Those 3rd party IT audit provisions you’re seeing in Privacy & Data Security Addenda to contracts – this is why: Hillary Clinton’s email firm was run from a loft apartment with its servers in the bathroom
An employee of East Bay Perinatal Medical Associates in Oakland, CA, retained on his personal laptop a patient list that he had prepared as part of his job. The list did not contain PHI but it did contain PII. The Berkeley Police discovered the list during an unrelated investigation and notified EBPMA that it was on the computer. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for EBPMA.
Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that EBPMA had to send out!
An employee of Golden State Credit Union viewed member account information, containing Personally Identifiable Information (PII), without having the requisite authority to view such accounts. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for the Credit Union, which offered credit monitoring services to those affected.
Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that Golden State had to send out!
I had the wonderful opportunity to visit with and get to know Rocky Dhir (@rockydhir) at the State Bar of Texas 2015 Annual Meeting in San Antonio. Rocky is the Founder and CEO of Atlas Legal Research, LP (@atlaslegal), “the world’s leading legal outsourcing company.”
Rocky and I did a brief interview where we talked about a lot of things — but also cybersecurity and, more specifically, cybersecurity for law firms. Rocky is a pro at this and he does them all of the time for the State Bar of Texas’ Texas Bar TV channel — and it really showed, but I had a great time doing it and, in the end, that’s what matters, right?
To have a valid CFAA claim, there must be an access to a computer.
The Computer Fraud and Abuse Act is often referred to as an “access crime” because the act that is prohibited is accessing a computer. Misusing information that someone else obtained from a computer is not accessing a computer. Doing so may be wrong for other reasons, but it is not a CFAA violation because it does not entail accessing a computer.
The court in New Show Studios LLC v. Needle, 2014 WL 2988271 (C.D. Cal. June 30, 2014) addressed this issue where a former employee continued to use his former employer’s information after his employment terminated by having people who still worked for the company access information and supply it to him. The court dismissed the CFAA claim because the plaintiff did not plead any access to a computer:
To prevail on a CFAA claim, plaintiffs must establish, among other things, that defendants “intentionally accessed a computer.” LVRC Holdings LLC, 581 F.3d at 1132. But the FAC is devoid of any allegation that the defendants accessed any computer. Instead, the FAC only alleges that Needle “gained access to confidential and sensitive information.” FAC ¶ 37. Accessing plaintiffs’ information, however, is not the same thing as accessing plaintiffs’ computer systems, even if that information was at some point stored on those computers. The Ninth Circuit has specifically cautioned against reading the CFAA as an “expansive misappropriation statute.” Nosal, 676 F.3d at 857; see also id. at 863 (explaining that the “general purpose” of the CFAA “is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets”). If plaintiffs wish to assert a claim under the CFAA, they must plainly allege that defendants’ accessed their computer systems, and explain the basis for those allegations.
A person’s use of his single, individual-use password to access a news site and obtain content that he then shared with over 100 other people did not cause any impairment to the integrity or availability of data, or any loss due to interruption of service, as required to bring a civil claim under the Computer Fraud and Abuse Act.
Capitol Audio Access, Inc. v. Umemoto, 980 F. Supp.2d 1154 (E.D. Cal. 2013).
The U.S. District Court for the Eastern District of Louisiana recently sided with employers in the ongoing judicial debate over interpreting the Computer Fraud and Abuse Act (“CFAA”). See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 (E.D. La.). Associated Pump sued its former employee Kevin Dupre for violating the CFAA during his alleged scheme to steal Associated Pump’s trade secrets. The complaint sets forth a now familiar scenario: shortly before resigning, Dupre used his work computer to violate a confidentiality agreement and known company policies by improperly accessing and obtaining Associated Pump’s confidential information to use while employed by Associated Pump’s competitor. These allegations, the Court held, state a viable CFAA claim.