Hacking Into A Company You Sold Can Get You Jail Time

A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information he could use to launch a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is hacking just as much as if the Russians did it with super-secret James Bond-like gadgets and gizmos.

USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York


Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

“One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.”

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook had revoked its authorization to access the site. Likewise, in deciding whether “browse wrap” or “click wrap” online agreements are enforceable, courts consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and assented to it, whether or not the user actually read or understood it.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).


______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

The CFAA is for Access of a Computer, Not Mere Possession

It is often said that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is an access crime, meaning that it is designed to punish the wrongful access of a computer, not the mere possession of data or a device. A recent case out of the Northern District of Texas highlights this point.

3 Key Takeaways About Texas’ Unauthorized Access Law

The Dallas Court of Appeals recently decided a civil case involving claims under Texas’ unauthorized access of computer law that provides some helpful guidance for this relatively new law that has very little case law construing it. The 3 takeaways that follow are the key legal principles that apply to this law as set forth in the case Miller v. Talley Dunn Gallery, LLC, 2016 WL 836775 (Tex. App.–Dallas, Mar. 3, 2016).

Making Sense of #AppleVsFBI Issues: #DtSR Podcast

The USA v. Apple battle is one of the hottest issues currently being debated in cybersecurity, privacy, law enforcement, and perhaps even at water coolers in offices around the country. What the debate lacks in substantive, factually-based, well-reasoned analysis, it certainly makes up for in passion and strong opinions. If you are not convinced, spend a few minutes reading the #AppleVsFBI Twitter feed.

Departing Employee Taking Data from “Restricted” but Unsecured Folder Doesn’t Violate CFAA

TAKEAWAYS: If your company intends to limit its employees’ access to certain information on the company network, (1) make sure appropriate technological restrictions are in place and are working, and (2) make sure there are appropriate policies or other documentation in place to show the employees subjectively knew the information was off limits.

When an employer intends to keep a network folder restricted from employees, but fails to (1) objectively communicate this intention or (2) secure the folder from general access, an employee who accesses the folder and takes data from it does not violate the Computer Fraud and Abuse Act (CFAA), even if he does so for an improper purpose.


Court Order Provides CFAA Authorization to Access Computer, Even if Later Overturned

A party who accesses a computer pursuant to a court order authorizing him to seize and access the computer will not be found in violation of the Computer Fraud and Abuse Act if such order is later overturned.

“An essential element of a CFAA claim under 18 U.S.C. § 1030 is that the [defendant] accesses a computer ‘without authorization or exceeds authorized access.’ Hunn v. Dan Wilson Homes, Inc., 789 F.3d 573, 583-84 (5th Cir. 2015) (holding that ‘because [the defendant] did not exceed authorized access, he did not violate the Computer Fraud and Abuse Act’). Here, the state-court turnover orders authorized Shor to access the computers. Even though those orders were ultimately overturned, because Shor had authorization at the time pursuant to a court order to access the computers, Black does not state a claim under the CFAA. See id. (discussing CFAA claim, reasoning that the defendant accessed the computer while still employed at the plaintiff’s company).” Land and Bay Gauging, L.L.C. v. Shor, 2015 WL 4978993 (5th Cir. Aug. 21, 2015).

See earlier post.

Fifth Circuit: Accessing Computer Per Later-Overturned Order Does Not Violate CFAA

In Land and Bay Gauging L.L.C. v. Shor, — Fed. Appx. — (5th Cir. Aug. 21, 2015), the Fifth Circuit recently held that accessing a computer under the authority of a court order that authorizes the access is sufficient to render the access authorized, even if the order is later overturned. An essential element of a Computer Fraud and Abuse Act (CFAA) claim is that the defendant accessed the computer “without authorization” or “exceeds authorized access.” When the access is authorized by a court order at the time of the access, the later overturning of that order does not render the access unauthorized, and there is no violation of the CFAA.

Additionally, the Rooker-Feldman Doctrine does not bar a federal court from ruling on CFAA claims that stem from parties’ actions taken pursuant to a state court order where such claims do not attack the validity of the order itself but instead focus on the parties’ alleged violations of independent legal duties under the CFAA.

Does the CFAA Apply to Lenovo’s SuperFish Malware Lawsuits?

For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA, as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related.

One of the things we talked about was our favorite CFAA opinions, and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tex. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.

I immediately turned to the point that Jon and I discussed, which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either, and hearing people continue to refer to it that way makes me wonder if they also refer to the mail and wire fraud statute as intended to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)

How does this apply to the Lenovo SuperFish Malware?

So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?

Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?

The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.'” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:

Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.

Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed. 

The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).

So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss? 

Hey Jon, by the way, thank you!



Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

Dang! “Loss” of Opportunity to Decide Interesting CFAA Issue, But “Loss” Analysis is Good Too

The plaintiff had an interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement.

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?