Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy...



This is a presentation by Shawn Tuma, an attorney in Plano, Texas, with expertise in the Computer Fraud and Abuse Act (CFAA). Tuma provides an overview and update on recent cases and legal issues involving the CFAA.

Transcript of Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy...

Page 1: Overview and Update on the Computer Fraud and Abuse Act (CFAA)  for the Data Security & Privacy Committee of State Bar of Texas

FRAUD 2.0

Overview and Update of the Computer Fraud and Abuse Act and A Few Lessons About Data Breaches

Shawn E. Tuma

www.brittontuma.com

Privacy, Data Security, and eCommerce Committee of the State Bar of Texas

August 28, 2013

Page 2

#fraud20

www.brittontuma.com

Page 3

when is the last time you heard of …

Page 4

NON-COMPUTER-RELATED FRAUD?

Page 5

The Statistics

2012 Cybercrime Statistics

• costs $110 billion annually

• 18 adults every second are victims

• 556,000,000 adults every year are victims

• 46% of online adults are victims

• mobile devices are trending

Source: 2012 Norton Cybercrime Report

Page 6

Fraud?

What is fraud?

• Fraud is, in its simplest form, deception

• Black’s Law Dictionary

  • all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth

Page 7

Fraud?

Traditional vehicles for fraud?

• verbal communication

• written communication

• in person

• through mail

• via wire

Page 8

What do computers do?

EFFICIENCY!

Page 9

FRAUD 2.0

Page 10

Fraud 2.0

Computer Fraud = Fraud 2.0

• Deception, through the use of a computer

• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”

• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks

• mouse and keyboard = modern fraudster tools of choice

Page 11

Fraud 2.0

Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?

90% (Ponemon Institute Study)

Page 12

BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)

Page 13

The Law!

Computer Fraud and Abuse Act

Federal Law – 18 U.S.C. § 1030

Page 14

History of CFAA

Page 15

History of CFAA

Page 16

Why?

Why is the Computer Fraud and Abuse Act important?

Primary Law for Misuse of Computers

Computers …

Page 17

Why Computers?

“Everything has a computer in it nowadays.”

– Steve Jobs

Page 18

WHAT IS A COMPUTER?

Page 19

What is a computer?

The CFAA says

“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”

IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”

In short: has a processor or stores data

Page 20

What is a computer?

What about . . .

Page 21

Anything with a microchip

The Fourth Circuit says

“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”

– United States v. Kramer

Page 22

What is a “protected” computer?

The CFAA applies only to “protected” computers

Protected = connected to the Internet

This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?

Any situations where these devices are connected?

Page 23

Perspective

• TI-99
  • 3.3 MHz Processor
  • 16 KB of RAM

• Leap Frog Leapster
  • 96 MHz Processor
  • 128 MB of RAM

• iPhone 5
  • 1.02 GHz Processor
  • 1 GB of RAM

Page 24

Perspective

66 MHz = fastest desktop in 80s

96 MHz = child’s toy today

250 MHz = fastest super computer in 80s

1.02 GHz = telephone today

Page 25

What is a computer?

Page 26

What is a computer?

Page 27

What is a computer?

no, I really mean seriously . . .

Page 28

WHAT DOES THE CFAA PROHIBIT?

Page 29

Statutory Language

CFAA prohibits the access of a protected computer that is

• Without authorization, or

• Exceeds authorized access

Page 30

Statutory Language

Where the person accessing

• Obtains information

• Commits a fraud

• Obtains something of value

• Transmits damaging information

• Causes damage

• Traffics in passwords

• Commits extortion

Page 31

Very Complex Statute

• Overly simplistic list

• Very complex statute

• Appears deceptively straightforward

• Many pitfalls

“I am the wisest man alive, for I know one thing, and that is that I know nothing.”

– Socrates

Page 32

Very Complex Statute

Two Most Problematic Issues

“Loss” Requirement

• Confuses lawyers and judges alike

Unauthorized / Exceeding Authorized Access

• Evolving jurisprudence

• Interpreted by many Circuits

• New conflict on April 10, 2012

Page 33

Civil Remedy

• Limited civil remedy

• Procedurally complex with many cross-references

• “damage” ≠ “damages”

• Must have $5,000 “loss” (i.e., cost)

• Loss requirement is jurisdictional threshold

Page 34

Civil Remedy

What is a “loss”?

“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Loss = cost (unless interruption of service)

Page 35

Civil Remedy

What can qualify as a “loss”?

• Investigation and response costs
  • Forensics analysis and investigation
  • Diagnostic measures
  • Restoration of system
  • Bartered services for investigation / restoration

• Value of employees’ time

• Attorneys’ fees if leading investigation

Page 36

Civil Remedy

What is not a “loss”?

• Lost revenue (unless interruption of service)

• Value of trade secrets

• Lost profits

• Lost customers

• Lost business opportunities

• Privacy and Personally Identifiable Information

Page 37

Civil Remedy

Privacy and Personally Identifiable Information

• iTracking

• Hacking / data breach

• Browser cookies

REMEMBER: Loss is only required for civil remedy – not criminal violation

Page 38

Civil Remedy

What would you advise?

• Wrongful access of your client’s computer

• Considering a CFAA claim

• Your advice would be to ________?

Page 39

Civil Remedy

Remedies

• Available
  • Economic damages
  • Loss damage
  • Injunctive relief

• Not Available
  • Exemplary damages
  • Attorneys’ fees

Page 40

Basic Elements

Elements of broadest CFAA Claim

1. Intentionally access computer;

2. Without authorization or exceeding authorized access;

3. Obtained information from any protected computer; and

4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

Page 41

Basic Elements

Elements of CFAA Fraud Claim

1. Knowingly and with intent to defraud;

2. Accesses a protected computer;

3. Without authorization or exceeding authorized access;

4. By doing so, furthers the intended fraud and obtains anything of value; and

5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

Page 42

WRONGFUL ACCESS

Page 43

Wrongful Access

General Access Principles

• Access by informational / data use (≠ technician)

• Must be knowing or intentional access (≠ accidental access)

Page 44

Wrongful Access

Two Types of Wrongful Access

“without authorization”

• Outsiders

• No rights

• Not defined

• Only requires intent to access, not harm

• Hacker!

“exceeds authorized access”

• Insiders

• Some rights

• CFAA defines: access in a way not entitled

• Necessarily requires limits of authorization

• Employees, web users, etc.

Page 45

Wrongful Access

When does authorization terminate?

Trilogy of Access Theories

• Agency Theory

• Intended-Use Theory

• Strict Access Theory

Page 46

Wrongful Access

Agency Theory

International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)

• Under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so too would his authorization change by becoming unauthorized.

• Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it.

• 7th Circuit only

Page 47

Wrongful Access

Intended-Use Theory

United States v. John, 597 F.3d 263 (5th Cir. 2010)

• Access to a computer, and to the data that can be obtained from that access, may be exceeded if the purposes for which access has been given are exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements.

• The employer can implement restrictions on access, and on use of information obtained thereby, in advance, by policies and agreements that are known by the employee; if the employee still violates those limitations by accessing information and using it for improper purposes (not for its intended use), that is unauthorized for purposes of the CFAA.

• 5th, 11th, 8th, 3rd, 1st (possibly) Circuits

Page 48

Wrongful Access

Strict Access Theory

United States v. Nosal (Nosal II), 676 F.3d 854 (9th Cir. 2012) (en banc)

• A strict interpretation of the CFAA prohibits unauthorized access to the computer rather than unauthorized use of the information. If authorization to access has been given, access will continue to be authorized until it is explicitly revoked, regardless of how it is used.

• 9th and 4th Circuits

Page 49

Wrongful Access

Establishing limits for Intended-Use

• Contractual
  • Policies: computer use, employment & manuals
  • Website Terms of Service

• Technological
  • Login and access restrictions
  • System warnings

• Training and other evidence of notification

• Notices of intent to use CFAA

Page 50

Wrongful Access

Contractual limits should

• Clearly notify of limits

• Limit authorization to access information

• Limit use of information accessed

• Terminate access rights upon violation

• Indicate intent to enforce by CFAA

Goal: limit or terminate authorization

Page 51

Wrongful Access

Ways to terminate for Strict Access

Craigslist Inc. v. 3Taps Inc., 2013 WL 447520 (N.D. Cal. Aug. 16, 2013)

3Taps operates an online service that aggregates and republishes ads from Craigslist. After learning of this, Craigslist took two important steps:

1. sent a cease-and-desist letter informing 3Taps that “[t]his letter notifies you that you and your agents, employees, affiliates, and/or anyone acting on your behalf are no longer authorized to access, and/or prohibited from accessing Craigslist’s website or services for any reason” (clear and direct notice)

2. configured its website to block access from IP addresses associated with 3Taps (technological restrictions)

Craigslist, as owner of the website, rescinded that permission for 3Taps, and further access by 3Taps after that rescission was “without authorization.”

With active monitoring, access and use can be controlled with the CFAA.

Page 52

Wrongful Access

Remember Aaron Swartz?

In 2008, he downloaded and released approximately 20% of the Public Access to Court Electronic Records (PACER) database of United States federal court documents, which amounted to about 18,000,000 documents. He was investigated by the FBI but was not charged.

He tried to “liberate” all information in JSTOR’s database by making it publicly available via file sharing networks. He made several attempts using MIT’s network and a guest account he created, each time circumventing the barriers that MIT and JSTOR set up to stop him.

He circumvented IP blocking and download limitations, spoofed his MAC address, bought a new laptop to get around the blocks, and broke into a network closet.

Page 53

Wrongful Access

Who is Sandra Teague?

United States v. Teague, 646 F.3d 1119 (8th Cir. 2011)

She worked for a contractor that assists the Department of Education with student loan inquiries via a call center; she had been granted access to the National Student Loan Data System, which contains student borrowers’ private information.

She used her access to look up one record for an individual even though she was not working on anything related to that person. For this single act, Teague was charged with violating the Computer Fraud and Abuse Act, tried, and convicted.

Can you guess whose student loan records are that guarded?

Page 54

Wrongful Access: Examples

Employment Situations

Most common scenario is employment

• Employee accesses and takes customer account information

• Employee accesses and takes or emails confidential information to competitor

• Employee improperly deletes data and email

• Employee deletes browser history

• Employee accessing their Facebook, Gmail, Chase accounts at work

Page 55

Wrongful Access: Examples

Family Law Situations

Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?

DON’T ANSWER THAT!

• Arkansas spouse after separation

• NTTA account?

• Bank account?

• Cancelling services via online accounts?

• Kate Gosselin v. Jon Gosselin alleges, post separation:
  • hack email, phone, bank account
  • stole hard drive
  • published info for tabloids and book
  • $5,000 loss?

Page 56

Wrongful Access: Examples

Sharing Website Logins

Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)?

DON’T ANSWER THAT!

• Recent case held that permitting others to use login credentials for a paid website was a viable CFAA claim

• The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service

Page 57

Wrongful Access: Examples

Misuse of Websites

Ever created a fake profile or used a website for something other than its intended purpose?

DON’T ANSWER THAT!

• Myspace Mom case – United States v. Drew

• Fake login to disrupt legitimate website sales

• Accessing website to gain competitive information when prohibited by TOS

• Creating a fake Facebook profile to research opposing parties

• Website scraping – Craigslist v. 3Taps

Page 58

Wrongful Access: Examples

Hacking & Private Information

Hacking was original purpose for CFAA

• Hacking and obtaining private information
  • United States v. Teague – 8th Cir., employee looking up forbidden educ. records
  • United States v. Tolliver – 3rd Cir., employee looking up customer records without business purpose

• Tracking individuals through geo-tagging

• Website collection of private information

• All fit within the prohibitions of the CFAA

• Loss is the problem, from a civil standpoint

Page 59

DATA BREACH

WHAT DO YOU DO?

Page 60

Data Breach

• often a product of computer fraud

• on the rise

• major risk to virtually all businesses

• PII, PHI, financial data, cardholder data

• disruption and data loss

• claims from data subjects

• fines and penalties from governments, agencies, industry groups

• impossible to prevent

• plan ahead to reduce harm

Page 61

Data Breach

4 Phases of Data Breach

• Preparation

• Prevention

• Understanding Laws, Rules & Regulations

• Responding

Page 62

Data Breach

Preparation

• Breach Response Plan
  • Goal: Execute!
  • Who, What, When, How
  • Attorney – privilege
  • Adopted Notification Form
  • Educate Team

• IT Security Audit / Penetration Testing

• Compliance: Prepare, Train, Audit
  • HIPAA, ERISA, OSHA, PCI, FINRA

• Cyber Insurance

Page 63

Data Breach

Prevention

• Software and Systems Updates

• Remediate Vulnerabilities

• Encrypt, Encrypt, Encrypt

• Data Surveillance & IT Alerts
  • Cyber CounterIntelligence / CounterEspionage
  • IT Alerts

Page 64

Data Breach

Understanding Laws, Rules & Regulations

• No Federal Breach Notification Law (yet)

• 46 States Have Laws
  • Not Alabama, Kentucky, New Mexico, South Dakota
  • Massachusetts is an oddball
  • 45 days (FL, OH, VT, WI); otherwise expeditious, without unreasonable delay
  • Consumers + State Attorney General

• Agencies (FTC, HHS, OCR, DOL, SEC)

• Industries (FINRA, PCI)

• International

Page 65

Data Breach

Responding to a Breach – Just Execute the Plan!

• Contact Attorney

• Assemble Response Team

• Contact Forensics

• Investigate Breach

• Remediate Responsible Vulnerabilities

• Contact Vendor for Notification

• Reporting & Notification
  • Law Enforcement First
  • AGs, Administrative Agencies, Industries, Credit Reporting Agencies, Consumers

Page 66

OTHER LAWS FOR COMBATING FRAUD 2.0

Page 67

Federal Laws

Federal Laws for Combating Fraud 2.0

• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  • Wiretap Act: interception of communications
  • Stored Communications Act: communications at rest

• Fraud with Access Devices – 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards

• Identity Theft – 18 U.S.C. § 1028

Page 68

Texas Laws

Texas Laws for Combating Fraud 2.0

• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner

• Notification Required Following Breach of Security of Computerized Data (Tex. Bus. Comm. Code sec. 521.053) amended by SB 1610 (eff. 6/14/13)

• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

• Unlawful Access to Stored Communications (TPC § 16.04)

• Identity Theft Enforcement and Protection Act (BCC § 48.001)

• Consumer Protection Against Computer Spyware Act (BCC § 48.051)

• Anti-Phishing Act (BCC § 48.003)

Page 69

Conclusion

• Welcome to the world of Fraud 2.0!

• Why? Remember what Jobs said

• CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!

• Data Breaches – be prepared – it will happen!

• Many other Federal and Texas laws also available for combating computer fraud

• Cyber Insurance

Page 70

Do You Want to Know More?

www.brittontuma.com

www.shawnetuma.com

Shawn E. Tuma

d. 469.635.1335

m. 214.726.2808

[email protected]

@shawnetuma

Copyright © 2013