Does the CFAA Apply to Lenovo’s SuperFish Malware Lawsuits?

For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)

One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.

I immediately turned to the point that Jon and I discussed, which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either, and to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)

How does this apply to the Lenovo SuperFish Malware?

So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?

Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?

The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.’” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:

Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.

Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed. 

 The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).

So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss? 

Hey Jon, by the way, thank you!



Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

Low Hanging Fruit Can Make a Pretty Good Cybersecurity Pie

“Cybersecurity” just sounds like something that must be really complicated, right?

Sure it does — it sounds exotic and cool — and complicated. And yes, when you get into the weeds of technical things that hackers (actually, crackers) do to monkey around with computers, it can be mind-boggling.

But, must you really understand all of those things to have some basic cybersecurity protection to help improve the odds for your company?

Think about this:

  • How much would your company’s cybersecurity odds improve if nobody in your company ever clicked on a phishing email?
  • If 75% wouldn’t?
  • If 50% more wouldn’t, after being taught how to think about them, than would have before?
  • How hard would it really be to take one day a month and have a lunch-and-learn for your workforce to help teach them how to think about and recognize such attacks, as well as other similar techniques the bad guys use?

Phishing scams, weak passwords, infected USB devices — those aren’t the exotic things that people think about when they hear the word “cybersecurity.” They are the easy(ier) things — the low hanging fruit in the grand cybersecurity scheme. But don’t forget, even that low-hanging fruit can go a long way toward making a really good cybersecurity pie and save you and your company a whole lot of heartburn!

 

Post Webinar Thoughts: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice

Here is a great post by Cordell on a few takeaways from our webinar on social media marketing for lawyers. Check it out and let us know what you think: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice | Cordell Parvin Blog.

New Podcast: #DtSR Episode 130 – Where Law and Cyber Collide

I really appreciate the #DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] inviting me to tag along for another episode of the Down the Security Rabbit Hole podcast.

In this episode we discuss the following:

  • Traveler’s Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers
  • FTC goes after LabMD for a data breach
  • Social media company TopFace pays a ransom to hackers

Go HERE for more details and to listen to the Podcast!

Upcoming Webinar: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice

On Tuesday, February 17, 2015, my coach Cordell Parvin (@CordellParvin) and I will be presenting this webinar for the Legal Marketing Association (LMA): Simple Ways to Effectively Use Social Media to Help Build Your Law Practice: Sponsored by the Social Media SIG

This webinar is based on the information we shared in the 3 part series of blog posts that were on Cordell’s blog: Simple Ways to Use Social Media to Build Your Practice in One Hour

Attendees will be live-tweeting at #LMAMKT and you will be able to view the Prezi HERE

This should be a lot of fun so you don’t want to miss it! For more information on the webinar, go HERE

#LMAMKT

 

Get Your Free Texas Business Guide: Identifying and Protecting Trade Secrets Under the (New) Uniform Trade Secrets Act

Trade secrets are the lifeblood of a company, but they can be a difficult issue to understand.

Here is a free guide to help you identify and protect your company’s trade secrets.

DOWNLOAD: Texas Business Guide for Identifying and Protecting Trade Secrets

Yes, Your Business Has Trade Secrets

Whether they realize it or not, virtually every business has trade secrets which can be as simple as something unique or remarkable about the way it makes a product or provides a service that sets it apart from the competition. This is something that gives the business a competitive advantage and is usually something it has spent significant time and resources to develop.

Unfortunately, in today’s business environment, honor and integrity are not always the rule and many businesses find their trade secrets are being taken and used to compete against them. The threat can come from as close as disloyal employees or local competitors, or from around the world, from foreign state‐sponsored organizations engaging in industrial espionage.

Preparation is the Key to Successfully Protecting Your Business’s Trade Secrets

The first time many businesses ever give serious thought to their trade secrets is when they find that they have been taken. It is then that the business begins scrambling to identify its trade secrets and, assuming it can put together a comprehensive list, hopes and prays that it has satisfied the requirements for keeping that information protected under the law of trade secrets so that it can use the legal process to keep it from being used by the business’s competitors. To make matters worse, when the disclosure of trade secrets is being threatened and an injunction from a court is all that will stop it, time is precious and every minute can make the difference between winning or losing.

Here Is The Guide

Shawn Tuma has prepared a comprehensive Guide to help you understand how to identify and protect your business’s trade secrets. The Guide provides a step-by-step explanation of everything from what trade secrets are in general, to how to identify your own business’s trade secrets, to the most common threats against trade secrets, and how to protect against those threats.

You can download a free .pdf copy of the Guide by clicking on this link: Texas Business Guide for Identifying and Protecting Trade Secrets 

Once you have downloaded the Guide, you can be proactive in protecting your business’s trade secrets by using it to prepare for the problem before it ever arises and, in doing so, help reduce the chances that the problem will ever arise by:

  1. carefully evaluating what information your business has that qualifies as trade secret information;
  2. implementing security measures, policies, and procedures to prevent the disclosure of that information and protect its trade secret status; and,
  3. in the event its trade secrets are ever compromised, being much better prepared to quickly and efficiently make its case in a court of law and successfully prevent others from using its trade secrets.

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at Scheef & Stone, L.L.P., a business law firm with offices in Dallas and Frisco, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

No Standing for Fear of Future Harm: Another Consumer Data Breach Class Action Dismissed

The U.S. District Court for the Southern District of Texas dismissed a class action data breach lawsuit filed by Beverly T. Peters against St. Joseph Services Corp. The reason is familiar in consumer class action data breach cases: fear from the heightened risk of future identity theft or fraud from a data breach does not give legal standing to sue by a party whose data may have been compromised.

“Having reviewed the parties’ submissions and the relevant law, the court concludes that the answer is no,” the judge wrote in the opinion. “Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries. Lacking viability, her federal claims are dismissed with prejudice.”

The original Law360 article is here, but it is behind a paywall so you will need a subscription to access: Another data breach case dismissed for no standing: Ex-Patient’s Class Action v. St Josephs.