Hacking Into A Company You Sold Can Get You Jail Time

A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and pay a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information to use for launching a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability that he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is considered hacking just as if the Russians did it with super-secret James Bond-like gadgets and gizmos.

USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York

 

Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to
access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.”

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook revoked its authorization to access the site. In looking at how courts handle “browse wrap” versus “click wrap” online agreements, they consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and subjectively assented to it — whether actually reading it or understanding it or not.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s
actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).

 

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

The CFAA is for Access of a Computer, Not Mere Possession

It often said that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is an access crime — meaning that it is designed to punish the wrongful access of a device. A recent case out of the Northern District of Texas highlights this point. Continue reading “The CFAA is for Access of a Computer, Not Mere Possession”

3 Key Takeaways About Texas’ Unauthorized Access Law

The Dallas Court of Appeals recently decided a civil case involving claims under Texas’ unauthorized access of computer law that provides some helpful guidance for this relatively new law that has very little case law construing it. The 3 takeaways that follow are the key legal principles that apply to this law as set forth in the case Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016). Continue reading “3 Key Takeaways About Texas’ Unauthorized Access Law”

Making Sense of #AppleVsFBI Issues: #DtSR Podcast

The USA v. Apple battle is one of the hottest issues currently being debated in cybersecurity, privacy, law enforcement, and perhaps even, water coolers in offices around the country. What the debate is lacking in substantive, factually-based, well-reasoned analysis, it certainly makes up for in passion and strong opinions. If you are not convinced, spend a few minutes reading the  #AppleVsFBI Twitter Feed. Continue reading “Making Sense of #AppleVsFBI Issues: #DtSR Podcast”