former employee = current data thief

Fifth Circuit Upholds CFAA Conviction for Former Employee’s Misuse Causing Damage Based on Circumstantial Evidence

In United States v. Anastasio N. Laoutaris, 2018 WL 614943 (5th Cir. Jan. 29, 2018), the United States Fifth Circuit Court of Appeals affirmed a jury verdict finding Laoutaris guilty of two counts of computer intrusion causing damage, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i) of the Computer Fraud and Abuse Act.

Laoutaris had been an IT engineer for Locke Lord LLP; following the termination of his employment, he accessed to the firm’s computer network and issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts. This post-termination access was without authorization. He was ordered to pay restitution in the amount of $1,697,800 and sentenced to 115 months’ imprisonment.

On appeal, Laoutaris argued that “the evidence at trial was insufficient to support the jury’s verdict for both counts of conviction because there was no proof he was the person who accessed Locke’s network and caused the damage that occurred on the relevant dates.” Further, Laoutaris had an expert testify that the attacks came from China.

The Fifth Circuit disagreed and found “[t]he evidence at trial shows a rational jury could have found each essential element for the § 1030(a)(5)(A) offenses charged against Laoutaris, who elected to testify. Contrary to his assertions, there was ample circumstantial evidence identifying him as the perpetrator of these offenses.”

The government’s brief indicates that the following evidence was admitted on this issue, beginning at page 6:

At trial, the government presented a substantial volume of circumstantial evidence identifying Laoutaris as the intruder. Logs created by the servers on the Locke Lord network showed that the intruder on December 1 and December 5 connected to the network using LogMeIn, which was installed on the HOBK01 backup server in Houston, and accessed the network using the credentials of a Windows “master services account” called svc_gn and its associated password. (ROA.1463-1515, 2835-47.) The IP address of the intruder on December 1 and December 5 was 75.125.127.4. (ROA.2768, 2835.)
That IP address was assigned to The Planet. (ROA.1077-79.) Laoutaris was an employee of The Planet at the time. (ROA.1068-70; see also ROA.2635-83.) Kelly Hurst, Laoutaris’s supervisor at The Planet, testified that the IP address was The Planet’s public wireless network at the Houston corporate office, which employees would be able to use while working out of The Planet’s corporate office. (ROA.1077-78.)
*7 Laoutaris was also associated with the LogMeIn software running on the Houston backup server. The software program was installed by a person who identified his email address as “c_hockland@hotmail.com.” (ROA.1304-07, 2848.) Records from Microsoft established that the account was created by “A.N. Laoutaris.” (ROA.2587.) Further, several Locke Lord employees testified that “c_hockland@hotmail.com” was an email address they knew to be associated with Laoutaris. (ROA.1306.) Additionally, Laoutaris’s personnel file included his resume, where he used the email address, and an email he sent on his last day providing c_hockland@hotmail.com as his forwarding email address. (ROA.2550.) Even after he quit, Laoutaris used that email address to send a message to a former colleague at Locke Lord making disparaging comments about the firm and his former supervisor. (ROA.2559-60.) Laoutaris continued using the email address as recently as July 2014, after he was indicted. (ROA.2681.)
The government also presented evidence establishing that Laoutaris had the password for the “svc_gn” account. The “svc_gn” account was the “master of all masters” account that had “no limits” on what it could do within the Locke Lord network. (ROA.1147.) IT engineers at Locke Lord explained that all of the engineers would from time to time use the “svc_gn” account when performing various tasks on the network and that all the *8 engineers had the password. (ROA.1147.) The jury heard evidence that Laoutaris asked for, and received, the password for the “svc_gn” account shortly before quitting the law firm. On August 10, 2011, a few days before Laoutaris quit, he requested the password from Michael Ger and Stan Guzic, two of the other IT engineers at Locke Lord. (ROA.2556-57.) Guzic testified that Laoutaris “constantly asked us for the password” and thus “to help him remember it, we used his name within the password itself” – specifically, “4nick8.” (ROA.1151.)
Not only was Laoutaris specifically tied to the December 1 and December 5 attacks, the government presented evidence tying him to at least 12 unauthorized intrusions into the Locke Lord network through LogMeIn. (ROA.2703-16, 2746, 2756, 2758, 2760, 2762, 2764, 2766, 2768, 2835, 2849.) Each of those intrusions originated from an IP address that was tied back to Laoutaris – either his home or his place of employment. (ROA.2703-16.)
The government’s brief also provides an excellent example of how to calculate a loss in a case such as this, beginning at page 12.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What do we in the United States really want from our cyber laws?

In my newsfeed are articles in prominent publications discussing the problems with the federal Computer Fraud and Abuse Act from very different perspectives.

www.businesscyberrisk.comIn the “the CFAA is dangerous for security researchers” corner we have White Hat Hackers and the Internet of Bodies, in Law360, discussing how precarious the CFAA (and presumably, the state hacking laws such as Texas’ Breach of Computer Security / Harmful Access by Computer laws) and Digital Millenium Copyright Act can be for security researchers.

In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.

Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?

This reminds me of a piece I wrote about the CFAA and the broader national policy discussion a few years ago, Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue? In that piece I stated,

The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:

The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.

Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?

I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.

Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?

What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?

Hacking Into A Company You Sold Can Get You Jail Time

A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and pay a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information to use for launching a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability that he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is considered hacking just as if the Russians did it with super-secret James Bond-like gadgets and gizmos.

USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York

 

FUD and Voting Machine Hacking: An Important Point and Important Lesson

This morning I am doing radio interviews as a Fox News Radio contributor. My topic? The DEFCON Voting Village demonstration of hacking voting machines that have been, or may currently be, used in US elections. Here are a couple of the news stories if you are unfamiliar: Hacking a US electronic voting booth takes less than 90 minutes | New Scientist and To Fix Voting Machines, Hackers Tear Them Apart | Wired

With all of the talk about hacking or rigging elections, this is a great topic to pique people’s interest for a radio interview but it can also generate a great deal of FUD. And, I really do not like FUD because it detracts from the real issues and lessons that we can learn from situations. So, there is one very important point and one very important lesson that I have tried to make during these interviews and that I hope will rise above the FUD:

IMPORTANT POINT: The voting machines used in this example were obtained from eBay and government auctions because they had been decommissioned. This means they were old. Unfortunately, some had been used in recent elections — which is a big problem — but generally speaking, we’re talking about outdated technology.

IMPORTANT LESSON: Voting machines are computers and, while (IMO) no computer will be secure they can certainly be more secure. We must be vigilant about the security of the voting machines and other election infrastructure that we use in our voting process and demand that current, state of the art equipment be used, where security is baked in from the outset and is continuously maintained as an ongoing process, from now on until further notice.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Fifth Circuit: Employee Taking Data to Work for Competitor Violates Texas Hacking Law

former employee = current data thiefBefore leaving his employment at Merritt Hawkins & Associates (MHA), Larry Gresham allegedly accessed MHA’s computer network and copied 400 of MHA’s proprietary files and then deleted hundreds of files in an attempt to hide his activities. A jury found Gresham’s actions violated the Harmful Access by Computer Act (HACA), Texas unauthorized access law (i.e., “hacking law”). The Fifth Circuit affirmed the jury’s verdict. Merritt Hawkins & Associates, L.L.C. v. Gresham, 2017 WL 2662840 (5th Cir. June 21, 2017).

Here are three key points from this case about the Texas Harmful Access by Computer Act (civil) or Breach of Computer Security (criminal) laws:

  1. An employee may violate HACA / BCS by accessing his employer’s computer system without its “effective consent” (i.e., (a) by using it for a purpose other than that for which consent was given, (b) in violation of a clear and conspicuous prohibition, or (c) in violation of an express agreement) and taking data to use for non-company business related purposes.
  2. An award of $50,000 in damages for the missing and stolen computer files was supported by sufficient evidence, in the following form:
    1. the owner of the company’s testimony that he would have to pay an employee at least $100 an hour to recreate every file that was deleted and that it would be more expensive to search the company’s database to see if any files remained, even though he admitted that it was difficult to calculate the damages, especially for those that were taken but not deleted;
    2. a computer forensics expert testified that he billed the company over $60,000 for his work assessing the damage to its computer system, excluding litigation costs; and
    3. the company’s IT employee testified about the expenses he incurred and the hours he worked trying to restore the computer files.
  3. “A prevailing party on a Harmful Access by Computer claim ‘is entitled’ to attorneys’ fees.” Tex. Civ. Prac. & Rem. Code § 143.002.

See these resources for more information about the Texas Harmful Access by Computer Act and Breach of Computer Security laws:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

“Thank You” to 2 Legal Leaders that I Respect

There are many ways to honor someone. For me, one of the greatest privileges is knowing that others have found some value or usefulness in my work, especially by referencing it to others. What is unfortunate, however, is when you did not learn about it for quite some time and realize you never properly thanked them!

So . . .  here I am in a meeting with an attorney and her clients to discuss my consulting with them (behind the scenes) to help the attorney with various cyber issues that are involved in the case. Now you already know that I consider myself to be fairly knowledgeable in the area of cyber law but even in this area, there is still a lot out there I do not know. An issue about the Wiretap Act comes up — specifically, the Texas version of the Wiretap Act — and I do not have a good answer for the question.

So . . . I change the subject momentarily while I do what any reasonable Texas attorney should do; I use my iPad to discretely pull up Judge Emily Miskel’s (@emilymiskel) very well-respected article that discusses this issue, Peeping Toms in the New Millennium: Digital Dos and Don’ts, that she co-authored with Mark I. Unger (@miunger) and Kristal C. Thomson.

In perusing Peeping Toms in the New Millennium (while maintaining normal conversation) I not only found the answer to the question that I was looking for, but I also discovered that the article included a reference to one of my blog posts, 3 Key Takeaways About Texas’ Unauthorized Access Law, that discusses the case Miller v. Talley Dunn Gallery, LLC.

Given the tremendous respect that I have for Judge Emily Miskel and Mark Unger (I have not met Kristal but she is in good company!), I was both humbled and honored. So, now, here is my proper “THANK YOU!

Finally, if you’re like me (and Judge Miskel, and Mark, and presumably Kristal) and you geek out on this kind of stuff and want further reading, let me direct you to my original blog post that discusses the Texas Breach of Computer Security and Harmful Access by Computer Act laws, which are explained in more detail than you could ever ask for starting on page 25 of this guide: Federal Computer Fraud and Abuse Act and Texas Computer Crime Laws.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

WHDT World News Interviews Shawn Tuma about WikiLeaks’ CIA Vault7

See also: 

Insider Misuse of Computers: No Big Deal? It Can Be a Data Breach, Ask Boeing

Insider misuse triggers a breach just like outside hackers.

When a company’s information is compromised because of insider[1] misuse of computers or information, regardless of insider’s intentions, the result for the company and the data subjects of that information is often the same as if it were an attack by an outside adversary – it is a data breach.

Boeing’s insider-triggered data breach.

A Boeing employee emailed his spouse an internal company document containing personally identifiable information for about 36,000 co-workers to get help with formatting the document. His intentions were noble and innocent, he wanted to do a good job on the document and believed his spouse could help. The outcome was much different.

See: Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies

Because the sensitive data on its employees left Boeing’s “control” when it passed from an employee to a non-employee, it triggered a data breach. As a result, Boeing had to go through the breach notification process by notifying the 36,000 employees affected, providing them with two years of complimentary credit monitoring services, and notify the attorneys general of Washington, California, North Carolina, and Massachusetts. Read the full story here: Boeing discloses 36,000-employee data breach after email to spouse for help

Why was this a data breach?

In this analysis, you start with the data itself. Was the confidentiality, integrity, or availability of the data compromised? When a company collects, stores, or processes data, it is responsible for the safe keeping of that data, wherever it may be (yes, even if the company entrusts it to another for safekeeping, the company is still responsible). Generally speaking, when that company has employees, contractors, or other workers performing services on its behalf -– insiders — they are treated as being within the company’s control and legal protections of that data and their access to, possession, and use of that data is still within the legal fiction of being within company control. The confidentiality of that data is still intact as long as they are acting within the scope of their permissible role.

Insiders exceeding limitations of access and use of information may trigger breach.

When insiders exceed the boundaries that have been placed upon them by accessing, possessing, or using that data in a manner that is unauthorized by the company, it may result in a data breach, depending upon the particular facts of how it is used, the nature of the data, the type of industry, and any regulatory framework that may apply to that industry. For example, in the healthcare context the HIPAA Privacy Rule would almost certainly classify such a situation as an unlawful use or disclosure, triggering a data breach by the company.

Insiders keeping company information after termination of employment is almost certainly a breach.

When insiders take sensitive company data outside of the company, it will almost certainly trigger a data breach for the company. The most obvious example of this is an employee that retains company data after that employee is no longer employed by the company. Once the employment relationship terminates, the employee’s basic duties to the company also terminate and, unless there is some contractual extension of those duties, the employee possessing that information is no different than the spouse of the Boeing employee possessing the information – it is no longer within the legal fiction of “protections” of the company that maintain its confidentiality. In other words, its confidentiality has now been compromised.

Texas’ breach notification law is triggered by insider misuse.

In most cases, determining whether a breach has occurred will depend on the breach notification laws for the particular jurisdiction where the company does business and where the data subjects of that information reside.[2]

What is a breach of system security under Texas law?

The Texas breach notification law, Breach of Security of Computerized Data,[3] requires any company that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

A “’breach of system security’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”[4]

Regarding insiders, the law specifically states that “[g]ood faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.”[5] In other words, if an insider is authorized to access company SPI for a valid business purpose, and does so, but later uses or discloses that information in an unauthorized manner, it is a data breach under the Texas breach notification statute.

What is sensitive personal information under Texas law?

What is often referred to as personally identifiable information is defined by the Texas data breach notification law as “sensitive personal information” (SPI). The law has a fairly detailed definition of SPI that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Does an employee’s unauthorized taking of company data to use for working for a competitor trigger a data breach under Texas law?

Consider a common scenario in the business world, with a few extra twists for emphasis:

  1. An employee who has had access to and worked with her employer’s customer database containing detailed information and SPI decides to leave the company.
  2. Because she has done most of the work in building up the customer database, she believes she is entitled to have a copy of it for herself so, before giving her notice or actually terminating her employment, she copies the customer database to her personal Dropbox account and saves it to a USB thumb drive.
  3. She then gives her notice, terminates her employment, and goes to work for a competitor.
  4. Once she starts work, she looks for the database but discovers that she lost the USB drive, which was unencrypted, so she downloads the customer database from her Dropbox folder, which also happens to be an openly “shared” folder, freely accessible by anyone on the Internet because she is an amateur photographer and it contains the images she uses to display her work on her blog.
  5. She then begins using her former employer’s customer database without telling her new employer but she does secretly upload the database to her new employer’s computer network.

Texas Broadens Unauthorized Access of Computer Law to Specifically Address Insider Misuse

3 Key Takeaways About Texas’ Unauthorized Access Law

What do you think, data breach or no data breach? In the hypothetical, at which step do you think there became a problem, if any? Please share your answer and reasoning in the comments – this one should be fun!

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

[1] The term “insiders” is often used to refer to “privileged users,” that is, users who have at least some rights, or privileges, to access and use the computers whereas the term “outsiders” refers to users who do not have any access rights, or privileges, to access the computers whatsoever. See Shawn E. Tuma, In Search of the Golden Mean: Examining the Impact of the President’s Proposed Changes to the CFAA on Combatting Insider Misuse, 18 SMU Sci. & Tech. L. Rev. 3, p.4 (2015).

[2] See Shawn E. Tuma, Guide to Responding to Data Breaches and Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Cybersecurity Business Law (2016).

[3] Breach of Security of Computerized Data, Texas Bus. & Comm. Code § 521.053.

[4] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).

[5] Tex. Bus. & Com. Code Ann. § 521.053 (a) (West).