Presentation: Helping Businesses Prepare for Computer Fraud and Data Breaches

Last night I had the wonderful opportunity to present to IMA – The Association of Accountants and Financial Professionals in Business on the topic of Helping Businesses Prepare for Computer Fraud and Data Breaches. Here are the presentation slides.

I was really impressed with the quality of this event on many levels — these folks really put on first class meetings so, for those of you who are accountants or financial professionals, I would encourage you to check them out. The facilities were great, the people were great, the food was great and it’s amazing how insightful and inquisitive a group can be when wine is served! Seriously, if you spend much time presenting to groups, you can tell when an audience is interested and paying attention or when they’d rather be some place else — this group was focused and their questions showed it. It was a real pleasure for me. The icing on the cake, however, was at the end when I was told that the organization would make an honorarium to my favorite charity — Cure JM of course! Much thanks!

Beware of this PayPal Spear Phishing Scam – I Just Got One!

There is a bogus email going around purporting to be from PayPal notifying you of charges that you did not authorize. Of course it has a “helpful” link for you to click and cancel the charges. But can you guess what happens if you click the link? You can try it but I’m not going to! I looked up some information and discovered this is not from PayPal and is, in fact, a scam. A copy of the email is included below. Also, please see the comment from John Erickson where he explains how you can check out suspicious looking emails. Thanks John!

Discussion of Problems with Proposed Cybercrime Legislation

There are many proposals floating around Capitol Hill that will purport to beef up our nation’s current cybercrime laws, first and foremost the Computer Fraud and Abuse Act. I have recently read two very good articles that do a nice job of explaining many of the inadequacies of the proposed legislation and are well worth the read:

Obama Cybersecurity Proposal: Flawed, But Fixable

Obama’s Cybercrime Crackdown Already Outdated, Experts Say | SecurityNewsDaily

As for me, the first thing I want Congress to do is make it clear what is really an improper access under the Computer Fraud and Abuse Act and tell us to whom it is really intended to apply (yeah, I know, different Congress = different intent … but hey, if I’m a wishin’ I’m a gonna wish good!).

Beyond that pipe-dream, I am wondering if the most effective thing Congress could do isn’t to simply amend the Computer Fraud and Abuse Act to provide that (1) a “loss” required for a civil claim includes having one’s personally identifiable private information compromised, and (2) the person whose information was compromised has a civil claim against both the hacker of the information and the person or entity from which the information was hacked.

Make this happen and some very enterprising plaintiff’s lawyers will take care of the rest.

As I asked in my post last week: Who’s Gonna Get It? Mark my words, at some point, somebody will. My hunch is that if Congress made these couple of amendments we’d find out the answer to that question a whole lot easier and quicker!

3 Recent Computer Fraud and Abuse Act Cases Worth Noting

Three recent Computer Fraud and Abuse Act cases decided over the last couple of months are worth looking at because they show the following points, respectively: (1) the CFAA in its current form does not give consumers an adequate remedy for privacy related data breach issues; (2) the CFAA’s focus on “access” is more akin to trespassing on a computer system than using a computer to commit a traditional “fraud”; and (3) the way a judge “walks through” the evidence vis-a-vis the elements of a basic civil claim under the Computer Fraud and Abuse Act.

Why does the Computer Fraud and Abuse Act in its current form not give consumers an adequate remedy to address privacy related data breach issues?

This is demonstrated by La Court v. Specific Media, Inc., 2011 WL 2473399 (C.D. Cal. Apr. 28, 2011) in which the court granted the defendant’s Motion to Dismiss because the plaintiffs in a class-action case, even in the aggregate, could not demonstrate the requisite $5000 “loss” required to maintain a civil claim for violation of the CFAA where the only “loss” they sustained was the value of personal data.

The case arose from the alleged use of Adobe Flash cookies that tracked the plaintiffs’ use of the Internet without their knowledge or consent. The plaintiffs brought a claim for violating the CFAA, among other things, alleging “that they sought to maintain the secrecy and confidentiality of the information obtained by Defendant through use of the” flash cookies and that their personal information has discernible value of which they were deprived by defendant’s use of it for its own economic benefit. The court dismissed the CFAA claim finding that the plaintiffs’ personal information, in essence, had no value – or at least not enough value to collectively meet the $5000 threshold.

You will recall that I blogged about this impediment when Apple was sued in the iTracking cases. If not, take a look at these posts where I delve a little deeper into this “loss” issue:

Apple iTracking Case: will Apple be WINNING on Computer Fraud and Abuse Act claim?

Apple Should Win the Computer Fraud and Abuse Act Claims …

iTracking II: Apple Sued Again for Violating Computer Fraud and Abuse Act

From what I can tell, nothing has changed.

Now, there is talk around the “data privacy” neighborhood that things could be changing a bit and courts may be starting to ascribe some value to people’s own personal data but I’ve not yet seen anything that has confirmed this is going to happen.

First, apparently two cases related to the La Court case involving Adobe Flash cookies have been settled for a $2.4 million settlement. The cases are Valdez v. Quantcast Corp. and White v. Clearspring Technologies and the article I read indicating the settlement value can be found HERE. I do not know the details of the settlement but, if any of you happen to know, I would be interested in learning more about it.

Second, just yesterday I read an article by Andrew Clearwater in the International Association of Privacy Professionals newsletter entitled New theory of harm in data breach cases that argued that people have a property right in personal information. I found this argument to be persuasive and, according to Clearwater, it is currently being tested in the case Alan Claridge v. RockYou Inc., 2011 WL 1361588 (N.D. Cal. Apr. 11, 2011), where the court has allowed the case to proceed by partially denying the defendant’s motion to dismiss. As Clearwater says, it will be interesting to see how this develops.

If it is treated like a trespass, why is the Computer Fraud and Abuse Act not called the Computer Trespass and Abuse Act?

Now that is a good question, and one that I do not know the answer to! I do suspect, however, that it was probably an easier “sell” to use the word fraud instead of trespass so I will leave it at that. In Xcedex, Inc. v. Vmware, Inc., 2011 WL 2600688 (D. Mass. June 8, 2011), however, the court stated “[t]he conduct prohibited by the CFAA is ‘analogous to that of “breaking and entering” rather than using a computer … in committing the offense.’” This is an important principle to remember about the CFAA and, I believe, helpful to understanding the various arguments circulating around about what is an “access” under the CFAA.

What kind of evidence does a judge look for when analyzing a civil claim under the Computer Fraud and Abuse Act?

The cynics among us will probably look at this next case and say, “he sure was struggling to find a comment-worthy point in this case” and they just may be right. But let me tell you why I wanted to bring this case to your attention.

Not too long ago I was drafting a motion for summary judgment for a plaintiff on a CFAA claim. As we all know, a movant on summary judgment has a better chance of winning when they can present a clear and concise argument that is supported by clear and concise evidence — with brevity being of paramount importance! One of the questions I asked myself during the drafting process was “what evidence should I use that will be most persuasive to the court and give me the maximum bang for the buck?” Within a couple of weeks of that, I read the opinion in Barnstormers, Inc. v. Wing Walkers, LLC, 2011 WL 1671641 (W.D. Tex. May 3, 2011). I found nothing earth shattering about the CFAA issues presented in this default judgment but did appreciate the way the court walked through the elements and discussed the evidence supporting each element that it found persuasive enough to include in its opinion. To me, that was enough to make it worth mentioning.

Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

This past Monday I blogged of what I called the “Trilogy of Access Theories” to refer to the 3 lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).

That was a FAIL!

United States v. Nosal

As of today the trilogy has become a duo with the Ninth Circuit’s opinion in United States v. Nosal. Honestly, however, I can’t say that it is that much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin – the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion though I am saving those for a different day … but here’s a hint: study those Bluebook signals!

Case Background

Apple Should Win the Computer Fraud and Abuse Act Claims …

that were filed against it for iTracking–that is, tracking and recording the details of all iPhone and 3G iPad owners’ movements without their knowledge. Here are two and a half reasons why:

Why two and a half, you may wonder? Because one of the reasons is a 50/50 toss up!

Apple has been sued for several different claims but my focus is on the Computer Fraud and Abuse Act (“CFAA”) claim. Based upon the allegations of the Complaint there are 3 issues that the plaintiffs had better be prepared to address when Apple files its Motion to Dismiss, most likely within the next couple of weeks.

Apple iTracking Case: will Apple be WINNING on Computer Fraud and Abuse Act claim?

From what I’ve seen thus far, it should.

But first let’s start with a little background …

Apple Was iTracking and Got Sued!

As anyone who is not living under a rock knows by now, Apple has been sued over the allegations that it has surreptitiously tracked and recorded the details of all iPhone and 3G iPad owners’ movements since approximately June 2010. These are the allegations underlying the plaintiff’s claims in Ajjampur v. Apple, Inc., (the “Apple iTracking Case”) filed in the Middle District of Florida, Tampa Division on April 22, 2011. Here is a copy of the Complaint.

The CFAA Violations Alleged

The plaintiffs seek to make this a class action lawsuit and claim it is worth in excess of $5,000,000 for violations of, among other things, the Computer Fraud and Abuse Act (“CFAA”). Their claims are premised upon 2 violations of the CFAA:

  1. Subsection (a)(2)(C) which is the standard “obtains information from a protected computer” “fraud” section that is almost always used. (Last week’s blog Basic Elements of a Computer Fraud and Abuse Act – “Fraud” Claim sets out the elements of proof for this “standard” claim); and
  2. Subsection (a)(5)(A) which provides that a violation is committed by “[w]hoever … knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”

Apple will certainly file a Motion to Dismiss the Computer Fraud and Abuse Act claim on the issues of “jurisdictional loss” and “damage” and, in all likelihood, “access” as well. We will start by looking at access, as courts usually do when analyzing Computer Fraud and Abuse Act cases.

The Access Issue
