Update on the Computer Fraud and Abuse Act
Sam Sneed, March 2017
Copyright 2016 ES&A, Inc. All Rights Reserved Confidential and Proprietary
September 20, 2018
Computer Fraud and Abuse Act
18 U.S.C. § 1030
Brief History
- 1984: Comprehensive Crime Control Act (CCCA). Intended to prevent hacking; protected financial records and government computers.
- 1986: CFAA enacted, amending the CCCA. Criminalized password trafficking, DDoS attacks, malware distribution and similar exploits.
- 2008: Amendments broadened the statute's application.
"Protected Computer"
A computer is "protected" under the statute if it is:
- For the exclusive use of, or used by or for, the US Government
- For the exclusive use of, or used by or for, a financial institution
- Used in or affecting interstate or foreign commerce or communication, which includes computers located outside the US (PATRIOT Act) and any Internet-connected computer
7 Types of Offenses
1. Obtain national security information (§ 1030(a)(1)): transferring or retaining information harmful to the US or useful to a foreign nation.
2. Access a computer and obtain information (§ 1030(a)(2)): misdemeanor if intentional; felony if done for financial gain, in furtherance of an illegal act, or where the value of the information exceeds $5,000.
3. Trespass in a government computer (§ 1030(a)(3)): misdemeanor; applies to private servers hosting US Government accounts.
4. Access to defraud and obtain value (§ 1030(a)(4)): felony only; prosecutors may also charge under the wire fraud statute, which carries higher penalties.
5. Damage a computer or information (§ 1030(a)(5)): knowingly transmitting code or a command with intent to damage; intentionally accessing and recklessly causing damage; or intentionally accessing and causing damage and loss. Felony where the conduct threatens health or safety, causes economic loss of $5,000 or more per person per year, affects 10 or more computers, or affects government systems used for law enforcement or security.
6. Traffic in passwords (§ 1030(a)(6)).
7. Threaten to damage a computer (§ 1030(a)(7)): felony only; requires intent to extort, use of foreign or interstate communication, and a threat of damage or disclosure.
How to violate the CFAA: Insiders vs. Outsiders
- Outsiders act "without authorization."
- Insiders "exceed authorized access."
- Insiders may also act "without authorization" when they breach a duty of loyalty to the party that authorized them.
When does an insider "exceed authorized access"?
Each row pairs the owner/employer's grant of authority with the conduct by which the insider "exceeds" it; the rows run from least to most controversial.
1. ACCESS limited to a specific purpose (e.g., a policy restricting access to official purposes only) -> Accessing the system for a forbidden purpose (e.g., for other than official purposes).
2. USE of data limited to a specific purpose, but ACCESS not similarly limited (e.g., copying data with permission) -> Using the data for a forbidden purpose (e.g., disclosing data in violation of a confidentiality agreement).
3. No express limitations, or the insider acts within the limitations -> Using data in any way contrary to the employer's interests (e.g., the insider breaches a duty of loyalty).
Limits on Authorization
- Technological: authentication (password, biometric ID); physical controls (locks).
- Legal: contract (employment agreement, terms of service/use, acceptable use policy, confidentiality notice); cease and desist letter.
Criminal Penalties (sentence in years, by offense)
- 10 – 20: Obtaining national security information
- 1 – 10: Accessing a computer and obtaining information; trespassing in a government computer
- 5 – 10: Accessing a computer to defraud and obtain value
- 1 – 20: Intentionally damaging by knowing transmission; recklessly damaging by intentional access; negligently causing damage and loss by intentional access; trafficking in passwords; extortion involving computers
Civil Remedies
Types: injunctive relief; equitable relief; compensatory damages.
Restrictions and requirements: statute of limitations of 2 years; no action for negligent design or manufacture.
Civil Remedies – Show Damages
A civil plaintiff must show one of the following:
- Loss of at least $5,000 to an individual within one year
- Modification or impairment of medical treatment
- Threat to public health or safety
- Damage to a US Government computer used in national security, defense, or the administration of justice
- Damage affecting 10 or more protected computers within one year
Controversy
- Criminal penalties for breach of contract? Aaron Swartz and JSTOR ( )
- Reform attempts to exclude TOS/TOU violations ("Aaron's Law," 2013)
- Overbroad or ambiguous?
- Protections under other laws? E.g., the Defend Trade Secrets Act
Recent Cases Interpreting the CFAA
- U.S. v. Nosal: criminal; access to defraud and obtain value
- Facebook, Inc. v. Power Ventures, Inc.: civil
Common question: does circumventing access controls by using another person's login credentials violate the CFAA?
U.S. v. Nosal
- Employer: Korn/Ferry, an executive search firm
- Insiders: David Nosal and other employees
- Access grant: insiders were given access to confidential information through login credentials
- Access revocation: login credentials were revoked upon departure
- Unauthorized access: after departing, Nosal and other former employees accessed the systems using the credentials of an employee accomplice
- Use grant: insiders were allowed to use confidential information for business purposes
- Unauthorized use: information was used for a competing company established by Nosal
- Holding: the CFAA was violated when Nosal and the departing employees accessed Korn/Ferry's systems after their login credentials were revoked. Nosal's misuse of the information alone was not enough to violate the CFAA.
Facebook v. Power Ventures
- Owner: Facebook
- Outsider: Power Ventures
- Access grant: users access Facebook via login credentials; outsiders are required to register and enroll in Facebook Connect
- Access revocation: Facebook sent a cease and desist letter and blocked Power Ventures' IP address
- Unauthorized access: Power Ventures circumvented the access restrictions by requesting access directly through Facebook users, and switched IP addresses to evade the IP block
- Use grant: users are bound by the Terms of Use; outsiders by the Developer Terms of Use
- Unauthorized use: Power Ventures ignored the Developer Terms of Use
- Holding: the CFAA was violated when Power Ventures accessed Facebook after receiving the cease and desist letter. Power Ventures' violation of the Developer Terms of Use alone was not enough to violate the CFAA.
Owner/Employer Takeaways
Using the CFAA
- Broad, with a low threshold for damages
- Ambiguity in "exceeds authorized access": access restrictions vs. use restrictions
- Inconsistent case law
- To be revised? The statute is controversial and old
Best Practices
- Explicit policies and agreements: handbook; acceptable use policy; confidentiality and non-compete agreements
- Explicit revocation of permissions: employee exit processing; reminders of policies and agreements; clear revocation of access to all systems; cease and desist letter