorized access to the company computer to mean accessing without a business purpose; and the 8th Circuit expanded the definition of what it means to obtain information from the computer to include the simple viewing of data as opposed to physically taking or copying data. </p>
<p>The most significant of these decisions is <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011), <em>reh’g en banc granted </em>(Oct. 27, 2011). In <em>Nosal</em>, the 9th Circuit clarified its earlier decision in <em>LVRC Holdings LLC v. Brekka</em>, 581 F.3d 1127, 1131 (9th Cir. 2009), which up until now had been relied upon by numerous district courts in and out of the 9th Circuit as a bar to using the CFAA against employees who stole their employer’s computer data.  A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed-[ed] authorized access.” </p>
<p><em>Brekka</em> had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.  David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” <em>Id</em>. at 782. The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.”  They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” <em>Id.</em><br />
 <br />
The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the <em>Brekka</em> decision. The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.”  <em>Id</em>. The government argued that, based on these policies, Nosal had exceeded authorized access. </p>
<p>The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.”  <em>Id</em>. at 785.  Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” <em>Id.</em><br />
  <br />
The 9th Circuit distinguished its decision in <em>Brekka</em> on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.”  <em>Id</em>. at 787.  The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.”  <em>Id</em>. at 788.  After <em>Nosal</em> it is now universally accepted among the federal circuit courts that have addressed this issue that the CFAA applies to employees who violate company computer policies limiting the scope of their access to the company computers. </p>
<p>The 6th Circuit in <em>Pulte Homes Inc. v. Laborers’ International Union of North America</em>, 648 F.3d 295, 299 (6th Cir. 2011), went one step further and upheld a CFAA complaint against not a single employee but a labor union that in the course of a labor dispute had “bombarded” the computer systems of the employer’s sales and executive offices with e-mails and voicemails, making it impossible for the company to communicate with its customers and vendors.  The complaint alleged that “[t]o generate a high volume of calls,…[the union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder].  It also encouraged its members, through postings on its website, to ‘fight back’ by using…[the union’s] server to send e-mails to specific Pulte executives. Most of the calls and e-mails concerned Pulte’s purported unfair labor practices, though some communications included threats and obscene language.” <em>Id.</em>  </p>
<p>The CFAA claim charged the union with “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. 1030(a)(5)(A). The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” § 1030(e)(8). The court found the CFAA allegations sufficient in that “the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails,” and the complaint showed that the union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system.” <em>Id</em>. at 301, 303.<br />
  <br />
The 3d Circuit’s decision in <em>U.S. v. Tolliver</em>, 2011 WL 4090472 at *1 (3d Cir. Sept. 15, 2011), made clear that company policies, such as those relied upon in Nosal, are not the only way to prove that an employee accessed the company computer “without authorization.”  The court upheld the CFAA conviction of Regina Tolliver, a former bank teller for Citizens Bank who provided confidential customer account information to “check runners” who “cashed fraudulent checks against the accounts of seven Citizens Bank customers in branches in upstate New York, western Pennsylvania, and Delaware.”  <em>Id</em>.  Without reference to any bank policies the court held that “there was sufficient evidence” upon which “the government established that Tolliver exceeded her authorized access” because “she did not have a business purpose” to access the customers’ accounts.  <em>Id.</em> at *5.  </p>
<p>While Tolliver actually removed data from her employer’s computer to facilitate the writing of fraudulent checks, the employee in <em>U.S. v. Teague</em>, 646 F.3d 1119 (8th Cir. 2011), only viewed data in the computer, did not remove it and did not use it.  Yet the 8th Circuit applied the CFAA to these facts and, in doing so, upheld the criminal conviction of Sandra Teague, an employee of a government contractor for the U.S. Department of Education, for accessing President Obama’s record in the National Student Loan Data System. </p>
<p>She had been convicted of violating the CFAA for exceeding unauthorized access to a computer in violation of 18 U.S.C. 1030 (a)(2)(B). This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information from the computer.  Based solely on her viewing the Obama student loan data, the court found the government had proved the critical CFAA element of having obtained information.  </p>
<p>Although not acknowledged by the 8th Circuit, this decision is at odds with the 1st Circuit’s ruling 14 years ago in <em>U.S. v. Czubinski</em>, 106 F.3d 1069, 1078 (1st Cir. 1997), in which the court overturned the CFAA conviction of Richard Czubinski, an Internal Revenue Service employee, who had exceeded his authorized access to an IRS computer by “merely” viewing restricted tax information relating to “friends, acquaintances, and political rivals.”  The court held that the proof was insufficient because there must be a “showing of some additional end—to which the unauthorized access is a means.”  <em>Id</em>.  However, given the CFAA’s plain language, which does not require the physical removal or copying of data, the obvious privacy concerns resulting from viewing data, and the universal recognition that memorizing information can be as detrimental as taking a physical copy of the data itself, the 8th Circuit view is likely to prevail as the accepted standard. </p>
<p>In sum, four circuit courts independently rendered decisions this year that have greatly facilitated and expanded an employer’s ability to use the CFAA against employees who engage in computer crime directed at the company’s computers.  The state of the law of course could drastically change in the near future if the 9th Circuit reverses itself on <em>Nosal</em> in its en banc re-consideration, thus leaving it to the Supreme Court to determine the applicability of the CFAA in the employer/employee context.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The Securities and Exchange Commission’s Guidance On Cybersecurity and Cyber Incident Disclosure</title>
		<link>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure</link>
		<comments>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure#comments</comments>
		<pubDate>Mon, 31 Oct 2011 20:27:57 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1039</guid>
		<description><![CDATA[BY MELISSA J. KRASNOW Background The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities. The SEC said recently that it has observed ‘‘an increased level of attention focused on cyberattacks.’’ The rash of costly cyberattacks against companies like Epsilon and Sony, among others, gave the SEC cause to implement new cybersecurity disclosure requirements. On Oct. 13 the SEC Division of Corporation Finance issued guidance for public companies regarding their disclosure obligations relating to cybersecurity (i.e., the body of technologies, processes and practices designed to protect networks, systems, computers, &#8230; <a href="http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>BY MELISSA J. KRASNOW</p>
<p><strong>Background</strong><br />
The U.S. Securities and Exchange Commission on occasion provides disclosure guidance on topics of interest to the business and investment communities.  The SEC said recently that it has observed ‘‘an increased level of attention focused on cyberattacks.’’ </p>
<p>The rash of costly cyberattacks against companies like Epsilon and Sony, among others, gave the SEC cause to implement new cybersecurity disclosure requirements. </p>
<p>On Oct. 13 the SEC Division of Corporation Finance issued guidance for public companies regarding their disclosure obligations relating to cybersecurity (i.e., the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access) risks and cyber incidents in light of a public company’s specific facts and circumstances.  The guidance is not a rule, regulation or statement of the SEC.</p>
<p>The federal securities laws are designed in part for disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.  Although no disclosure requirement specifically refers to cybersecurity risks and cyber incidents, the guidance provides an overview of the following particular disclosure obligations that may require discussion of cybersecurity risks and cyber incidents: (1) risk factors, (2) management’s discussion and analysis of financial condition and results of operations (MD&amp;A), (3) description of business, (4) legal proceedings, (5) financial statement disclosure and (6) disclosure controls and procedures.</p>
<p><strong>Risk factors</strong></p>
<p>A public company should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.  A cybersecurity risk disclosure made by a company must adequately describe the nature of the material risks and specify how each risk affects the particular public company. Generic risk factor disclosure should be avoided.</p>
<p>A public company should evaluate its cybersecurity risks and consider previous cyber incidents (including severity and frequency), the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks (including the potential costs and other consequences).  In evaluating whether risk factor disclosure should be provided, a public company also should consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which it operates and risks to that security (including threatened attacks it is not aware of).</p>
<p>Examples of disclosures may include: (1) discussion of aspects of the public company’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences; (2) to the extent the public company outsources functions that have material cybersecurity risks, a description of those functions and how the public company addresses those risks; (3) a description of cyber incidents experienced by the public company that are individually, or in the aggregate, material, including a description of the costs and other consequences; (4) risks related to cyber incidents that may remain undetected for an extended period and (5) a description of relevant insurance coverage.</p>
<p>The federal securities laws do not require disclosure that itself would compromise a public company’s cybersecurity. Instead, a public company should provide sufficient disclosure to allow investors to appreciate the nature of the risks that it faces in a manner that would not have that consequence.</p>
<p><strong>Management’s discussion and analysis (MD&amp;A) of financial condition and results of operations</strong></p>
<p>A public company should address cybersecurity risks and cyber incidents in MD&amp;A if the costs or other consequences associated with known incidents or the risk of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on its results of operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.</p>
<p><strong>Description of business</strong></p>
<p>In ‘‘Description of Business’’ a public company should provide disclosure if one or more cyber incidents materially affect its products, services, relationships with customers or suppliers or competitive conditions.  In determining whether to provide disclosure, a public company should consider the impact on each of its reportable segments.</p>
<p><strong>Legal proceedings</strong></p>
<p>In ‘‘Legal Proceedings’’ a public company may need to provide disclosure if it or any subsidiary is a party to a material pending legal proceeding that involves a cyber incident.  By way of example, if a significant amount of customer information is stolen, resulting in material litigation, the public company should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties, a description of the factual basis alleged to underlie the litigation and the relief sought.</p>
<p><strong>Financial statement disclosure</strong></p>
<p>Before a cyber incident, a public company may incur substantial costs to prevent cyber incidents.  During and after a cyber incident, a public company may seek to mitigate damages by providing customers with incentives to maintain the business relationship.  In addition, cyber incidents may result in losses from asserted and unasserted claims, including warranties, breach of contract, product recall and replacement and indemnification of counterparty losses from their remediation efforts.  If losses are probable and reasonably estimable, a public company should determine when to recognize a liability. Also, a public company must provide certain disclosures of losses that are at least reasonably possible.</p>
<p>Cyber incidents may also result in diminished future cash flows, requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software and inventory.  A public company may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications.  A public company should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements.  A public company must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.  Estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue.</p>
<p>To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, a public company should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.  If the incident is a material nonrecognized subsequent event, the financial statements should disclose the nature of the incident and an estimate of its financial effect or a statement that such an estimate cannot be made.</p>
<p><strong>Disclosure controls and procedures</strong></p>
<p>Where cyber incidents pose a risk to a public company’s ability to record, process, summarize, and report information that is required to be disclosed in SEC filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.  By way of example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a public company’s information systems, a public company may conclude that its disclosure controls and procedures are ineffective.</p>
<p><strong>Steps to take</strong></p>
<p>Public companies should review the adequacy of their disclosure relating to cybersecurity risks and cyber incidents at present and on an ongoing basis.  This review could implicate different areas, including legal, accounting, privacy, information technology, risk management/insurance and corporate communications. SEC disclosure considerations should be taken into account in terms of company preparation for cyber incidents and in applicable company policies, procedures and practices.  Finally, a public company should review its insurance coverage relating to cybersecurity and cyber incidents, if any, in light of the guidance (e.g., risk factor disclosure).</p>
<p>Melissa J. Krasnow, a partner in the Corporate Group of Dorsey &amp; Whitney LLP in Minneapolis, is a Certified Information Privacy Professional and serves on the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>Reproduced with permission from BNA’s Privacy &amp; Security Law Report, Vol. 10, No. 43, (Oct. 31, 2011). Copyright 2011 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com.  </p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/the-securities-and-exchange-commission%e2%80%99s-guidance-on-cybersecurity-and-cyber-incident-disclosure/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>9th Circuit Grants Rehearing En Banc on Nosal</title>
		<link>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal</link>
		<comments>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal#comments</comments>
		<pubDate>Fri, 28 Oct 2011 19:17:08 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Recent Updates]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1034</guid>
		<description><![CDATA[On October 27, 2011, the 9th Circuit Court of Appeals ordered that U.S. v. Nosal be reheard en banc by all of the Appeals Court judges and that the &#8220;three-judge panel opinion [in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011)] shall not be cited as precedent by or to any court of the Ninth Circuit.&#8221; If the 9th Circuit should reverse its decision in Nosal, it is highly likely that this case will be headed for the U.S. Supreme Court. The 9th Circuit&#8217;s reversal of Nosal would create a conflict between the 9th Circuit and the 1st, 3rd, &#8230; <a href="http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>On October 27, 2011, the 9th Circuit Court of Appeals ordered that <em>U.S. v. Nosal</em> be reheard en banc by all of the Appeals Court judges and that the &#8220;three-judge panel opinion [in <em>U.S. v. Nosal</em>, 642 F.3d 781 (9th Cir. 2011)] shall not be cited as precedent by or to any court of the Ninth Circuit.&#8221;  If the 9th Circuit should reverse its decision in <em>Nosal</em>, it is highly likely that this case will be headed for the U.S. Supreme Court.  The 9th Circuit&#8217;s reversal of <em>Nosal </em>would create a conflict between the 9th Circuit and the 1st, 3rd, 5th, 7th, 8th and 11th Circuits on the issue of whether the Computer Fraud and Abuse Act can be applied in the employer/employee context.  </p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/recent-updates/9th-circuit-grants-rehearing-en-banc-on-nosal/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unauthorized Access of President Obama’s Student Loan Data Ends in Computer Fraud Conviction</title>
		<link>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction</link>
		<comments>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction#comments</comments>
		<pubDate>Tue, 06 Sep 2011 12:49:28 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1019</guid>
		<description><![CDATA[The Eighth Circuit Court of Appeals upheld the criminal conviction of Sandra Teague for accessing President Obama’s data in the National Student Loan Data System during her employment at a government contractor for the Department of Education. U.S. v. Teague, 646 F.3d 1119 (8th Cir. 2011). She was indicted and convicted by a jury for one count of exceeding unauthorized access to a computer in violation of 18 U.S.C. § 1030 (a)(2)(B), of the Computer Fraud and Abuse Act (“CFAA”). This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information &#8230; <a href="http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>The Eighth Circuit Court of Appeals upheld the criminal conviction of Sandra Teague for accessing President Obama’s data in the National Student Loan Data System during her employment at a government contractor for the Department of Education.  <em>U.S. v. Teague</em>, 646 F.3d 1119 (8th Cir. 2011).  She was indicted and convicted by a jury for one count of exceeding unauthorized access to a computer in violation of 18 U.S.C. § 1030 (a)(2)(B), of the Computer Fraud and Abuse Act (“CFAA”).  This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information from a department or agency of the government.  She was sentenced to two years probation.  This decision is significant not because the victim of the computer intrusion was the President of the United States, but because it greatly expands the breadth and reach of the CFAA.  </p>
<p>The proof at trial was wholly circumstantial, but, as the court found, was sufficient for the jury to convict.  As the court explained, “the government introduced evidence establishing that on August 27, 2008, Teague&#8217;s user ID accessed Obama&#8217;s records, as well as the records of Marc Martin, Teague&#8217;s nephew.  Critically, Teague admitted to conducting the Marc Martin search.  Furthermore, the government introduced testimony that there was no timeout between the Obama search and the Marc Martin search.  Based on this cumulative evidence, the jury could reasonably conclude the Obama search, which was part of one continuous session with the Marc Martin search, was also conducted by Teague.”  Id. at 1122.  In affirming the conviction the court also relied on Teague’s trial testimony that “was not particularly credible” and her false exculpatory statements to Department of Education Agents.  Id.</p>
<p>What is significant about the proof in this case is the lack of any evidence that Teague did anything with the information she accessed.  The proof at trial only showed that she had viewed Obama’s student loan records, not that she published it, used it or did anything with it.  Based solely on her viewing the Obama student loan data, the court found the government had proved the critical CFAA element of having obtained information.   Obtaining information is not only a critical element to prove unauthorized access to a government computer but is also a critical element to prove both certain criminal and civil violations of the CFAA for unauthorized access to private computers. </p>
<p>While not acknowledged by the <em>Teague</em> court, this decision is at odds with the First Circuit’s ruling 14 years ago in <em>U.S. v. Czubinski</em>, 106 F.3d 1069, 1078 (1st Cir. 1997), in which the court held that there was insufficient proof to affirm a CFAA conviction when Czubinski, an IRS employee, had exceeded his authorized access to the IRS computer but “merely” viewed restricted tax information relating to “friends, acquaintances, and political rivals.”  There must be a “showing of some additional end—to which the unauthorized access is a means.”  <em>Id</em>.  </p>
<p>Ultimately, the U.S. Supreme Court may have to resolve this split in the two circuit opinions.  Based on recent precedent, most notably <em>Morrison v. National Australia Bank, Ltd.</em>, 130 S.Ct. 2869 (2010), the Supreme Court, having warned against judicial legislating by engrafting requirements on a statute that are not supported by the plain language of the statute, is likely to side with <em>Teague</em>.  There is nothing in the plain language of the CFAA that requires proof of “some additional end to which the unauthorized access is a means.”  It simply requires proof of obtaining information.  </p>
<p>Also, in light of privacy concerns and the dangers posed by the use of memorized data taken from the unauthorized access to computers, there is no good policy reason not to interpret “obtaining information” as simply viewing it.  By adopting the 1st Circuit’s limitation on the CFAA, there is nothing to stop the low-tech computer thief &#8212; someone who uses a cellphone to record the viewed data or copies it down with pen and paper with no evidentiary traces left on the computer.  In short, this case correctly broadens the reach of the CFAA beyond the 1st Circuit’s view in 1997 and is the likely view to be adopted by the Supreme Court.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/unauthorized-access-of-president-obama%e2%80%99s-student-loan-data-ends-in-computer-fraud-conviction/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Massachusetts Attorney General Enforcement Action: Data Breach, the Massachusetts Privacy Regulation and the Payment Card Industry Data Security Standard (PCI DSS)</title>
		<link>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss</link>
		<comments>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss#comments</comments>
		<pubDate>Tue, 23 Aug 2011 20:40:53 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1011</guid>
		<description><![CDATA[Melissa J. Krasnow, Dorsey &#38; Whitney LLP In March 2011, a Final Judgment by Consent was issued in Massachusetts v. Briar Group, LLC, which involves a 2009 Massachusetts data breach and implicates the Massachusetts privacy regulation and the Payment Card Industry Data Security Standard (&#8220;PCI DSS&#8221;).1 The Massachusetts privacy regulation applies to a person or entity that owns or licenses personal information about a Massachusetts resident, meaning their first and last name or first initial and last name in combination with a (i) Social Security Number, (ii) driver’s license or state‐issued identification card number or (iii) financial account number or &#8230; <a href="http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>Melissa J. Krasnow, Dorsey &amp; Whitney LLP</p>
<p>In March 2011, a Final Judgment by Consent was issued in Massachusetts v. Briar Group, LLC, which involves a 2009 Massachusetts data breach and implicates the Massachusetts privacy regulation and the Payment Card Industry Data Security Standard (&#8220;PCI DSS&#8221;).1</p>
<p>The Massachusetts privacy regulation applies to a person or entity that owns or licenses personal information about a Massachusetts resident, meaning their first and last name or first initial and last name in combination with a (i) Social Security Number, (ii) driver’s license or state‐issued identification card number or (iii) financial account number or credit card or debit card number. Such person or entity must implement and maintain a comprehensive, written information security program. The Massachusetts Attorney General enforces the Massachusetts privacy regulation. The deadline for compliance with the Massachusetts privacy regulation was March 1, 2010.2</p>
<p>The Payment Card Industry Security Standards Council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) sets and enforces PCI DSS, which contains requirements for a secure payments environment framework for any business that stores, processes or transmits payment cardholder data. For example, a business that accepts or processes payment cards must comply with PCI DSS.  Interestingly, the following three states have laws addressing compliance with PCI DSS – Minnesota (which is based on, but does not specifically reference, PCI DSS) and Nevada and Washington (which each specifically reference PCI DSS).3</p>
<p>The Briar Group, a Boston restaurant chain owner and operator, reported a data breach to the Massachusetts Attorney General on or around November 24, 2009. In April 2009, the Briar Group experienced a data breach when malcode was installed on its computer systems and allowed hackers access to customers&#8217; credit card and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009.</p>
<p>The Briar Group entered into an agreement to resolve the alleged claims of the Massachusetts Attorney General that the Briar Group engaged in unfair or deceptive acts or practices in violation of the Massachusetts consumer protection law by accepting credit cards and debit cards from consumers for transactions at their restaurants but failing to protect their personal information.4 Hackers using malware were possibly able to gain access to the computer system of the Briar Group and extract customer credit card and debit card information due to the failure of the Briar Group to implement basic data security measures.</p>
<p>Specifically, this included (i) failing to comply with PCI DSS, (ii) failing to change default user names and passwords on its Micros Point of Sale computer system, (iii) failing to change passwords in its computer network for more than five years, (iv) allowing multiple employees to share common usernames and passwords, (v) failing to modify passwords after employee termination or resignation, (vi) failing to adequately control the number of employees with administrative access to the Briar Group’s computer network, (vii) failing to properly secure remote access utilities and wireless network, (viii) continuing to accept consumer credit cards and debit cards when the Briar Group knew of a data breach and failing to alert its patrons to the data breach while malcode remained on its computer system and (ix) storing payment card information in clear text on its servers.</p>
<p>The Briar Group agreed to (i) comply with and verify its compliance with PCI DSS with the Massachusetts Attorney General’s Office, (ii) not knowingly maintain on its network after the authorization process the full contents of the magnetic stripe of a credit card or debit card, or of any single track of such stripe, or the CVC2/CVV2/CID of any such card or the PIN or PIN block of any such card, (iii) implement, maintain and adhere to, and produce to the Massachusetts Attorney General’s Office, a written information security program under 201 CMR § 17.00, (iv) review the scope of its security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information under 201 CMR § 17.03(i), (v) implement security password management for portions of its computer system that store, process or transmit personal information (including its Micros Point of Sale computer systems), (vi) implement security password management where each person with access to its computer networks is assigned a unique ID and (vii) segment appropriately from the rest of its computer system the network‐based portions that store, process or transmit personal information, by firewalls, access controls or other appropriate measures. The Briar Group also was required to pay $110,000 in civil penalties to Massachusetts.</p>
<p>Finally, the Briar Group must contact a Qualified Incident Response Assessor to investigate a suspected data compromise if it receives notice from a credit card company, payment card processing company, bank or law enforcement agency requiring a forensic audit of its Point of Sale Systems and related infrastructure because a Common Point of Purchase or similar analysis linked fraudulent transactions to Briar Group establishments. If the Briar Group is unable to conclude whether a data compromise has occurred within 14 days of retaining a Qualified Incident Response Assessor, the Briar Group will (i) post conspicuous notice in each of its potentially affected establishments alerting customers that their debit cards and credit cards might be at risk due to a suspected data compromise and (ii) provide a copy of this consumer notice to the Massachusetts Attorney General’s Office.</p>
<p>Melissa J. Krasnow is a partner in the Corporate Group of Dorsey &amp; Whitney LLP who also is a Certified Information Privacy Professional and serves on the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>	1	Commonwealth of Massachusetts v. Briar Group, LLC, Civ. No. 11‐1185B, Consent Judgment (Mass. Sup. Ct. Mar. 28, 2011).<br />
	2	201 CMR § 17.00 et seq. (For additional information about the Massachusetts privacy regulation, please see Melissa J. Krasnow, Final Massachusetts Privacy Regulation: What is Required and How to Comply, Bloomberg Law Reports ‐ Risk &amp; Compliance, Vol. 2, No. 12 (Dec. 2009).)<br />
	3	Minn. Stat. § 325E.64; Nev. Rev. Stat. § 603A.215; Rev. Code Wash. § 19.255.020. (For additional information about the Nevada and Washington laws, please see Melissa J. Krasnow, Revised Nevada Privacy Law Furthers Encryption and Payment Card Law Trends, Bloomberg Law Reports ‐ Technology Law, Vol. 1, No. 3 (Aug. 24, 2009), and Washington Continues the Trend of Encryption and Payment Card Laws, Bloomberg Law Reports ‐ Privacy Law, Vol. 3, No. 5 (June 2010).)<br />
	4	Mass. Gen. Laws ch. 93A § 2.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/massachusetts-attorney-general-enforcement-action-data-breach-the-massachusetts-privacy-regulation-and-the-payment-card-industry-data-security-standard-pci-dss/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Can a Labor Union Be Sued Under the Computer Fraud and Abuse Act for Spamming an Employer’s Voice and Email Systems?</title>
		<link>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems</link>
		<comments>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems#comments</comments>
		<pubDate>Mon, 08 Aug 2011 15:02:03 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=1008</guid>
		<description><![CDATA[The answer is yes. The Sixth Circuit Court of Appeals last week reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails making it impossible for the company to communicate with its customers and vendors. Pulte Homes, Inc v. Laborers’ International Union of North America, 2011 WL 3274014 (6th Cir. Aug 2, 2011). This case is a good example of how the federal Circuit Courts of Appeal are taking control of the interpretation &#8230; <a href="http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>The answer is yes.  The Sixth Circuit Court of Appeals last week reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails making it impossible for the company to communicate with its customers and vendors.  <em>Pulte Homes, Inc v. Laborers’ International Union of North America</em>, 2011 WL 3274014 (6th Cir. Aug 2, 2011).  This case is a good example of how the federal Circuit Courts of Appeal are taking control of the interpretation of the scope of the CFAA away from the district courts and applying it expansively to protect computer technology.</p>
<p>“To generate a high volume of calls, . . . [the Union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder].  It also encouraged its members, through postings on its website, to &#8220;fight back&#8221; by using . . . [the Union’s] server to send e-mails to specific Pulte executives.  Most of the calls and e-mails concerned Pulte&#8217;s purported unfair labor practices, though some communications included threats and obscene language.”  <em>Id</em>. at *1.</p>
<p>As the court pointed out, “it was the volume of the communications, and not their content, that injured Pulte. The calls clogged access to Pulte&#8217;s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte&#8217;s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte&#8217;s employees could not access business-related e-mails or send e-mails to customers and vendors.”  <em>Id.</em></p>
<p>“Four days” into the onslaught, “Pulte&#8217;s general counsel contacted” the union and requested that they “stop the attack because it prevented Pulte&#8217;s employees from doing their jobs.”  <em>Id</em>.  When the Union ignored his request, the company filed suit for, among other things, a violation of the CFAA for “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.&#8221; 18 U.S.C. § 1030(a)(5)(A).  The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.&#8221;  <em>Id</em>. § 1030(e)(8).</p>
<p>The court, relying on the plain meaning of the terms “impairment,” “integrity,” and “availability,” concluded “that a transmission that weakens a sound computer system&#8211;or, similarly, one that diminishes a plaintiff&#8217;s ability to use data or a system&#8211;causes damage.” <em>Id</em>. at *4.  Here, the court found that the complaint alleged “just that” – “the transmissions diminished Pulte&#8217;s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails.”  <em>Id.</em></p>
<p>The court also found that the complaint alleged that the Union acted with the requisite intent under the statute to intentionally cause damage.  The court summed up the allegations in the complaint that showed that the Union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system”:</p>
<blockquote><p>(1)	The union “instructed its members to send thousands of e-mails to three specific Pulte executives; (2) many of these e-mails came from . . . [the union’s] server; (3) . . . [the Union] encouraged its members to &#8220;fight back&#8221; after Pulte terminated several employees; (4) . . . [the union] used an auto-dialing service to generate a high volume of calls; and (5) some of the messages included threats and obscenity.  And although Pulte appears to use an idiosyncratic e-mail system, it is plausible . . . [the union] understood the likely effects of its actions&#8211;that sending transmissions at such an incredible volume would slow down Pulte&#8217;s computer operations. . . . [The Union’s] rhetoric of &#8220;fighting back,&#8221; in particular, suggests that such a slow-down was at least one of its objectives.<br />
<em>Id</em>. at *6.</p></blockquote>
<p>This case is reflective of the pattern that has emerged over the past few years in the judicial interpretation of the CFAA.  The district courts have interpreted the CFAA narrowly, sometimes limiting it only to outside computer hacking, while the appeals courts have continued to interpret the statute broadly as a true federal omnibus computer crime statute outlawing all criminal activity directed at computers and computer systems.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/can-a-labor-union-be-sued-under-the-computer-fraud-and-abuse-act-for-spamming-an-employer%e2%80%99s-voice-and-email-systems/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Legal Minds Interview with Nick Akerman</title>
		<link>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman</link>
		<comments>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman#comments</comments>
		<pubDate>Fri, 29 Jul 2011 14:19:36 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Press]]></category>
		<category><![CDATA[LegalMinds Digital Magazine]]></category>
		<category><![CDATA[LegalMinds TV]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=920</guid>
		<description><![CDATA[LegalMinds® Interviews Nick Akerman, summer 2001, vol. 2, no. 1 &#8220;In this exclusive LegalMinds® interview, Akerman discusses recent developments related to data security, identity theft, workplace and customer privacy issues, disclosure obligations and compliance with state laws and federal statutes, as well as several recent Supreme Court decisions that can have a significant impact on your internal policies and procedures.&#8221; Starts on Page 17. View the Video: The Legal Challenges of Privacy, Computer Fraud and Data Security &#8220;While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital &#8230; <a href="http://computerfraud.us/press/legal-minds-interview-with-nick-akerman">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.legalmindsmagazine.com/legalmindsmagazine/summer2011#pg1"><img class="size-medium wp-image-922 alignleft" title="legalminds-2011-cover" src="http://computerfraud.us/files/2011/07/legalminds-2011-cover-231x300.jpg" alt="LegalMinds®  Digital Magazine, Summer 2011" width="231" height="300" /></a><a href="http://www.legalmindsmagazine.com/legalmindsmagazine/summer2011#pg1" target="_self">LegalMinds® Interviews Nick Akerman</a>, summer 2001, vol. 2, no. 1</p>
<p>&#8220;In this exclusive LegalMinds® interview, Akerman discusses recent developments related to data security, identity theft, workplace and customer privacy issues, disclosure obligations and compliance with state laws and federal statutes, as well as several recent Supreme Court decisions that can have a significant impact on your internal policies and procedures.&#8221;</p>
<p>Starts on Page 17.</p>
<hr /><p><a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/"><img class="size-medium wp-image-925 alignleft" title="legalminds-video" src="http://computerfraud.us/files/2011/07/legalminds-video-300x184.jpg" alt="Legal Minds Video" width="231" height="115" /></a>View the Video: <a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/">The Legal Challenges of Privacy, Computer Fraud and Data Security</a></p>
<p>&#8220;<em>While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital Age they can easily take other vital and proprietary assets in their pocket with them. Read the blog post at <a href="http://legalminds.tv/index.php/current-legal-video-interviews/the-legal-challenges-of-privacy-computer-fraud-and-data-security/">LegalMinds TV</a></em>&#8221;</p>
<hr />
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/press/legal-minds-interview-with-nick-akerman/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will News Corp. Executives and Reporters Be Charged with Criminal Violations of the Computer Fraud and Abuse Act?</title>
		<link>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2</link>
		<comments>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2#comments</comments>
		<pubDate>Fri, 22 Jul 2011 21:46:42 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=913</guid>
		<description><![CDATA[The New York Times recently reported that the UK telephone hacking scandal could result in News Corp. and its executives being charged in the United States with criminal violations of the Foreign Corrupt Practices Act, Title 15, U.S.C. § 78m, the Electronic Communications Privacy Act, 18 U.S.C. § 2511, and the Telephone Records and Privacy Protection Act, 18 U.S.C. § 1039. See NYT, &#8220;News Corp. Braces for Legal Trouble in the U.S.,&#8221; July 18, 2011. What the New York Times, as well as all of the politicians and pundits who have commented on this issue, failed to mention is that &#8230; <a href="http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>The <em>New York Times</em> recently reported that the UK telephone hacking scandal could result in News Corp. and its executives being charged in the United States with criminal violations of the Foreign Corrupt Practices Act, Title 15, U.S.C. § 78m, the Electronic Communications Privacy Act, 18 U.S.C. § 2511, and the Telephone Records and Privacy Protection Act, 18 U.S.C. § 1039.  See <em>NYT</em>, &#8220;News Corp. Braces for Legal Trouble in the U.S.,&#8221; July 18, 2011.  What the New York Times, as well as all of the politicians and pundits who have commented on this issue, failed to mention is that the federal Computer Fraud and Abuse Act (“CFAA”) is the federal criminal statute that most neatly fits the alleged crimes of hacking into voice mails and telephone records.  Title 18, U.S.C. §1030.</p>
<p>The CFAA is the omnibus federal computer crime statute that, among other things, makes it a crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains  . . . information from any protected computer.”  §1030(a)(2)(C).  There is little doubt that the information News Corp.’s reporters allegedly obtained, the voice mails and telephone records, consisted of data files from computers, and there is also no question that the access to the computers through which the News Corp. reporters allegedly obtained the voice mails and telephone information was not authorized.</p>
<p>The CFAA’s definition of a &#8220;computer&#8221; covers every conceivable type of computer.  §1030(e)(1).  As the defendant correctly claimed in <em>U.S. v. Mitra</em>, 405 F.3d 492, 495 (8th Cir. 2005), “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.”  Thus, whatever type of device the News Corp. reporters retrieved the voice mails and other personal information from, it almost certainly qualifies as a computer under the CFAA.</p>
<p>As stated above, to be guilty of the crime the reporter must not only have accessed a computer; the information must also have been obtained from a “protected computer,” defined by the CFAA as a computer “used in interstate or foreign commerce or communication.”  §1030(a)(2)(B).  But what is of particular relevance to the News Corp. situation is that this definition extends to any computer “located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”  In other words, any computer anywhere in the world that communicates with the United States through email is subject to the CFAA and can form the basis for a criminal prosecution in the United States.</p>
<p>While it is theoretically possible that a News Corp. reporter could be charged with criminal violations of the CFAA for accessing a computer in the UK, it is highly unlikely that the Department of Justice would prosecute a case that thus far appears to be solely a UK crime.  However, to the extent the current FBI investigation uncovers evidence of any U.S. connection such as the alleged retrieval of voice mails from 9/11 victims, the CFAA is likely to be the Justice Department’s criminal statute of choice for the News Corp. reporters and executives who initiated the hacking.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/will-news-corp-executives-and-reporters-be-charged-with-criminal-violations-of-the-computer-fraud-and-abuse-act-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Largest Expansion of Domain Name System in History: New Domain Name Plan Approved by ICANN on June 20, 2011</title>
		<link>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011</link>
		<comments>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011#comments</comments>
		<pubDate>Tue, 21 Jun 2011 14:56:14 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=894</guid>
		<description><![CDATA[By Jamie M. Nafziger, partner Dorsey &#38; Whitney Yesterday, ICANN approved the launch of its new generic top level domain name (gTLD) plan.  It will accept applications for new gTLDs from January 12, 2012, to April 12, 2012.  Under ICANN’s plan, anyone can apply to own and manage a gTLD, the part after the dot.  However, the expense for doing so is expected to exceed $500,000 over the first eighteen to twenty-four months, with significant yearly expenses thereafter. This move follows years of ICANN wrangling with brand owners and governments over opposition to the plan.  It is expected that the &#8230; <a href="http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>By Jamie M. Nafziger, partner Dorsey &amp; Whitney</p>
<p>Yesterday, ICANN approved the launch of its new generic top level domain name (gTLD) plan.  It will accept applications for new gTLDs from January 12, 2012, to April 12, 2012.  Under ICANN’s plan, anyone can apply to own and manage a gTLD, the part after the dot.  However, the expense for doing so is expected to exceed $500,000 over the first eighteen to twenty-four months, with significant yearly expenses thereafter.</p>
<p>This move follows years of ICANN wrangling with brand owners and governments over opposition to the plan.  It is expected that the new gTLDs will not be functioning until 2013.  Even if brand owners do not want to acquire their own gTLD, there will be several relevant periods for defensively protecting their brands.  The first will be protecting their brands from being registered as gTLDs by others.  The second will involve defensively protecting their brands as second level domain names in the new gTLDs. The final ICANN plan includes a trademark clearinghouse, a uniform rapid suspension system (URS) and a post-delegation dispute resolution procedure (PDDRP), all of which can be used by brand owners to help protect their brands. One controversial aspect of the draft plan that would require brand owners to prove use of their trademarks before they could be included in the trademark clearinghouse was maintained in the final plan approved by the ICANN Board.</p>
<p>Dorsey &amp; Whitney’s Trademark, Copyright and Brand Management Group would be pleased to assist your company in planning for the new gTLD launch. If you have questions, please contact Jamie M. Nafziger at nafziger.jamie@dorsey.com.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/largest-expansion-of-domain-name-system-in-history%c2%a0new-domain-name-plan-approved-by-icann-on-june-20-2011/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Practical Steps in Responding to a Data Breach</title>
		<link>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach</link>
		<comments>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach#comments</comments>
		<pubDate>Thu, 05 May 2011 21:18:19 +0000</pubDate>
		<dc:creator>Nick Akerman</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://computerfraud.us/?p=891</guid>
		<description><![CDATA[By Nick Akerman and Melissa Krasnow. Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey &#38; Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board. What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in &#8230; <a href="http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach">[ Continue reading <span class="meta-nav">&#8594;</span> ]</a>]]></description>
				<content:encoded><![CDATA[<p>By Nick Akerman and Melissa Krasnow.<br />
Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey &amp; Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board.</p>
<p>What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data?  California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach.  Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft.  This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.</p>
<p>The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data.  See, e.g., Calif. Civ. Code §1798.82.  Some states also necessitate determining whether there is a “risk of harm” from the breach to such individuals.  See, e.g., Conn. Gen. Stat. §36a-701b(b).  These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account.  A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f).  When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information.  45 CFR Parts 160 and 164, Subpart D.  The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.</p>
<p>Enforcement of these state laws varies.  The California law provides for lawsuits by private individuals who have been injured by virtue of not being notified.  Calif. Civ. Code §1798.84(b).  A number of states like New York and Minnesota charge the State Attorney General with enforcement.  N.Y. Gen. Bus. Law  §899-aa6(a); M.S.A.  §325E.61.  Finally, some state laws provide for fines of varying amounts.  N.Y. Gen. Bus. Law §899-aa6(a); Fla. Stat. Ann §817.5681(1)(b). </p>
<p>There is no foolproof way to guard against computer hackers or the theft of an employee laptop.  One preventive measure that minimizes the risk of a data breach is to establish a data compliance program, which a recent Massachusetts privacy regulation requires.  201 CMR 17.00 et seq.  Such a program mandates appointing a security coordinator, establishing security policies, minimizing the risks posed by employees and third parties that have contact with the company’s personal data, training the workforce, regularly auditing the program, enforcing the policies, and establishing protocols for responding to data incidents and breaches.</p>
<p>A key component of this proactive approach is encrypting personal data, so that if the data are compromised they are not automatically exposed and cannot be easily deciphered.  The state notification laws generally do not apply when the personal data involved in a breach are encrypted.  The Massachusetts privacy regulation also requires all personal data to be encrypted when transmitted via the Internet or wirelessly, or when stored on laptops or other portable devices.  201 CMR 17.04.</p>
<p>A company must stand ready to respond once it becomes aware, or is informed, of a possible or actual data incident or breach.  There should be a mechanism for reporting a possible or actual data incident or breach, and employees should be sensitized to its importance.  Time is of the essence in determining whether a data breach has occurred or is likely to occur, and whether notification is required or advisable.  If notification is required or advisable, providing it must also be done quickly.  Although a number of states, such as California, provide leeway by requiring that notice be given in the “most expedient time possible and without unreasonable delay,” other states, such as Wisconsin, specify a more precise time period.  Calif. Civ. Code §1798.82(a); Wis. Stat. §134.98.</p>
<p>The distinction between suspecting that a data breach may have occurred and having a “reasonable basis” to believe that a breach actually occurred, which triggers the notification obligation, has practical consequences.  For example, the fact that two Web site customers complain within 24 hours that someone used their credit card information to buy merchandise on other Web sites does not necessarily mean that your company’s Web site was breached.  It is suspicious, and it should cause your company to investigate whether the site was breached or whether the complaints were simply a coincidence having nothing to do with the integrity of the company’s Web site.</p>
<p>For that reason, it is critical that your company be investigation-ready before the issue arises.  Being investigation-ready means selecting in advance the person or firm who will conduct the investigation of the company’s computer network and equipment.  That computer investigator should be forensically trained, experienced in testifying in court, and credible with the government agencies the company may ultimately have to convince that it acted properly and reasonably, particularly if the investigation concludes that there is no factual basis to find that a data breach occurred.</p>
<p>State laws generally permit notification to “be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.”  See, e.g., Calif. Civ. Code §1798.82(c).  Notifying law enforcement of a data breach has three practical effects: it may delay when notification must be made; it is a common element of the notifications sent to state attorneys general, regulators and affected individuals; and it sends a message to affected individuals that your company is taking an important step to protect them.</p>
<p>If a data breach is determined to have occurred and notification of affected individuals is determined to be required or advisable, the differing state law requirements for the content of the notification must be considered.  One notable example is that the Massachusetts law does not permit the notification to affected individuals to describe “the nature of the breach.”  Instead, the notification must advise about “the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.”  Mass. Gen. Laws, Ch. 93H, §3(a).  For a breach involving medical information that is also determined to be a breach of protected health information under the HITECH Act, the HITECH notification requirements must be addressed as well.</p>
<p>In addition to notifying affected individuals, a company must also notify state attorneys general, state regulators or consumer reporting agencies under some state laws.  New York and North Carolina each require a particular notification to the State AG, and New York also requires a particular notification to the New York Consumer Protection Board and the Office of Cyber Security.  N.C. Gen. Stat. §75-65(f); N.Y. Gen. Bus. Law §899-aa(8)(a).  New Jersey requires notification to the state police.  N.J. Stat. §56:8-163(c).</p>
<p>Because these notifications are likely to be publicized in the press and on the Internet, they should be drafted accordingly.  For example, notifications sent to the New Hampshire Attorney General are automatically posted on the state attorney general’s Web site (http://doj.nh.gov/consumer/breaches.html).  Although not required by law, it is common to include in the notifications an offer of free identity-theft protection services.  Public companies should also consider whether disclosure should be made in their filings with the U.S. Securities and Exchange Commission.</p>
<p>Finally, a company’s responsive actions to the data incident or breach should be carefully documented.  If questioned by a regulator or sued, the company must be able to explain credibly the cause of the incident or breach and the basis for its determination of whether notification should be made.  The Massachusetts regulation and best practices also dictate that a company conduct a post-incident review to analyze lessons learned, to prevent future incidents and breaches, and to make any needed changes to the company’s practices for protecting personal data, including how it becomes aware of and responds to a data incident or breach.</p>
<p>There have been calls for data-breach notification to be made more uniform and the subject of a federal law.  Recently, the U.S. Department of Commerce issued a green paper on privacy recommending consideration of a comprehensive commercial data-breach framework for electronic records that includes notification provisions, encourages companies to implement strict data-security protocols, and allows states to build upon the existing framework in limited ways, tracking the effective protections found in the state laws.  Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010).  But until a federal data-breach law that pre-empts the state laws is enacted, the state laws must continue to be followed.</p>
Nick Akerman,<br /><a href="mailto:Akerman.Nick@dorsey.com">Akerman.Nick@dorsey.com</a>]]></content:encoded>
			<wfw:commentRss>http://computerfraud.us/articles/practical-steps-in-responding-to-a-data-breach/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
