The White House and its top security advisors are regularly advised about cyberintrusions and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra. In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards” Bhalotra went to say:
Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.
As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.
While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’ s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
In December, a divided panel of the U.S. Court of Appeals for the Second Circuit in U.S. v. Valle interpreted the Computer Fraud and Abuse Act to exclude employees who access their employer’s computers. The upshot is that if you are an employee in the Second Circuit and steal data from your employer to commit identity theft or to provide it to a competitor, you cannot be prosecuted by the Department of Justice or sued by your employer under the CFAA.
By: Ron Moscona, a partner in Dorsey & Whitney’s London Office The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner, that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is… Read More
The recent decision in Allied Portables v. Youmans from the U.S. District Court for the Middle District of Florida underscores the need for businesses to establish explicit, well-advertised written policies identifying the scope of permissible employee access to company computers. Absent such policies, employers may be precluded from using the civil remedy in the federal computer crime statute, the Computer Fraud and Abuse Act, to sue employees who steal or destroy data from a company computers.
Allied properly recognized that for a CFAA claim to succeed, the plaintiff employer must be able to show the critical element that the defendant employee accessed a company computer by exceeding the authorized access to the computer.
Have your client companies’ policies kept
pace with changes in the law affecting
computer technology? New statutes and court
decisions relating to computer technology
affect every business. Many companies
overlook opportunities to respond to these
new laws by adopting robust policies to
take advantage of the protections they
afford and to minimize the risks they pose.
This article will review three critical areas
of computer technology that should be
addressed by company policies: theft of data,
social networking and cloud computing.
Two recent district court opinions add to the caselaw providing judicial guidance on how employers might update their corporate computer policies to be able to sue ex-employees for stealing company data based on the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute. Title 18, U.S.C. §1030. This is a particularly significant problem… Read More
Last month I posted my article from the National Law Journal, entitled, “Time to Review Computer Policies,” discussing three recent cases, including LVRC Holdings LLC v. Brekka, 81 F.3d 1127, 1131 (9th Cir. 2009). I cited Brekka for the proposition that it is important to delineate the scope of an employee’s permissible access to the… Read More
THE PRACTICE Commentary on developments in the law Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of… Read More
THE PRACTICE Commentary and advice on developments in the law Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the… Read More