Blogs

GUEST BLOG: How Will the Proposed Laws Help Fight Cybercrime?

04.03.15

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski.

Nick Akerman3 Nick Page3

New Tools for Companies Against Cybercrime

 

On January 2015, the Obama administration announced a series of proposals to strength­en the country's response to cyberattacks­ including, most notably, specific amendments to the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). These changes are not only significant to the cyber­ crime-fighting efforts of federal prosecutors, but also to private companies. This is because the CFAA allows compa­nies victimized by violations of the statute to bring civil actions against the perpetrators. 18 U.S.C. 1030(g). The CFAA, among other things, makes it a crime when an individual "accesses" a computer "without authorization or exceeds authorized access" to steal data.

"Without authorization" typically relates to an outside hacker, whereas "exceeds authorized access" typically relates to a company insid­er, like any employee who has authority to access the company computer but exceeds that authorized access. There is a split among the circuit courts of appeals over whether employees who access company computers to steal data exceed their authorized access. The Fourth Circuit (fol­lowing the Ninth Circuit), for example, in WEC Carolina Energy Solutions v. Miller, nar­rowly interpreted "exceeds authorized access" not to apply to employees who are "authorized to access a computer when his employer approves or sanctions his admission to that computer." In contrast, the Seventh Circuit in International Airport Ctrs. v. Citrinapplied the CFAA to an employee who accessed the company computer for the purpose of "further[ing] interests that are adverse to his employer," i.e. stealing company data to take to a competitor. The Fifth and Eleventh cir­cuits follow this interpretation.

The administration's proposal would set­tle this split in the circuits in favor of apply­ing the CFAA to employees by redefining "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in such computer (A) that the accesser is not entitled to obtain or alter; or (B) for a purpose that the accesser knows is not authorized by the computer owner." Thus, the proposed law would cover employees who steal data from company com­puters and would incentivize employers to institute written policies and employee agreements delineating precisely the scope of permissible authorization to the company computers.

VALUING DAMAGE

From the standpoint of private employers, another significant change would be the addi­tion of a requirement that "the value of the information obtained [by an insider employee accessing the computer] exceeds $5,000." This requirement would be in addition to the juris­dictional prerequisite for CFAA civil actions that require the plaintiff to allege and prove $5,000 in "loss," a term defined by the statute to include costs of "responding to any offense" and "conse­quential damages incurred because of interrup­tion of service." The $5,000 minimum would not constrain criminal prosecutions directed at a computer "owned or operated by or on behalf of a government entity." Thus, a case like United States v. Teague, in which the defendant was criminally prosecuted for viewing (not copying or taking) President Barack Obama's record in the National Student Loan Data System, would still be a viable prosecution.

The value of the stolen data would not be a critical factor for private companies under the proposed amendments if the violation "was committed in furtherance of any felony violation of the laws of the United States or of any state." Thus, if an employee steals his employer's trade-secrets data in violation of the Economic Espionage Act, 18 U.S.C. 1831, there would be no burden on the employer to show that the value of the trade secrets exceeded $5,000. Because the Economic Espionage Act does not provide for a civil cause of action, this would be a significant expansion in federal law that would supplant the state trade-secrets laws.

Setting limits on insider data thefts to a min­imum value of $5,000 and felony violations directly addresses the concerns expressed by the Ninth Circuit in United States v. Nosal that the CFAA could be interpreted "to criminalize any unauthorized use of information obtained from a computer." Also, the proposed changes in the law would address the additional con­cern of the Nosal court that the CFAA could "make criminals of large groups of people who would have little reason to suspect they are committing a federal crime." Thus, the Obama proposal adds the requirement of willfulness to the statute, defining it to mean "intentionally to undertake an act that the person knows to be wrongful."

With respect to trafficking in passwords, the proposed law would limit the crime to instanc­es where the violator knew or had reason "to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section [the CFAA] as the result of such trafficking." With an eye to changing technologies, the proposed statute also would expand on passwords to include "any other means of access" to a computer.

Finally, the proposed amendments would strengthen law enforcement by increasing penalties for CFAA violations, provide injunctive relief and forfeitures and make felony violations of the CFAA predicate acts for the Racketeer Influenced and Corrupt Organizations statute, 18 U.S.C. 1961. This proposed amendment to RICO is long overdue. RICO was enacted in 1970, years before the advent of the information age in which computers have become ubiquitous and the targets and instruments of criminals. Because RICO, like the CFAA, provides victims with a civil remedy, this proposed amendment would similarly enhance the ability of companies to fight cybercriminals.

The publications contained in this site do not constitute legal advice. Legal advice can only be given with knowledge of the client's specific facts. By putting these publications on our website we do not intend to create a lawyer-client relationship with the user. Materials may not reflect the most current legal developments, verdicts or settlements. This information should in no way be taken as an indication of future results.

Search Tips:

You may use the wildcard symbol (*) as a root expander.  A search for "anti*" will find not only "anti", but also "anti-trust", "antique", etc.

Entering two terms together in a search field will behave as though an "OR" is being used.  For example, entering "Antique Motorcars" as a Client Name search will find results with either word in the Client Name.

Operators

AND and OR may be used in a search.  Note: they must be capitalized, e.g., "Project AND Finance." 

The + and - sign operators may be used.  The + sign indicates that the term immediately following is required, while the - sign indicates to omit results that contain that term. E.g., "+real -estate" says results must have "real" but not "estate".

To perform an exact phrase search, surround your search phrase with quotation marks.  For example, "Project Finance".

Searches are not case sensitive.

back to top