GUEST BLOG: How Will the Proposed Laws Help Fight Cybercrime?

03 April 2015 Internet, IT & e-Discovery Blog Blog
Authors: Peter Vogel

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski.

 

New Tools for Companies Against Cybercrime

 

On January 2015, the Obama administration announced a series of proposals to strength­en the country’s response to cyberattacks­ including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA).  These changes are not only significant to the cyber­ crime-fighting efforts of federal prosecutors, but also to private companies.  This is because the CFAA allows compa­nies victimized by violations of the statute to bring civil actions against the perpetrators.  18 U.S.C. 1030(g).  The CFAA, among other things, makes it a crime when an individual “accesses” a computer “without authorization or exceeds authorized access” to steal data.

“Without authorization” typically relates to an outside hacker, whereas “exceeds authorized access” typically relates to a company insid­er, like any employee who has authority to access the company computer but exceeds that authorized access.  There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access.  The Fourth  Circuit (fol­lowing the  Ninth  Circuit), for  example, in WEC Carolina  Energy  Solutions  v. Miller, nar­rowly interpreted “exceeds authorized  access” not  to apply to employees who are “authorized to access a computer  when his employer approves or sanctions his admission to that computer.”  In contrast, the Seventh Circuit in International Airport Ctrs. v. Citrinapplied the CFAA to an employee who accessed the company computer for the purpose of “further[ing] interests that are adverse to his employer,” i.e. stealing company data to take to a competitor.  The Fifth and Eleventh cir­cuits follow this interpretation.

The administration’s proposal would set­tle this split in the circuits in favor of apply­ing the CFAA to employees by redefining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in such computer (A) that the accesser is not entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner.”  Thus, the proposed law would cover employees who steal data from company com­puters and would incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

VALUING DAMAGE

From the standpoint of private employers, another significant change would be the addi­tion of a requirement that “the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000.”  This requirement would be in addition to the juris­dictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in “loss,” a term defined by the statute to include costs of “responding to any offense” and “conse­quential damages incurred because of interrup­tion of service.”  The $5,000 minimum would not constrain criminal prosecutions directed at a computer “owned or operated by or on behalf of a government entity.”  Thus, a case like United States v. Teague, in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama’s record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation “was committed in furtherance of any felony violation of the laws of the United States or of any state.”  Thus, if an employee steals his employer’s trade-secrets data in violation of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden on the employer to show that the value of the trade secrets exceeded $5,000.  Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a min­imum value of $5,000 and felony violations directly addresses the concerns expressed by the Ninth Circuit in United States v. Nosal that the CFAA could be interpreted “to criminalize any unauthorized use of information obtained from a computer.”  Also, the proposed changes in the law would address the additional con­cern of the Nosal court that the CFAA could “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”  Thus, the Obama proposal adds the requirement of willfulness to the statute, defining it to mean “intentionally to undertake an act that the person knows to be wrongful.”

With respect to trafficking in passwords, the proposed law would limit the crime to instanc­es where the violator knew or had reason “to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking.”  With an eye to changing technologies, the proposed statute also would expand on passwords to include “any other means of access” to a computer.

Finally, the proposed amendments would strengthen law enforcement by increasing penalties for CFAA violations, provide injunctive relief and forfeitures and make felony violations of the CFAA predicate acts for the Racketeer Influenced and Corrupt Organizations statute, 18 U.S.C. 1961.  This proposed amendment to RICO is long overdue.  RICO was enacted in 1970, years before the advent of the information age in which computers have become ubiquitous and the targets and instruments of criminals.  Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance the ability of companies to fight cybercriminals.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Authors

Related Services