
United States v. Nosal

The Nosal Fact Pattern
Korn/Ferry computer
Confidential information and trade secrets
Authorized access by users logging in with their credentials
Transfer to a competitor with intent to defraud
Does this exceed authorization?

Types of Unauthorized Access
[Diagram. Labels: Access with credentials; Access without credentials; Guessed; Stolen; By user in violation of contract or policy; Vulnerability; Backdoor; Cookie deletion; Norm violation; Explicit, specific notice; No explicit, specific notice]

The Government’s Claim
Korn/Ferry computer
Confidential information and trade secrets
Authorized access by users logging in with their credentials
Transfer to a competitor
This is a crime, in addition to this

[Flowchart. Decision questions (Yes/No), each paired with a subsection:]
Information relevant to national security? 1030(a)(1)
Intentionally & causing damage? 1030(a)(5)(A)
Intent to defraud? 1030(a)(4)
Obtaining information? 1030(a)(2)
Governmental computer? 1030(a)(3)
Recklessly & causing damage? 1030(a)(5)(B)
Causing damage? 1030(a)(5)(C)
A bit more
Without or exceeds authorization
Without authorization: 1030(a)(3)

18 USC 1030(a)(4)
Whoever “[1] knowingly and with intent to defraud, accesses a protected computer [2] without authorization, or exceeds authorized access, and [3] by means of such conduct furthers the intended fraud and obtains anything of value” commits a crime unless “[4] the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
Everything is clearly fulfilled—except the “exceeds authorized access” condition.

The Definition
The meaning of "exceeds authorized access" is: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. 1030(e)(6).
“The government reads ‘so’ to mean ‘in that manner,’ which it claims must refer to use restrictions.”
The claim is that the use restrictions are given in the contract and the notice.

The Consequence
The owner of a computer or network can criminalize accessing a computer by prohibiting certain uses of the information the accesser obtains. The court finds this objectionable.

The Court’s Concern
“... the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, ... such minor dalliances would become federal crimes.”

Types of Unauthorized Access
[Diagram. Labels: Access with credentials; Access without credentials; Guessed; Stolen; By user in violation of contract or policy; Vulnerability; Backdoor; Cookie deletion; Norm violation; Explicit, specific notice; No explicit, specific notice]
Not a crime, but trespass?

A More Borderline Example
Sally runs a free social networking site in which users must register and obtain an account. The Terms of Use agreement allows only one account per user, and prohibits commercial activity. Joe signs up for an account and uses the site to sell his products. In response to complaints about this commercial use, Sally bans Joe’s account. Joe opens a new account with a new name, and he then uses the new account to sell his products. This time, however, Joe acts in ways that keep complaints to a minimum, and Sally is never notified that Joe is back using the site.
A crime? Or just breach of contract?

The Nosal Court’s Objections
“Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government's proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”

The Nosal Court’s Objections
“Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes.”

The Nosal Court’s Objections
“What exactly is a "nonbusiness purpose"? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?”

The Nosal Court’s Objections
“website owners retain the right to change the terms at any time and without notice. Accordingly, behavior that wasn't criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.”