

CUTTING EDGE LEGAL ISSUES RELATING TO MOBILE DEVICES

Cutting Edge Legal Issues

Relating To Mobile Devices

Nick Akerman

Dorsey & Whitney LLP

[email protected]

www.computerfraud.us

212-415-9217


Companies can mitigate their “risk” by re-evaluating 7 areas of their business

• Hiring Practices

• Company Rules

• Appropriate Agreements

• Use of Technology

• Termination Practices

• Protocols for Response

• Company Compliance Program


HIRING PRACTICES


The Hiring Process

• Honor Prior Employment Agreements

• Explain Company Obligations

– Company Policy

– Employment Agreements

• Criminal Exposure for the Company


COMPANY RULES


The Computer Fraud and Abuse Act


Overview of the Federal Computer Crime Statute

• The statute and its scope

• Legal requirements

• How the courts have interpreted the statute

• Current issues in play regarding employees

• Proactive steps a company can take to be able to use the statute to protect its data


Computer Fraud and Abuse Act

• Title 18 U.S.C. § 1030 – Enacted in 1984

• Federal computer crime statute including data theft

• Civil remedy in 1994 amendment

• Computers used in interstate commerce

• Amended in 2001 and 2008

• Computers in foreign countries

• Provides for damages and injunction


Various Causes of Action

• Stealing valuable computer data

• Schemes to defraud

• Trafficking in a computer password or similar information with intent to defraud

• Damaging computer data

• Hacking

• Extortion

• Sending computer viruses


Legal Requirements

• Protected computer

• Lack of authorization or exceeding authorization to access computer

• Theft of information or anything of value

• Damage to data permanent

• $5,000 loss

• Limited to economic damages

• Compensatory damages

• Two-year statute of limitations


The $5,000 Jurisdictional Limit

Loss during any 1 year period aggregating at least $5,000

“Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11).


Responding to an Offense

• Conducting a damage assessment

• Restoring computer system to its condition prior to the offense

• U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000) – Investigating and repairing damage

• Lost Revenue to the business caused by employee responding to offense

• Use of outside investigator to determine whether computer compromised


Lost Revenue, Costs or Damages Incurred Because of Loss of Service

• Must be interruption of service

• Nexans Wires S.A. v. Sark-USA Inc., 166 Fed. Appx. 559 (2d Cir. 2006)

– Plaintiff claimed theft of confidential information caused it to lose at least $10 million in profits

– Does not apply to loss of profits from theft of data


Key Issue is an Unauthorized Access

Section 1030(a)(2)(C) - “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer [commits a crime]”


Ways to Establish Lack of Authorization

• Hacking by outsider who breaks into computer

• Violating company policies and rules

• Exceeding expected norms of intended use

• Employee terminating agency relationship with employer by disloyal conduct

• Accessing for non-business purpose


International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)

• Employee destroyed data on company laptop

• Authorization based on law of agency

• Authorization terminates with disloyal act

• Judge Posner found that authorization terminated when employee “resolved to destroy files that incriminated himself and other files that were also the property of his employer.”


U.S. v. Tolliver, 2011 WL 4090472 (3rd Cir. 2011)

• Regina Tolliver, a former bank teller for Citizen’s Bank, provided customer account information to check runners who cashed fraudulent checks

• Employee policies not at issue

• Court found there was sufficient evidence to convict Tolliver of the CFAA violation because she exceeded her authorized access to the bank computers because she did not have a business purpose to access the customers’ accounts


U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)

• Court affirmed the CFAA conviction of a Social Security Administration employee

• Accessed Social Security information for personal reasons

• Violated Agency’s policy against “obtaining Information from its databases without a business reason.”


EF Cultural Travel v. Explorica, 274 F.3d 577 (1st Cir. 2001)

• Ex-employees set up competing student travel company

• Information was accessed through public website

• Robot created with confidential information

• Used robot to download pricing data

• First Circuit upheld injunction based on confidentiality agreement

• Authorization established by contract

• Pricing data was valuable


Authorization as Defined by Company Policies

• First Circuit: the CFAA “is primarily a statute imposing limits on access and enhancing control by information providers”

• Companies can set predicate for CFAA violation

• Rules on limiting authorized access

• Agreements can set limits

• Similar to criminal trespass


U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)

• Employees cannot access without authorization since they are authorized to access the company computers

• CFAA does not extend to violations of use restrictions but is limited to circumvention of technological barriers

• Concern over criminalizing common violations of terms of use and rules

• Followed: WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (2012)


Company Rules

• Employee Handbook

• Compliance Code of Conduct

• Terms of Use on company Web site

• Place in Agreements

• Training


Doe v. Dartmouth Hitchcock Medical Center, 2001 WL 873063 (D.N.H. July 19, 2001)

• Hospital’s Graduate Training Manual prohibited intern from accessing patient records absent need to know

• Hospital and resident sued

• Court dismissed hospital holding that it had been victimized by its “own policies” and that it would be inconsistent with the purpose of the CFAA to find the hospital vicariously liable for resident’s actions


APPROPRIATE AGREEMENTS


Agreements

• Officers/Employees/Third Parties

• Among related companies

• Confidentiality/Non-Disclosure

• Agreement to search personal computers

• Permissions re scope of access

• Post employment restrictive covenants

• Anti-Raiding Covenants


Working with Vendors

• Warranty and representation on compliance

• Indemnification

• Certification of compliance with EU Safe Harbor Framework

• Adequate insurance coverage

• General due diligence


Terms of Use

• Require users to provide accurate registration information

• Limit use of account to registered user at one computer at a time

• Prohibit use of web crawlers, robots and similar devices

• Post acceptable use guidelines that prohibit abuse, harassment and similar conduct

• Specify limitations on use of materials obtained (e.g., no commercial use)


PROTOCOLS FOR RESPONSE


City of Ontario, Ca. v. Quon (S.Ct. 2010)

• Police officers texted messages on City pagers

• Quon exceeded character limit and reimbursed the City rather than be audited

• City’s computer policy stated email and Internet usage would be monitored

• Supervisor’s statements negated policy by making audits of the texts unnecessary if officers paid for the overages

• A later audit to determine if limit on texts was too low found Quon had texted sexually explicit messages and was disciplined

• Texts in one month reflected 57 work related messages out of 456


City of Ontario, Ca. v. Quon (S.Ct. 2010)

• 9th Circuit held there was no reasonable expectation of privacy based on employer’s “operational realities” and the search was unreasonable

• Supreme Court reversed holding that on the facts the search was reasonable despite expectation of privacy

• Search was justified by noninvestigatory work-related purpose of determining whether the character limit was sufficient to meet the City’s needs

• Highlights importance of employer’s policies on reasonable expectation of privacy and other technology-related policies, and the need for enforcing those policies


Riley v. California

• Supreme Court held that the police must obtain a search warrant to review a cellphone

• “a cell phone search would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form – unless the phone is.”

• Access to cloud storage


Pietrylo v. Hillstone Restaurant Group (D.N.J. 2009)

• Restaurant employees created an invitation-only Myspace group where employees could vent

• Management found out about it, asked for the password, viewed the page and fired two employees

• Employer found liable for violation of the Stored Communications Act


Using Technology to Capture Evidence

• Audit trail

• Email Retention

• Imaging computers

• Forensic review


USE OF TECHNOLOGY


Use of Technology

• Risks re transportable media

• Password protection is simplest

• Two step verification

• Access based on need to know

• Encryption


TERMINATION PRACTICES


The Termination Process

• Employees must return all company property

• Standard Exit Interview Form

• Explain post employment obligations

• Retain evidence


COMPANY COMPLIANCE PROGRAM


Compliance

• New York Stock Exchange listed company compliance program must protect confidential information that “might be of use to competitors, or harmful to the company or its customers, if disclosed.”

• Effective as of October 31, 2004

• Part of Compliance standards and procedures

• Annual CEO certification

• Massachusetts

• Cover competitively sensitive data and personal data


State Data Compliance Statutes

• Nevada – personal information must be encrypted when it is transferred – effective October 1, 2008

• Connecticut – businesses must “safeguard the data, computer files and documents containing the information from misuse by third parties.” – effective October 1, 2008

• Massachusetts Data Compliance rules effective March 1, 2010

– Applies to a business located anywhere that stores or maintains personal information about a Massachusetts resident

– Mandates a compliance program consistent with the Federal Sentencing Guidelines

• Washington State – personal information encrypted effective July 1, 2010


Massachusetts – Administrative, Technical and Physical Safeguards

• Develop Security Policies that are enforced through encryption

• Appoint Security Coordinator

• Minimize risks from third parties by terminating access of former employees and ensuring compliance by vendors

• Train the workforce on importance of personal information security

• Conduct regular audits at least annually

• Enforce the policies through disciplinary measures and document responsive actions

• Respond to incidents, encouraging employees to report violations


Nick Akerman

Dorsey & Whitney LLP

[email protected]

212-415-9217

For On-going Updates Go to

http://computerfraud.us