The recent decision in Allied Portables v. Youmans from the U.S. District Court for the Middle District of Florida underscores the need for businesses to establish explicit, well-advertised written policies identifying the scope of permissible employee access to company computers. Absent such policies, employers may be precluded from using the civil remedy in the federal computer crime statute, the Computer Fraud and Abuse Act, to sue employees who steal or destroy data from a company computers.
Allied properly recognized that for a CFAA claim to succeed, the plaintiff employer must be able to show the critical element that the defendant employee accessed a company computer by exceeding the authorized access to the computer.
Author: Melissa Krasnow Organizations are preparing for data incidents and breaches by developing, updating, implementing, and testing incident response plans. This article provides a checklist of key components of an incident response plan. Following are items from state and federal sources of guidance: “Best Practices for Victim Response and Reporting of Cyber Incidents”(April 2015) issued… Read More
Washington State Governor Jay Inslee signed legislation making Washington among the five US states with the most rigorous data breach notification laws enacted to date. Washington joins Florida, Ohio, Vermont, and Wisconsin in imposing strict and specific obligations on any business that has suffered a data breach. The new law is effective July 24, 2015.
Guest Blogger Peter S. Vogel is a trial partner at Gardere Wynne Sewell LLP where he is Chair of the eDiscovery Group and the Internet, eCommerce, & Technology Team, and before practicing law he worked as a systems programmer, received a Masters in Computer Science, and taught graduate courses in information systems. In addition to… Read More
On January 2015, the Obama administration announced a series of proposals to strengthen the country’s response to cyberattacks including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). These changes are not only significant to the cyber crime-fighting efforts of federal prosecutors, but also to private companies. This is because the CFAA allows companies victimized by violations of the statute to bring civil actions against the perpetrators. 18 U.S.C. 1030(g). The CFAA, among other things, makes it a crime when an individual “accesses” a computer “without authorization or exceeds authorized access” to steal data.
The duty of a board to monitor and oversee organizational risk includes cyberrisks. As cyberrisks and incidents proliferate, boards are seeking to enhance the information they receive about cyberrisks and incidents. One development boards should be aware of is the decision in the Palkon v. Holmes directors and officers (D&O) litigation (2014 U.S. Dist. LEXIS 148799 (D.N.J. Oct. 20, 2014)).
The Obama Administration has just released the proposed text of the Personal Data Notification & Protection Act as the latest step in its uniform federal breach notification initiative. Similar legislative efforts in the past have been unsuccessful, but there remains interest in federal legislation that would eliminate the need to navigate the patchwork of 47 different state breach notification laws. This article will highlight how the proposed federal law compares to most state breach notification requirements, and how it may impact businesses as a practical matter.
The fundamental shift for businesses in the past 15 years from paper documents to computer data has forced the courts to decide whether intangible electronic data should enjoy the same legal protections as physical property.
Because of this shift, it is important to review the judicial response to the electronic-data issue in the context of a federal criminal statute, the National Stolen Property Act (NSPA), and common law conversion.
The NSPA makes it a felony for one who “transports, transmits, or transfers in interstate or foreign commerce any goods, wares, merchandise … of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” Conversion is the state civil cause of action for the theft of property.
Continuing the trend of changes in state breach notification and related laws, Cal. A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws in the wake of significant data breaches, particularly in the retail sector. (See “Changes in State Breach Notification Laws.”)
As data breaches continue to occur, breach notification laws are being amended or enacted. In the United States, state and federal breach notification laws should be monitored carefully regarding changes, as should breach notification laws in other countries (e.g., Canada).
As of July 15, 2014, 47 states (other than Alabama, New Mexico, and South Dakota) plus the District of Columbia, Guam, Puerto Rico, and Virgin Islands have breach notification laws. This article addresses changes in state breach notification laws.