Honored to be part of the Team: From 44 Felony Counts to One Misdemeanor, Plea Entered in U.S. v. Salinas CFAA Case

A plea deal has been entered in the case of US v. Salinas. Mr. Salinas’ legal team successfully negotiated an agreement that reduced a 44 felony count indictment down to a single misdemeanor count.

Tor Ekeland led Salinas’ legal team and did the heavy lifting on getting this deal done. I am honored that Tor invited me to be a part of the team as well; it was great to have the opportunity to work alongside such outstanding lawyers as Tor, Alma Garza, Meredith Heller, and the rest of the Team. Thanks Tor!

Read more about the details of the case on Tor’s website:

This morning, Fidel Salinas entered a guilty plea to one misdemeanor violation of the Computer Fraud and Abuse Act CFAA. When Tor Ekeland P.C. entered Mr. Salinas case on a pro bono basis he was facing a 44 felony count Indictment for various computer crimes. Tor Ekeland, working alongside Firm partner Meredith Heller and local counsel Alma Garza and Shawn Tuma sucessfully negotiated a resolution of Mr. Salinas’ Indictment down to a single misdemeanor count. Sentencing is scheduled for February 2, 2015 in the Southern District of Texas.

via From 44 Felony Counts to a Misdemeanor : Plea deal Entered in U.S. v. Salinas » Tor Ekeland, PC: Tor Ekeland, PC.

 

Dang! “Loss” of Opportunity to Decide Interesting CFAA Issue, But “Loss” Anayisis is Good Too

Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?

The United States District Court for the Southern District of Texas was poised to answer this question but did not reach the issue. The court found, as in most of these cases, the plaintiff did not satisfy the jurisdictional threshold $5,000 loss requirement.

What we did get, however, is a strong analysis of how the federal courts in Texas interpret the loss requirement of the CFAA. 

Something to think about — would this have violated the CFAA?

The plaintiff in Rajaee v. Design Tech Homes, Ltd. claimed that his job required him to have constant access to email to do his job. His employer did not provide him with a mobile device so he used his own personal iPhone 4 to conduct his work for Defendants. Plaintiff’s iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The parties disagreed over who connected the device or whether it was authorized.

Plaintiff resigned his employment with Defendants and, a few days later, Defendants’ network administrator remotely wiped Plaintiff’s iPhone, restoring it to factory settings and deleting all the data–both personal and work-related–on the iPhone.

Plaintiff sued Defendants alleging that their actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos , and videos, and numerous passwords.

Plaintiff sued for violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various state law claims.

Violation of the Electronic Communications Privacy Act

The Court found the Defendants’ actions did not violate the Stored Communication Act prong of the ECPA: “the Fifth Circuit has held that ‘information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.’” The information Plaintiff claimed was deleted was stored on his cell phone and not covered by the SCA.

Unauthorized Access Under the Computer Fraud and Abuse Act

The Court does not reach the issue of whether Defendants’ actions were an unauthorized access under the CFAA but that doesn’t mean we can’t think about it ourselves. In fact, over a year ago my friend Jim Brashear (@JFBrashear) and I talked about this and he suggested I write something about it. I didn’t. I should have.

What we do know from the court’s opinion are the following things:

  • Plaintiff owned the iPhone
  • The iPhone contained Plaintiff’s personal data
  • The iPhone was connected to Defendants’ server
  • The iPhone contained Defendants’ data
  • Defendants’ network administrator somehow remotely wiped all of the data — Plaintiff’s and Defendants’ — from the iPhone

We also know that a cell phone is considered a “protected computer” under the CFAA (post). So, we have a protected computer that — somehow — has its data wiped by someone other than its owner.  What we do not know from the opinion, but need to know, are:

  • What authorization did Plaintiff have to retain Defendants’ data on his device after his employment terminated?
  • What authorization did Plaintiff give Defendants to access his device when (whomever) connected it to Defendants’ server (beyond the fact that by connecting to the server Plaintiff was necessarily giving Defendants authorization for their server to communicate with his device)?
  • Assuming Plaintiff gave any authorization to Defendants, did that authorization continue for as long as Plaintiff maintained the connection to Defendants’ server?
  • What means did Defendant’s network administrator use to remotely wipe the device and what steps were taken beforehand to give Defendants the ability to do that?

I believe the answers to these questions are important in this analysis. If I were the judge, these are things I would want to know.

A hack back?

Thinking in the big picture, this scenario reminds me of the ongoing debate over whether it is acceptable for a company to “hack back” — that is, after a hacker has stolen data from a company, whether the company can in turn hack the attacking hacker (“you drew first blood” – Rambo) to either retrieve or destroy its (or its customers) data that is now residing on the hacker’s system likely in some far off land.

The arguments on both sides of the hack back issue are vigorous and I am not foolish enough to think I could resolve the issue here. I just want to point out that, in the big picture, the rationale seems somewhat similar: someone else has your data, they are not entitled to keep it, you do not want them to keep it, so go zap it!

Loss Under the Computer Fraud and Abuse Act

The real value in the Rajaee Opinion comes from the court’s analysis of the loss issue. As I discussed the CFAA’s loss requirement in another post, “I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify ‘having a federal case made out of it.’”

Meeting the loss requirement is a jurisdictional threshold that must be met before a plaintiff can bring a civil claim under the CFAA. “Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action ‘for [a]ny person who suffers damage or loss by reason of a violation of this section.’”

The terms “damage” and “loss” are statutorily defined terms that each have a unique meaning under the CFAA, which meanings also differ from the meaning of “damages.” This is important to remember.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Courts still routinely get this wrong despite the fact that “loss” is defined in subsection (e)(11): “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

While the Rajaee Opinion does not rise to the level of analysis of the Nosal Court’s Opinion which throughly discusses the various views of the CFAA loss jurisprudence, it is one of the more thorough ones I have seen from a federal court in Texas.

Because this case involves a ruling on a motion for summary judgment, the Plaintiff has the burden of providing evidence to support its allegations. The Rajaee Court required Plaintiff to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Plaintiff referred the court to a declaration in which he described the losses he suffered as a result of Defendants’ deletion of his personal data as being:

  1. pictures of his personal home rehabilitation project, which decreased the value of the remodel by at least $50,000;
  2. pictures and video of family, friends, and his dogs, which he values at $3,500;
  3. all cell phone contacts after 2009, which he values at over $50,000 based on his diminished employability;
  4. all of Plaintiff’s text messages, which he values at $1,000; and
  5. all of his notes and email accounts, which he values at $600.

The court was correct in agreeing with the Defendants who argued that none of these items qualified as loss. “Plaintiff [did] not produce[] evidence of any costs he incurred to investigate or respond to the deletion of his data, nor do the losses and damages for which he does produce evidence arise from an ‘interruption of service.’”

Because of this, the court dismissed the CFAA claim. 

Important CFAA Loss Principles Applied in this Case

In reaching its decision, the court referenced and stated the following propositions of law that will be helpful for any party to understand in a civil case in the federal courts in Texas, especially the Southern District:

Platform Magazine Quotes Tuma Discussing CyberGard: The Public Relations Side of a Data Breach

CyberGard - Cyber Risk Protection ProgramThank you to Platform Magazine for quoting me discussing the PR component of my CyberGard – Business Cyber Risk Protection Program in this forward thinking article about the value of getting public relations on board before your company has a data breach.

In a recent post I explained why a data breach response must focus on the business side of the breach: “The most important issue is how the incident will impact the company’s overall business. No matter how great of a job we do on the legal side, if the business side suffers too much, it is an overall failure. These situations are not the time for tunnel vision.”

Click here to learn more about CyberGard

A key component to focusing on the business impact is the businesses’ communications with the public. This where having professionals to help with the “messaging” becomes so important. Read more in The Public Relations Side of a Data Breach | Platform Magazine.

 

The Art of Data Security: How Sun Tzu Masterminded the Home Depot Data Breach

The Art of Data SecuritySun Tzu taught that, when it comes to the art of data security, you must be wary of your business associates and other third parties.

Why?

Have you heard that Home Depot had a data breach? That hackers were able to exfiltrate 56 million payment cards and 53 million customer email addresses from its systems? Did you hear what may be the biggest news of all, the news that was announced earlier today (11/6/14)?

Do you know what that news has in common with the other “big breach event” from roughly a year ago?

Have you heard of the national retailer that what was hit with a perfectly timed cyber attack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? That company has now spent over $61,000,000 as a result of the data breach and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.

Do you know how both Home Depot’s and Target’s computer system were attacked?

In both cases, cyber criminals obtained access credentials from third-party vendors to the “big boys” which credentials were used to get inside of their network environment, past the firewalls and much of the security perimeter. Once on the inside, they then used custom-built malware to execute the heist of the valuable data they were seeking all along.

Home Depot also said today that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. (Bloomberg)

What did Sun Tzu teach us about this technique?

In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.

You can be sure of succeeding in your attacks if you attack places which are not defended.

The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.

Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.

Around 500 B.C. Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third-parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.

Target learned.

Home Depot learned.

Will your company?

Stay wary friends.

 

Are the Russians Strategically Positioned for Full Scale Cyber War with the US? (apparently they have been since 2011)

Remember this word: Stuxnet

Got it?

(read more about Stuxnet on p. 145-46 of this article)

It is now our turn to have the cyber weapons of war used against us and the Russians are making sure they have the upper hand when the time comes. Stay tuned …

A destructive “Trojan Horse” malware program has penetrated the software that runs much of the nation’s critical infrastructure and is poised to cause an economic catastrophe, according to the Department of Homeland Security.

National Security sources told ABC News there is evidence that the malware was inserted by hackers believed to be sponsored by the Russian government, and is a very serious threat.

The hacked software is used to control complex industrial operations like oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even some nuclear plants. Shutting down or damaging any of these vital public utilities could severely impact hundreds of thousands of Americans.

via ‘Trojan Horse’ Bug Lurking in Vital US Computers Since 2011 – ABC News.

Fifth Amendment Permits Police To Force Users to Unlock iPhones With Fingerprints, But Not Passcodes

digital fingerprintsThe Fifth Amendment does not prohibit the police from forcing users to provide a fingerprint to unlock a mobile device but it does prohibit them from forcing users to provide a passcode.

This was the ruling of a District Court in Virginia.

The court’s rationale is that the Fifth Amendment does not protect against providing physical or tangible information to further an investigation, such as DNA evidence or a physical key, but it does protect a defendant from having to provide information that must be communicated because by communicating that information, the defendant would be testifying against himself.

Read more: Court Rules Police Can Force Users to Unlock iPhones With Fingerprints, But Not Passcodes – Mac Rumors.