Update on the Computer Fraud and Abuse Act

Presentation transcript:

Update on the Computer Fraud and Abuse Act Sam Sneed March 2017

Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Brief History
- 1984 Comprehensive Crime Control Act (CCCA): intended to prevent hacking; protected financial records and gov't computers
- 1986 CFAA enacted, amending the CCCA: criminalized password trafficking; criminalized DDoS attacks, malware distribution, and similar exploits
- 2008 amendments broadened its application

"Protected Computer"
- US Government: exclusive use, or use "by or for" the US Gov't
- Financial institution: use "by or for" a financial institution
- "Affects interstate or foreign commerce or communication": includes computers outside the US (PATRIOT Act) and any Internet-connected computer

7 Types of Offenses
1. Obtain national security info: transfer or keep info harmful to the US or useful to a foreign nation
2. Access a computer and obtain info: MISDEMEANOR if intentional; FELONY if for financial gain, in furtherance of an illegal act, or value > $5k
3. Trespass in a gov't computer: applies to private servers with US Gov't accounts
4. Access to defraud and obtain value: FELONY ONLY; prosecutors may also charge under the wire fraud statute (higher penalties)
5. Damage a computer or info: knowingly transmit code/command with intent to damage; intentionally access and recklessly damage; intentionally access and cause damage and loss. MISDEMEANOR; FELONY where health/safety is affected, economic loss ($5k/person/yr), 10+ computers, or gov't systems for law/security
6. Traffic in passwords
7. Threaten to damage a computer: FELONY ONLY; intent to extort + foreign/interstate communication + threat of damage or disclosure

How to violate the CFAA: Insiders vs. Outsiders
- OUTSIDERS act "without authorization"
- INSIDERS "exceed authorized access"
- Insiders may also act "without authorization" when they breach a duty of loyalty to the authorizer

When does an insider "exceed authorized access"? (cases listed from least to most controversial)
- Owner/employer grant: ACCESS limited to a specific purpose (e.g., policy restricting access to official purposes only)
  Insider "exceeds authority": accessing the system for a forbidden purpose (e.g., accessing the system for other than official purposes)
- Owner/employer grant: USE of data limited to a specific purpose, but ACCESS not similarly limited (e.g., copying data with permission)
  Insider "exceeds authority": using data for a forbidden purpose (e.g., disclosing data in violation of a confidentiality agreement)
- Owner/employer grant: no express limitations, or insider acts within limitations
  Insider "exceeds authority": using data in any way contrary to the employer's interests (e.g., insider breaches a duty of loyalty)

Limits on Authorization
- TECHNOLOGICAL: authentication (password, biometric ID); physical controls (locks)
- LEGAL: contract (employment agreement, terms of service/use, acceptable use policy); confidentiality notice; cease and desist

Criminal Penalties (sentence in years, by offense)
- 10 – 20: Obtaining national security information
- 1 – 10: Accessing a computer and obtaining info; Trespassing in a government computer
- 5 – 10: Accessing a computer to defraud and obtain value
- 1 – 20: Intentionally damaging by knowing transmission; Recklessly damaging by intentional access; Negligently causing damage and loss by intentional access; Trafficking in passwords; Extortion involving computers

Civil Remedies
- Types: injunctive relief; equitable relief; compensatory damages
- Restrictions and requirements: statute of limitations – 2 years; no action for negligent design/manufacture

Civil Remedies – Show Damages
- $5,000 loss to an individual within 1 year
- Medical treatment modified/impaired
- Threat to public health or safety
- Damage to a US Gov't computer used in national security, defense, or administration of justice
- 10+ protected computers within 1 year

Controversy
- Criminal penalties for breach of contract? Aaron Swartz and JSTOR (2010-2012); reform attempts to exclude TOS/TOU ("Aaron's Law," 2013)
- Overbroad/ambiguous?
- Protections under other laws? Defend Trade Secrets Act

Recent cases interpreting the CFAA
- U.S. v. Nosal
- Facebook v. Power Ventures

Recent decisions interpreting the CFAA
- U.S. v. Nosal: criminal – access to defraud and obtain value
- Facebook, Inc. v. Power Ventures, Inc.: civil
- Does circumvention of access controls by using another's login credentials violate the CFAA?

US v. Nosal
- EMPLOYER: Korn/Ferry, executive search firm
- INSIDERS: David Nosal and other employees
- ACCESS GRANT: insiders given access to confidential information by grant of login credentials
- ACCESS REVOCATION: login credentials revoked upon departure
- UNAUTHORIZED ACCESS: Nosal and other employees obtained access to systems after departure using the credentials of an employee accomplice
- USE GRANT: insiders allowed to use confidential information for business purposes
- UNAUTHORIZED USE: information used for a competing company established by Nosal
- HOLDING: CFAA violated when Nosal and departing employees accessed Korn/Ferry's systems after their login credentials were revoked; Nosal's misuse of the information alone was not enough to violate the CFAA

Facebook v. Power Ventures
- OWNER: Facebook
- OUTSIDER: Power Ventures
- ACCESS GRANT: users access Facebook via login credentials; outsiders required to register and enroll in Facebook Connect
- ACCESS REVOCATION: Facebook sent a cease and desist letter and blocked Power Ventures' IP address
- UNAUTHORIZED ACCESS: Power Ventures circumvented access restrictions by directly requesting access via Facebook users; Power Ventures switched IP addresses to circumvent the IP block
- USE GRANT: users – Terms of Use; outsiders – Developer Terms of Use
- UNAUTHORIZED USE: Power Ventures ignored the Developer Terms of Use
- HOLDING: CFAA violated when Power Ventures accessed Facebook after receiving the cease and desist letter; Power Ventures' violation of the Developer Terms of Use alone was not enough to violate the CFAA

Owner/Employer takeaways

Using the CFAA
- Broad; low threshold for damages
- Ambiguity – "exceeds authorized access"? Access vs. use restrictions; inconsistent case law
- To be revised? Controversial, old

Best Practices
- Explicit policies and agreements: handbook; acceptable use; confidentiality, non-compete
- Explicit revocation of permissions: employee exit processing; reminders of policies and agreements; clearly revoke access to all systems; cease and desist letter