So, your business has never had a data breach? Have you ever had an employee leave?

TAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox of your business’s data, that person is then an unauthorized person in possession of your business’s data and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees every day for various reasons. When an employee is leaving, it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy for a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your business’s data, including all of the sensitive private information that your business’s customers have entrusted to you for safekeeping. And then the employee decides to open their own business or go to work for one of your competitors, and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that; you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government-issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure to notify?

Section 151.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day of delay, not to exceed $250,000 for a single breach.

Any more questions?

Presentation Slides: Overview and Update of the Computer Fraud and Abuse Act

Today I had the opportunity to present to the Privacy, Data Security, and eCommerce Committee of the State Bar of Texas on an overview and update of recent cases and issues for the Computer Fraud and Abuse Act. Here are the presentation slides and, of course, feel free to let me know if you have any questions or would like to discuss.

Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data Security & Privacy Committee of State Bar of Texas (https://www.slideshare.net/shawnetuma/overview-and-update-on-the-computer-fraud-and-abuse-act-cfaa-for-the-data-security-privacy-committee-of-state-bar-of-texas) from Shawn Tuma (http://www.slideshare.net/shawnetuma)

Fifth Circuit Finds Company Not Liable for Alleged Violations of CFAA and ECPA by Its Regional Manager

Do alleged violations of the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act committed by a company’s Regional Manager make the company liable?

No, as long as the Regional Manager was not acting on behalf of the company.

On October 19, 2012, the United States Court of Appeals for the Fifth Circuit issued its ruling in Larson v. Hyperion Int’l Technologies, L.L.C., No. 12-50102 (5th Cir. 2012) in which it affirmed the district court’s granting of a Motion to Dismiss Larson’s Complaint. Larson (pro se) sued Hyperion alleging that Hyperion’s Regional Manager, Frank Stephenson, acquired his personal and private communications, including emails, medical records, and attorney-client communications which he then faxed to a third party, all without Larson’s knowledge or authorization, by using Hyperion’s fax machine and fax cover pages for the transmissions. Larson sued Hyperion for violating the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act, among other things. Following the district court’s dismissal, Larson appealed pro se.

The Fifth Circuit observed that the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act statutes all “expressly require intentional interception or publication of electronic communications” by the defendant. The Complaint in this case alleged that Stephenson intentionally violated each of these statutes but, because there was no showing that Stephenson was acting on behalf of Hyperion (the defendant), dismissal of those claims was proper.

Takeaway: If you are going to sue a company for violating the Computer Fraud and Abuse Act, Stored Communications Act, or Wiretap Act, you must also be prepared to plead and prove that the individuals who intentionally committed the wrongful acts were acting on behalf of the company.

If you have any questions about pursuing or defending claims under the CFAA or the ECPA, please feel free to contact me to discuss.

Shawn E. Tuma (469.635.1335 / stuma@brittontuma.com)

Mind Control, Human Hacking & the Computer Fraud and Abuse Act?

Here is a thought to ponder: Would it violate the Computer Fraud and Abuse Act to hack a person?

Based on the broad definition of computer that is used in the Computer Fraud and Abuse Act I believe that the answer could be “yes.” Here is why:

  • The CFAA applies to anything with a microchip or data processor that is connected to the internet. See Can Stealing a Car Violate the Computer Fraud and Abuse Act?
  • If a person were to have a microchip or data processor implanted into their body, and if such a device were connected to the Internet, then that person would be a covered “computer” and the CFAA would apply if they were hacked.

So, you may be wondering, what made me think of this crazy idea? Well, I read the article Are You Ready for Mind-Control Warfare? and, the more I thought about it, the more I realized that it is a possibility. Technology has already advanced to the point where tiny microchips are being put under people’s skin for various reasons and there is no doubt that will continue. But, as the above article shows, these technological advances will not stop there. Now we’re looking at things like “the potential for ‘neural interface systems’ (NIS) that could control weapons with the human mind.” Pretty heavy stuff for sure but stop and think about this for a moment.

If technology reaches a point where “computer” driven devices allow the human mind to control weapons, surely someone will then try to gain control over that device and, therefore, the mind that controls those weapons. That is, they will try to “hack” that person. And, when they do, I would argue that they will have violated the Computer Fraud and Abuse Act as it is presently written and interpreted.

Is a $5k loss required for each defendant under Computer Fraud and Abuse Act?

Two federal district courts in Texas have faced this issue and both refused to find that plaintiffs, to assert a civil Computer Fraud and Abuse Act claim, must meet the $5,000 loss threshold separately as to each defendant.

Regular readers of this blog know I often write about the $5,000 jurisdictional loss requirement for asserting a civil claim under the Computer Fraud and Abuse Act. Its importance is demonstrated by the many legitimate CFAA claims that have been dismissed because the jurisdictional loss requirement was not satisfied even though it possibly could have been with a little better strategic planning from the outset.

The statutory language of section 1030(g) of the Computer Fraud and Abuse Act provides that multiple plaintiffs can aggregate their losses to meet the jurisdictional threshold. But, does that mean that the plaintiffs must have a separate $5,000 loss for each defendant? The statutory language of the CFAA does not explicitly answer this question.

Two Federal district courts in Texas have recently faced this issue–in the same case. Neither court found there must be a separate $5,000 loss for each defendant in the lawsuit. The defendants in the case M-1 LLC v. Argus Green LLC, 2011 WL 3813286 (S.D. Tex. Aug. 26, 2011), have raised this issue before the United States District Court for the Eastern District of Texas as well as the court rendering this opinion, the United States District Court for the Southern District of Texas (case transferred from the former). The Eastern District Court denied the defendants’ motion to dismiss, finding that the plaintiffs were not required to have a separate $5,000 loss for each defendant. The Southern District Court, in this opinion, refused to disturb the ruling in the absence of compelling proof that it should.

At least these two federal district courts in Texas have refused to find that plaintiffs, to assert a civil Computer Fraud and Abuse Act claim, must meet the $5,000 loss threshold separately as to each defendant. Given what we know about the unpredictability of the CFAA, whether other courts will find the same way remains to be seen.