Update on the Computer Fraud and Abuse Act Sam Sneed March 2017

Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Computer Fraud and Abuse Act 18 U.S.C. § 1030 Computer Fraud and Abuse Act Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

1984 Comprehensive Crime Control Act (CCCA) Brief History 1984 Comprehensive Crime Control Act (CCCA) Intended to prevent hacking Protect financial records and gov’t computers 1986 CFAA enacted, amended CCCA Criminalized password trafficking Criminalized DDOS attacks, malware distribution, similar exploits 2008 amendments broadened application Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Financial Institution “Protected Computer” Exclusive use Use “by or for” US Gov’t US Government Use “by or for” financial institution Financial Institution “Affects interstate or foreign commerce or communication” Includes computers outside US (PATRIOT ACT) Internet connected Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

7 Types of Offenses Obtain national security info MISDEMEANOR Knowingly transmit code/ command + intend to damage Intentionally access + recklessly damage Intentionally access + cause damage and loss Transfer or keep info harmful to US or useful to foreign nation Applies to private servers w/ US Gov’t accounts Obtain national security info Access computer and obtain info Trespass in a gov’t computer Access to defraud & obtain value Damage a computer or info Traffic in passwords Threaten to damage computer MISDEMEANOR Intentional FELONY For $ gain Furthering illegal act Value >$5k FELONY ONLY Prosecutors may also charge under wire fraud statute (higher penalties) FELONY Health/ safety Economic loss ($5k/person/yr) 10+ computers Gov’t systems for law/ security FELONY ONLY Intent to extort + Foreign/ interstate communication + Threat of damage or disclosure Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

How to violate the CFAA: Insiders vs. Outsiders act “without authorization” INSIDERS “exceed authorized access” Insiders may act “without authorization” when they breach a duty of loyalty to authorizer Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

When does an insider “exceed authorized access”? OWNER/ EMPLOYER GRANT OF AUTHORITY Insider “EXCEEDS AUTHORITY”  More Controversial ACCESS limited to specific purpose E.g. Policy restricting access for official purposes only Accessing system for forbidden purpose E.g. Accessing system for other than official purposes USE of data limited to specific purpose, but ACCESS not similarly limited E.g. Copying data w/ permission Using data for a forbidden purpose E.g. Disclosing data in violation of confidentiality agreement No express limitations, or insider acts within limitations Using data in any way that is contrary to employer’s interests E.g. Insider breaches a duty of loyalty Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Limits on Authorization TECHNOLOGICAL LEGAL Authentication Password Biometric ID Physical controls Locks Contract Employment Agreement Terms of Service/ Use Acceptable Use Policy Confidentiality Notice Cease and Desist Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Criminal Penalties SENTENCE (YEARS) OFFENSE 10 – 20 Obtaining national security information 1 – 10 Accessing a computer and obtaining info Trespassing in a government computer 5 – 10 Accessing a computer to defraud and obtain value 1 – 20 Intentionally damaging by knowing transmission Recklessly damaging by intentional access Negligently causing damage and loss by intentional access Trafficking in passwords Extortion involving computers Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Restrictions and requirements Civil Remedies Types Injunctive relief Equitable relief Compensatory damages Restrictions and requirements Statute of limitations – 2 years No action for negligent design/ manufacture Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Civil Remedies – Show Damages $5000 loss to individual w/in 1 year Medical treatment modified/impaired Threat to public health or safety Damage to US Gov’t computer used in national security, defense, or administration of justice 10+ protected computers w/in 1 year Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Criminal penalties for breach of contract? Controversy Criminal penalties for breach of contract? Aaron Swartz and JSTOR (2010-2012) Reform attempts to exclude TOS/TOU (“Aaron’s Law,” 2013) Overbroad/ ambiguous? Protections under other laws? Defend Trade Secrets Act Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Recent cases Interpreting CFAA U.S. v. Nosal Facebook v. Power Ventures Recent cases Interpreting CFAA Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Recent decisions interpreting CFAA U.S. v. Nosal Criminal – access to defraud and obtain value Facebook, Inc. v. Power Ventures, Inc. Civil Does circumvention of access controls by using another’s login credentials violate the CFAA? Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

US v. Nosal EMPLOYER: Korn/Ferry, executive search firm INSIDERS: David Nosal and other employees ACCESS GRANT Insiders given access to confidential information by grant of login credentials ACCESS REVOCATION Login credentials revoked upon departure UNAUTHORIZED ACCESS Nosal and other employees obtained access to systems after departure using credentials of employee accomplice USE GRANT Insiders allowed to use confidential information for business purposes UNAUTHORIZED USE Information used for competing company established by Nosal HOLDING CFAA violated when Nosal and departing employees accessed Korn/Ferry’s systems after their login credentials were revoked Nosal’s misuse of the information alone was not enough to violate CFAA Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Facebook v. Power Ventures OWNER: Facebook OUTSIDER: Power Ventures ACCESS GRANT Users access Facebook via login credentials; Outsiders required to register and enroll in Facebook Connect ACCESS REVOCATION Facebook sent cease and desist letter and blocked IP address of Power Ventures UNAUTHORIZED ACCESS Power Ventures circumvented access restrictions by directly requesting access via Facebook users Power Ventures switched IP addresses to circumvent IP block USE GRANT Users – Terms of Use Outsiders – Developer Terms of Use UNAUTHORIZED USE Power Ventures ignored Developer Terms of Use HOLDING CFAA violated when Power Ventures accessed Facebook after receiving the Cease and Desist letter Power Ventures’ violation of the Developer Terms of Use alone was not enough to violate CFAA Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

OWNER/ Employer takeaways Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Ambiguity - “exceeds authorized access”? Using the CFAA Broad Low threshold for damages Ambiguity - “exceeds authorized access”? Access vs. use restrictions Inconsistent case law To be revised? Controversial, old Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018

Explicit policies and agreements Best Practices Explicit policies and agreements Handbook Acceptable Use Confidentiality, Non-compete Explicit revocation of permissions Employee exit processing Reminders of policies and agreements Clearly revoke access to all systems Cease and desist letter Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary September 20, 2018