In LVRC Holdings LLC v. Brekka, 581 F.3d 1127, (9th Cir. 2009) the employee emailed to himself competitively sensitive data so he could use it to compete against his current employer. Disagreeing with Citrin, the 9th Circuit refused to hold that an employee’s authorization to access the company computer is based on the law of agency. Instead, the court held that the Computer Fraud and Abuse Act did not apply to the theft because an employee cannot act “without authorization” because his employer gave his “permission to use” the company computer. Id. at 1133. Read relevant article.
Month: February 2010
Citrin 7th Circuit
In International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) the court held that an employee was liable under the Computer Fraud and Abuse and the employee’s “authorization to access the [company] laptop terminated, when, . . . [the employee] resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.” Read Relevant Article.
Massachusetts Privacy Reg Now Effective
What Is Required and How to Comply
Contributed by: Melissa J. Krasnow, Dorsey & Whitney LLP
The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) recently issued the final version of the Massachusetts privacy regulation (Regulation). This article provides a summary of this Regulation, which applies to each person or entity that owns or licenses personal information about a Massachusetts resident (Covered Entity) “Owns or licenses” means receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. “Personal information” means a Massachusetts resident’s first and last name or first initial and last name in combination with a (i) Social Security Number; (ii) driver’s license or state-issued identification card number or (iii) financial account number. According to the MOCABR, this Regulation is not preempted if a Covered Entity complies with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act requirements. Consequently, this Regulation could apply to any type of business.
A Covered Entity must be in full compliance with this Regulation on or before March 1, 2010, including developing, implementing and maintaining a comprehensive, written information security program applicable to records containing personal information (Program).
This Regulation establishes minimum standards for safeguarding personal information in paper and electronic records. The Program must be written in one or more readily accessible parts and contain administrative, technical and physical safeguards consistent with the safeguards for protection of personal information and information of a similar character in any state or federal regulations to which the Covered Entity may be regulated.
The safeguards must be appropriate to (i) the size, scope and type of business of the Covered Entity; (ii) the amount of resources available to the Covered Entity; (iii) the amount of stored data and (iv) the need for security and confidentiality of both consumer and employee information.
The Regulation requires a Covered Entity to take the following action:
1. Designate one or more employees to maintain the Program;
2. Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any electronic, paper or other records containing personal information, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting these risks (e.g., ongoing temporary, contract and regular employee training, employee compliance with policies and procedures and means for detecting and preventing security system failures);
3. Develop security policies for employees relating to the storage, access and transport of records containing personal information outside of business premises;
4. Impose disciplinary measures for violations of the Program;
5. Prevent terminated employees from accessing records containing personal information;
6. Take reasonable steps to select and retain third-party service providers (i.e., any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a Covered Entity) that are capable of maintaining appropriate security measures to protect such personal information consistent with this Regulation and any applicable federal regulations;
7. Require third-party service providers by contract to implement and maintain appropriate security measures for personal information (though a contract a Covered Entity has entered into no later than March 1, 2010 with a third-party service provider satisfies this provision even if the contract does not include a requirement that the third-party service provider maintain such appropriate safeguards, until March 1, 2012);
8. Implement reasonable restrictions on physical access to records containing personal information and store the records and data in locked facilities, storage areas or containers;
9. Regularly monitor to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and upgrade information safeguards as necessary to limit risks;
10. Review the scope of the security measures at least annually or when there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
11. Document responsive actions taken when a data security breach incident occurs and conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of personal information; and
12. Establish and maintain a security system, covering its computers and any wireless system, for a Covered Entity, which, at a minimum and to the extent technically feasible (i.e., if there are reasonable means through technology to accomplish a required result):
a.) secures user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (e.g., biometrics or token devices); (iii) control of data security passwords to ensure that these passwords are kept in a location or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or limiting access for the particular system;
b.) has secure access control measures that (i) restrict access to records and files containing personal information to those who need personal information to perform their job duties and (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
c.) encrypts (i.e., transforms data into a form in which meaning cannot be assigned without the use of a confidential process or key) all transmitted records and files containing personal information that will travel across public networks, and encrypts all data to be transmitted wirelessly;
d.) has reasonable monitoring of systems for unauthorized use of or access to personal information;
e.) encrypts all personal information stored on laptops or other portable devices;
f.) includes reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, reasonably designed to maintain the integrity of the personal information;
g.) has reasonably up-to-date versions of system security agent software, which includes malware protection and reasonably up-to-date patches and virus definitions or a version of this software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and
h.) educates and trains employees on the proper use of the computer security system and the importance of personal information security.
The statute under which this Regulation was issued provides for enforcement by the Massachusetts Attorney General.
Companies that are developing or have developed comprehensive, written information security programs need to revisit what they have done thus far to make sure it complies with the Regulation, and whether it is subject to the Nevada encryption law. Under the Nevada encryption law, a company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services. This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data. The compliance deadline for the Nevada encryption law is January 1, 2010.
Other companies immediately need to determine whether they are covered by the Regulation. Their compliance efforts should begin now if they determine that they are covered. Finally, companies that determine that they are not covered typically prepare a written summary of their determination.
Time to Review Corporate Computer Policies
THE PRACTICECommentary and advice on developments in the law
Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee’s permissible accessto the company computers. This article will discuss these three decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.
Two of these recent decisions—Quon v. Arch Wireless Operating Co. Inc., 529 F.3d 892 (9th Cir. 2008), cert. granted, 2009 WL 1146443 (2009), and Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (N.J. App. Div. 2009)—af fect a company’s ability to gather evidence from its own computers. Both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for per sonal reasons. Whether an employee has an expectation of privacy on the company com puters can become a critical issue when it is suspected that an employee may have stolen corporate data.
In Quon, the U.S. Court of Appeals for the 9th Circuit held that a review of text mes sages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. Although the city had no express policy “directed to text mes saging by use of the pagers,” it did have a general “Computer Usage, Internet and E-Mail Policy” applicable to all employees that limited the “use of City-owned com puters and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business.
The policy warned that “[t]he use of these tools for personal benefit is a sig nificant violation of” city policy, that “[a]ccess to all sites on the Internet is record ed and will be periodically reviewed by the City,” that the city “reserves the right to moni tor…all network activity, including email and Internet use,” and that “[u]sers should have no expectation of privacy or confidentiali ty when using these resources.” The policy also warned against using “these systems…for personal or confidential communications” because the information produced on the sys tem “is considered City property.” This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers.
The 9th Circuit affirmed the district court’s finding that Jeff Quon had a reason able expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department where the staff were told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Id. Consistent with that informal pol icy, Quon had exceeded that limit “ ‘three or four times’ and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘infor mal policy’ and that Quon reasonably relied on it.”
In Stengart, the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communi cate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found numerous e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”
The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.
The third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act (CFAA) to retrieve the stolen data and pre vent its dissemination in the marketplace. The CFAA, the federal computer crime stat ute, provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g). A critical element in proving most CFAA claims is that the violator accessed the com puter “without authorization” or “exceed ing authorized access.”
THE ISSUE OF PERMISSIBLE ACCESS
That case, LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. Until Brekka, no other circuit court had disagreed with the 7th Circuit’s holding in Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company comput ers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without autho rization” because their employer gave them “permission to use” the company computer.
Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, from an employ er’s standpoint it is important to empha size that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predi cate for unauthorized access by promulgating the rules of access through company policies. The “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explic itly what is forbidden” through a compliance code or an employee handbook or through employee agreements. See Cont’l Group Inc. v. KW Property Mgmt., 622 F. Supp. 2d 1357 (S.D. Fla. 2009); EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).
In designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are com pany property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Muick v. Glenarye Electronics, 280 F.3d 741, 743 (7th Cir. 2002). Nonetheless, in light of Quon, Stengart and Brekka, a company should review its computer policies to ensure that they do the following:
- Clearly define the computer systems cov ered by the policy; expressly encompass what ever technology is used, such as text mes saging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.
- Make clear that all data created in fur therance of any personal use belongs to the company—including use of the company systems to access personal Web-based e-mail accounts—and may be monitored by the company and will not be confidential.
- Reflect operational reality and are audited at least annually to ensure they reflect operational reality.
- Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.
The time to get this right is now before the company finds itself the victim of a data theft.
Verdict in MySpace Suicide Case
November 27, 2008
Verdict in MySpace Suicide Case
By JENNIFER STEINHAUER
LOS ANGELES — A federal jury here issued what legal experts said was the country’s first cyberbullying verdict Wednesday, convicting a Missouri woman of three misdemeanor charges of computer fraud for her involvement in creating a phony account on MySpace to trick a teenager, who later committed suicide.
The jury deadlocked on a fourth count of conspiracy against the woman, Lori Drew, 49, and the judge, George H. Wu of Federal District Court, declared a mistrial on that charge.
Although it was unclear how severely Ms. Drew would be punished — the jury reduced the charges to misdemeanors from felonies, and no sentencing date was set — the conviction was highly significant, computer fraud experts said, because it was the first time that a federal statute designed to combat computer crimes was used to prosecute what were essentially abuses of a user agreement on a social networking site.
Under federal sentencing guidelines, Ms. Drew could face up to three years in prison and $300,000 in fines, though she has no previous criminal record. Her lawyer has asked for a new trial.
In a highly unusual move, Thomas P. O’Brien, the United States attorney in Los Angeles, prosecuted the case himself with two subordinates after law enforcement officials in Missouri determined Ms. Drew had broken no local laws.
Data Protection Strategies
Technology poses a special risk to companies whose businesses depend on such valuable competitive data. With just a couple of mouse clicks or through the use of a thumb drive that can be slipped into a pocket, an employee can easily remove from the workplace what amounts to multiple file cabinets worth of documents. Last year, for example, I represented a client where the data at issue was worth more than $1 billion in business to the company. The employees in that case removed the data from the company by simply downloading it to several compact disks and e-mailing it to their home e-mail addresses. I also represented a company in a case involving the theft of data relating to government contracts worth hundreds of millions of dollars where the stolen data was used to divert the business to a major competitor. The data in that case was removed on floppy disks. In addition to traditional lawsuits that can last a year or two through discovery and trial, a major part of my practice is filing emergency court actions for injunctive relief—temporary restraining orders and preliminary injunctions—to seek the immediate return of competitively sensitive data that is stolen from a company. In those cases, the client suddenly discovers that a trusted employee has taken valuable data to a competitor. In response, I go into action marshalling the evidence, drafting the necessary court papers, and within a day or two find myself appearing before a judge asking for the immediate return of the data. These actions are important to my clients who cannot afford to have their competitive positions in the marketplace undermined by a competitor using their key information.
RICO and Data Thieves
The civil remedy in the Racketeer Influenced and Corrupt Organizations (RICO) statute, 18 U.S.C. 1961, et. seq., is not limited to the “archetypal, intimidating mobster.” Sedima SPRL v. Imrex Co. Inc., 473 U.S. 479, 498 (1985). There is no reason why RICO cannot apply to data thieves. RICO provides a significant remedial advantage over traditional remedies such as the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030(g), which directly outlaws the theft of data, and, like RICO, provides for a civil remedy. The CFAA, however, is limited to compensatory damages, whereas RICO provides for treble damages and attorney fees. 18 U.S.C. 1964(c). This article will review the elements of a civil RICO action as they apply to data theft and how to frame a successful RICO suit predicated on data theft.
To allege and prove civil RICO, a plaintiff “must show that he was injured by defendants’ (1) conduct (2) of an enterprise (3) through a pattern (4) of racketeering activity.” Sedima SPRL, 473 U.S. at 496. The threshold issue is whether the data thief was acting through a RICO “enterprise.” The statute defines enterprise as “any individual, partnership, corporation, association, or other legal entity, and any union or group of individuals associated in fact although not a legal entity.” 18 U.S.C. 1961(4). The enterprise and the defendant cannot be the same.
There must also be “some distinctness between the RICO defendant and the RICO enterprise.” Cedric Kushner Promotions Ltd. v. King, 533 U.S. 158, 163 (2001). In King, for example, the court held that “the need for two distinct entities is satisfied” when there is an individual defendant and the RICO enterprise is his wholly owned corporation. In the context of data theft the “enterprise” can be the victim company, the competing company, individuals that used the stolen data or an association- in-fact consisting of entities or individuals who participated in or benefited from the theft.
‘Racketeering activity’ can include acts of data theft
The element of “racketeering activity” is defined by the statute to include a specified list of state and federal crimes upon which the RICO action may be predicated. 18 U. S.C. 1961(1). A RICO plaintiff must allege and prove by a preponderance of the evidence that the defendant committed the criminal acts underlying the RICO count. The criminal acts that apply to data theft are mail fraud, 18 U.S.C. 1341; wire fraud, 18 U. S.C. 1343; and interstate transportation and receipt of stolen property, the value of which is $5,000 or more, 18 U.S.C. 2314, 2315.
The mail and wire fraud statutes outlaw schemes to defraud, the object of which is to steal property. That the property is intangible computer data “does not make it any less ‘property’ protected by the mail and wire fraud statutes.” Carpenter v. U.S., 484 U.S. 19, 26 (1987). The use of the mails or interstate wires, such as e-mailing from state to state in furtherance of the scheme, provides federal jurisdiction for the crime.
In contrast to the mail and wire fraud statutes, the courts disagree on whether intangible computer data can be the property stolen or received in violation of ßß 2314 and 2315. Relying on Dowling v. U.S., 473 U.S. 207 (1985), which refused to apply ß 2314 to bootlegged movies, U.S. v. Brown, 925 F.2d 1301, 1307-8 (10th Cir. 1991), held that computer information “is an intangible intellectual property” and is not “goods, wares or merchandise” within the meaning of ßß 2314 and 2315.
An exception exists, however, when, “there has been ‘some tangible item taken, however insignificant or valueless, it may be.’ ” U.S. v. Martin, 228 F.3d 1, 14-15 (1st Cir. 2000). Thus, if an employee steals data worth $5,000 or more from the company computers and also steals the disk upon which he stores the stolen data and takes the disk to another state, the theft violates ß 2314.
The 2d U.S. Circuit Court of Appeals rejects this distinction between tangible and intangible property and applies the statutes to the theft of computer data. For example, in U.S. v. Farraj, 142 F. Supp. 2d 484, 489 (S.D.N.Y. 2001), the court upheld the validity of a ß 2314 charge when a paralegal e-mailed across state lines his employer law firm’s confidential and proprietary trial plan. Because of this divergence in law, it is essential to check the appropriate circuit law before filing a RICO action predicated on violations of ßß 2314 or 2315.
Plaintiffs must also satisfy the ‘pattern’ requirement
A RICO plaintiff must also allege and prove that the criminal predicate acts constitute a “pattern.” The U.S. Supreme Court has defined “pattern” as more than simply the statutory requirement of “at least two acts of racketeering activity…within ten years.” 18 U.S.C. 1961(5). Based on the legislative history, the Supreme Court requires that the criminal acts predicating the RICO violation be “related,” and that “they amount to or pose a threat of continued criminal activity.” H.J. Inc. v. Northwestern Bell Tel. Co., 492 U.S. 229, 239 (1989).
The criminal acts are related if they “have the same or similar purposes, results, participants, victims, or methods of commission, or otherwise are interrelated by distinguishing characteristics and are not isolated events.” H.J. Inc. v. Northwestern Bell, 492 U.S. at 240. Relatedness among the predicate acts for stealing computer data can be shown if the object was to steal data from one or more victims for the purpose of using the victims’ data in competition or perpetrating identity theft. See, e.g., General Motors Corp. v. Arriortua, 948 F. Supp. 670, 673, 677-78 (E.D. Mich. 1996) (predicate crimes all related to theft of trade secrets, including those on computer disks from the same victim for use by a competitor).
In addition to the requirement that the criminal acts must be related, they must be continuous for there to be a valid RICO “pattern.” “Continuity is both a closed- and open-ended concept, referring either to a closed period of repeated conduct, or to past conduct that by its nature projects into the future with a threat of repetition.” H.J. Inc., 492 U.S. at 241. Continuity over a closed period must constitute related illegal activity over “a substantial period of time.” Id. at 242. While there is no bright-line test for determining precisely what period of time is “substantial,” ordinarily the predicate acts must have been committed for at least two years. Spool v. World Child Intern. Adoption Agency, 520 F.3d 178, 184 (2d Cir. 2008).
‘Minitab’: Plaintiff failed to allege open-ended pattern
The classic data theft is usually not concealed for two years but is discovered shortly after it occurs. Given that practical reality, the most common method to prove a “pattern” relating to data theft is to show open-ended continuity through “past criminal conduct that by its nature projects into the future with a threat of repetition.” U.S. v. Browne, 505 F.3d 1229, 1259 (11th Cir. 2007). There is a disagreement among the federal courts as to whether a threat of continuing criminal activity can be inferred from a theft of data. A recent federal district court case, Binary Semantics Ltd. v. Minitab Inc., No. 4:07-CV- 1750, 2008 WL 763575, at *4 (M.D. Pa. March 20, 2008), dismissed a RICO count based on the theft of trade secret data, holding that the plaintiff failed to allege an open-ended pattern.
The court refused to follow General Motors, 948 F. Supp. at 678, and Gould Inc. v. Mitsui Mining & Smelting Co., 750 F. Supp. 838, 842 (N.D. Ohio 1990), both of which upheld civil RICO counts on the basis that the theft of trade secrets does pose a threat of continuing criminal activity to use the stolen trade secrets. The Minitab decision was premised on the court’s belief “that the theft of trade secrets necessarily implies that they will be used” and relied on four district court cases that “reached conclusions contrary to General Motors and Gould.” Minitab, 2008 WL 763575, at *4.
Theft and use are distinct criminal acts
The principal flaw in Minitab, and certain of the cases upon which it relies, is that it improperly melds the theft and use of the trade secrets into a single crime, when theft and use are universally recognized as distinct criminal acts with the theft a precondition for use. For example, the Economic Espionage Act, 18 U.S.C. 1831(a)(1)(3), while not a RICO predicate, makes theft and possession separate crimes. This distinction also applies to a violation of the RICO predicates ß 2314 for theft of data and a violation of ß 2315 for possession of the stolen data. Indeed, “[w]hen the Supreme Court spoke of the threat of repetition, it was referring to the threat of repeated victimization…, not merely the retention of the ill-gotten fruits of previous crimes” and “the thief who steals a trade secret victimizes the owner every time the trade secret is used because the owner suffers a new loss with each use of the secret.” General Motors, 948 F. Supp. at 679.
That “threat of the unbridled continuation of the violation” supports a judicial finding of irreparable harm justifying the entry of a preliminary injunction. John G. Bryant Co. Inc. v. Sling Testing and Repair Inc., 369 A.2d 1164, 1167 (Pa. 1977). Similarly, a thief who steals data to commit identity theft later victimizes each person whose identity he or she steals. Given the Minitab opinion, it is critical in a RICO count predicated on data theft to allege in as much factual detail as possible the circumstances demonstrating why the theft will likely lead to further criminal activity and victimization and to allege this future criminal activity as separate and distinct violations of the federal criminal law.
Time to review corporate computer policies
Time to review corporate computer policies
The National Law Journal
February 1, 2010
PDF copy of original article: View The National Law Journal