Unauthorized Access: Civil CFAA Legal Risk Strategy...

A tutorial on the definition of a "loss event" is appropriate for those who seek greater understanding of "Operational Risk Management" (ORM).   Specifically when it comes to the civil litigation strategy utilizing the "Computer Fraud and Abuse Act" (CFAA) 18 U.S.C. 1030.

What is a loss?  Easy:  Loss = cost.  "Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service."

So the remedies available are economic damages, loss damage and injunctive relief.  Not exemplary damages or attorneys fees.  Don't let that last one scare you from using CFAA, as an effective deterrent in your arsenal as a General Counsel.  The basic threshold is that the victim incurred a loss during any one year period, of at least $5,000.00.

For the focus of this blog post, we will talk about "Insiders" who exceed authorized access, that is access in a way not entitled.  Typically employees or others in the business supply chain, who may have the use of a password or key to gain access to information only known or available by another employee, such as a supervisor or system administrator.

It is imperative here to state the importance of finding an attorney that truly understands this law, from a civil, not a criminal perspective.  The complaint must provide factual content that the Plaintiff has suffered the type of damage to "data, a program, a system or information."  Think more about business interruption and the expenses related to investigation, remediation and integrity of operations.  An employee who leaves the company and has e-mailed proprietary information of clients or proposals to their personal account, is not what we are talking about here.

What about the employee who decides to damage or destroy organizational records or of their primary area of responsibility, (database of client contacts, meeting notes, reports and proposals) or even those of the entire company.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  Here is just one example:

Tech Systems, Inc. v. Pyles, 2013 WL 4033650 (ED VA Aug. 6, 2013) (4th Cir)
After being terminated, former employee forwarded company emails and deleted company emails from mobile device before returning it to employer because they contained incriminating evidence. Court granted spoliation finding and jury returned verdict for violating Computer Fraud and Abuse Act, among other claims.

This is just a single case of how a single disgruntled employee, decided to proactively get revenge with a former employer, Tech Systems, Inc. of Alexandria, VA, a U.S. defense contractor.  Why organizations do not utilize the tools such as CFAA to find civil remedy, on a more regular basis is the question at hand.

CFAA is designed to be legally effective on a broad scale and for good reason.  It does however, require that someone uses it with the right intent and legal purpose.  We predict that more civil cases will be filed, as General Counsels and attorneys better understand how to effectively utilize it, in combination with other laws associated with Intellectual Property Theft.  As judges and more cases are tried, the momentum will pick up.  So what?

Booz Allen Hamilton v. Snowden.  Not yet?  Just a Violation of a "Code of Ethics" and fired?  Not likely.

The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. 

One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization. 

The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.

 United States of America v. Edward J. Snowden.  Filed under seal June 14th, 2013. Offenses include 18 U.S.C. 641, Theft of Government Property.  18 U.S.C. 793(d), Unauthorized Communication of National Defense Information.  18 U.S.C. 7989a)(3), Willful Communication of Classified Communications Intelligence to an Unauthorized Person.

Civil CFAA Legal Risk Strategy can be utilized in many cases where the magnitude of the loss and the economic exposure to a U.S. government contractor, is not on the radar of the U.S. Attorney.  Keep it in mind...

eDiscovery Risk: The Marketing of Privacy...

Operational Risk Management (ORM) professionals from London to Paris, Berlin to Brasilia and Silicon Valley to Washington, DC are quietly smiling these days.  It is ironic, that now privacy is the new vogue marketing strategy.  After so many years of trying to explain to executives the risks that exist around confidentiality, integrity and assurance of data--now a rogue U.S. citizen charged with espionage, finally has convinced some senior business executives of the value of marketing increased privacy of their technology products and services.  Chris Strohm explains:

While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key. 

The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.

Mitigating the risks of being hacked by a group of criminals stealing personal identifiable information from consumers on a transnational basis has not motivated these same executives to move towards investing in more effective data and information assurance strategies.  Yet now that the adversary has been described by the mainstream media as the U.S. Government, industry executives have started to listen.  Go figure...

What are the industry executives motivation for now improving the confidentiality, integrity and assurance of customers information?  Improved market share and presence.  The payback will be rapid and those organizations that have been in denial that customers expect and demand more systems and tools to protect their information, are now doing an about face.

As we quickly approach Cyber Monday and the commerce of the Internet is at a peak of annual transaction volume, some servers will be talking to each other on encrypted networks for the first time. All seamless to the end user and consumer, yet not to the adversary.  So who really is the adversary these days; the criminal organizations or the U.S. Government?  The strategists mitigating risks at commercial private organizations unfortunately in many cases, see both in the same category.  This is a real mistake and one that should be evaluated, discussed and agreed upon.

You see, U.S. based companies must have an effective symbiosis with it's legal system and rule of law. What does that mean?  Operational Risk encompasses the risks to the institution from a legal perspective.  That means that the process of processing, storing, archiving and retrieving information is subject to the laws of electronic discovery and forensic evidence.  It means that as an organization, having an effective way to encrypt information to stay ahead of the criminal organizations simultaneously requires that your organization is also adaptive to current legal statutes.  Tomorrow, you may need to identify, decrypt and produce evidence to the U.S. Government or as a result of another legal order.

As organization executives embark on the "new new" trend of marketing privacy to their customers, they should also be working along side the legal staff.  The risk management and information technology professionals should be briefing both corporate executives on the implications of being responsive to their consumers and non-responsive to plaintiff lawyers, or the U.S. Attorney or State Attorney General:

Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. 

A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith, reports the Wall Street Journal(sub. req.).

So this is where the marketeers and the legal staff need to get their heads together.  The privacy vs. government legal requests space is still not widely understood inside corporations let alone the average John Q. Citizen, who has never even heard of eDiscovery:

Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

HSI Governance: Equilibrium of Privacy and Security...

When people are faced with increasing Operational Risk uncertainty in their organization, our inherent DNA makes us gravitate towards avoiding new risk at all costs. What any new bold policy shift requires to succeed for the masses is to face risk squarely in the eye and to manage it effectively. This is exactly how many private sector intelligence organizations have evolved and continue to thrive in a vast universe of "Open Source" and Electronically Stored Information (ESI).

The U.S. government "Homeland Security Intelligence" (HSI) enterprise has the same opportunity to embrace risk and simultaneously manage it more efficiently and effectively. Over the course of the past decade the U.S. Patriot Act has several controversial provisions that have been implemented, tested and refined. Several of these include Sec. 203(b) and (d) that allow information from criminal probes to be shared with intelligence agencies and other parts of the U.S. government. Another is Sec. 206 that allows one wiretap authorization to cover multiple devices, eliminating the need for separate court authorizations for a suspect's cell phone, PC and Blackberry, for example. The civil liberties debate on Sec. 215 known as the "libraries provision" allows access to records such as what books were checked out at the library or purchased from a bookstore, as long as the records are sought "in connection with" a terror investigation.

The governance of information by the private sector may have either accelerated or detained HSI enterprises in terrorism investigations. One example are the policies private sector Internet Service Providers utilize for records management and "Electronically Stored Information" (ESI) readiness. Electronic discovery amendments to the Federal Rules of Civil Procedure (FRCP) have created the requirement for private sector companies to be more prudent in "Achieving a Defensible Standard of Care."

The risk associated with non-compliance of the Federal Rules of Civil Procedure (FRCP) is a major facet of Operational Risk Management. The fusion of the Corporate Governance Strategy Execution comes together with a dedicated internal "Task Force" inside the enterprise. Comprised of the General Counsel, CIO, CISO and VP of Human Resources, this team provides the mechanism for effective policy implementation and operations accountability. The mission is to carry out the fiduciary duty to create a culture of legal compliance within the organization.

The evidence obtained for Homeland Security Intelligence (HSI) investigations may only be as accessible and obtainable as the effectiveness of a private sector companies ESI policies. How often do they purge their e-mail from databases? How much data storage does the enterprise allow for each person's mailbox? Are there people circumventing the information governance policies in the private or public workplace in order to get their daily business accomplished?

The collection of information for HSI has a parallel path with the collection of evidence and it must be done according to the civil liberties and privacy laws of the United States. It is this balance and equilibrium between the governance of information and the legality of obtaining it for the purpose of a terrorism related investigation that brings us to a potential digital paradox.

Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.

In Joshua Cooper Ramo's book "The Age of the Unthinkable","Why the New World Disorder Constantly Surprises Us and What We Can Do About It" the author discusses the concept of Deep Security. His analogy of how to think about "Deep Security" is the biological immune system. "A reactive instinct for identifying dangers, adapting to deal with them, and then moving to control and contain the risk they present."

The key word in Ramo's writing is "Adapt". Being Adaptive. However, prior to this there are two other very vital words that we feel are even more imperative. Instinct. Identifying. In other words, Proactive Intuition.

Ask any savvy law enforcement investigator or intelligence analyst on how she solved the case and you may hear just that, "I had a hunch." Talk with a Chief Privacy Officer in any Global 500 company and you might get them to admit they have a sense that their organization will be the target of a data breach incident in the coming year or two. The complexity of IT systems, data networks and the hundreds of laptops circling the globe with company executives is enough to predict that a major breach will occur.

Being adaptive and having proactive intuition in the modern Homeland Security Intelligence enterprise or private sector company does not come natural. You have to work at it and it requires a substantial investment in time and resources to make it work effectively. Once you realize that all of the legal controls, technology and physical security are not going to keep you out of harms way, you are well on your way to reaching the clairvoyance of "The Age of the Unthinkable."

Privacy 3.0: The Genesis of EarthCom...

Information classification in the private sector is gaining traction again as the nature of sensitive national security leaks are published in the popular press.  Data breach laws and cyber legislation is a daily discussion on Capitol Hill.  CISOs and CSOs even at the Washington Post are in "Incident Response Mode" after a successful phishing exploit by the Syrian Electronic Army.  These Operational Risk Management (ORM) challenges are not only on the rise because of the amount of information that is exchanged each day in an era of the "Internet of Things"; these risks are now front and center as "Privacy 3.0" evolves in the Cloud.

Andrew Serwin of The Lares Institute puts it all in context:

The question confronting modern-day privacy scholars is this: Can a common law based theory adequately address the shifting societal norms and rapid technological changes of today’s Web 2.0 world where legislatures and government agencies, not courts, are more proactive on privacy protections?

As private sector companies produce the technology solutions to accomodate the exponential expansion of our global ICT ecosystem, we must acknowledge the genesis of it's origin.  Human beings.  The products, systems, software and patents are the result of inventions by mankind.  Yet there is evidence that the evolution of ICT, whether it be in hardware, software or the data itself has similarity to biological evolution.  For decades scientists have studied the similarity of the ecosystems of information to the biology of immune systems.  These same smart and bold people have written books, journals and peer tested papers on the subject of transformational systems thinking.  Growth and change in the digital universe follows a biological path found in nature.

The organizational growth cycles are:

• Forming = entrepreneurship
• Norming = production
• Integrating = diversification

This cycle of growth has many labels, yet systems and organizational experts will say that the integrating phase of growth will encounter a bifurcation point, where it is necessary for the system to again innovate and form something new.  To adapt to its new environment.  If the system does not break away and create a new forming stage of the growth cycle, it will eventually perish.  This is why organizational change experts invented such innovations as the "Skunk Works" or why a private sector company breaks off a business unit and creates a whole new company.

Privacy 3.0 is now four years old.  Are we now at the bifurcation stage of the societal information growth cycle and the speed of business is leaving existing government rule of law in the rear view mirror?  Andy Serwin from his 2009 paper said:

Given the changes in society, as well as the enforcement mechanisms that exist today, particularly given the FTC's new focus on “unfairness,” and the well-recognized need to balance regulation and innovation, a different theoretical construct must be created--one that cannot be based upon precluding information sharing via common law methods. Instead, the overarching principle of privacy of today should not be the right to be let alone, but rather the principle of proportionality. This is Privacy 3.0.

As information flows through the manmade veins of supersonic light or invisible waves of zeros and ones around our planet, we are approaching a "Breakpoint."  A place in time, where the system will need to bifurcate in order to survive.  The system of privacy proportionality in government circles has been four levels of classification:

• Restricted = For Official Use Only (FOUO)
• Confidential
• Secret
• Top Secret (TS)

In the years ahead, as you hold your IP Phone (iPhone) to update Twitter, Foursquare, Facebook or WordPress App, you are behaving in the Privacy 3.0 ecosystem.  While you are at work in the public or private sector using Google Business Apps in the cloud, your behavior and your words including personal data such as your semantics or GPS coordinates, are entering one of four levels of sensitivity.

In order to make the leap to our next systemic "Breakpoint", we will need to design in proportional privacy to our Operational Risk Framework.  Without it, the system will decay and ultimately cease to exist.  Is privacy an after thought in your organization?  What information governance education takes place on a continuous basis?  How do you monitor and measure?  Have you tagged the information into four levels of sensitivity?  These are just a few of the questions that the Privacy 3.0 enterprise is encountering, at the genesis of an ICT "EarthCom."

Reputation Risk: Organizational Stewardship Revisited...

Reputation risk is becoming more of a topic of discussion these days. The loss of reputation results in several outcomes both economic and personal. The fact is that most of the time organizations are "Reacting" to a crisis, news leak or some other corporate failure.

You don't have to name names of people or companies to understand the impact that reputation has on the success or demise of an organization. What has to change to lower the severity and likelihood of loss events associated with "Reputation"?

First you have to ask yourself a couple of key questions:

1. What is your reputation worth?
2. Are you being Proactive or Reactive in managing and safeguarding your reputation?

The PR and marketing communications processes in your organization may have certain facets of the solution to better reputation risk management. However, these processes are designed with out the consciousness of proactive threat anticipation, detection, prevention and remediation.

What has become more clear to executives in proactive oriented companies is the requirement for a specific and strategic approach to Reputation Risk Management. This approach encompasses an emerging theme from the early nineties pioneered by author Peter Block. We call it Organizational Stewardship.

Organizational Stewardship as a core guiding principle is the cornerstone in managing an institutional reputation risk management process. It has three components that support this rekindled idea of applying the concepts of stewardship to the organization:

• Economic Accountability
• Information Management
• Business Integrity

Reputation Risk Management is about the proactive monitoring and management of a portfolio of threats in the organization. Several categories include:

1. Intellectual Property and Information Assets
2. Demonstrations, planned boycotts and social activism
3. Physical infrastructure including employees and suppliers
4. Legal threats including class actions, insider trading or whistle-blowers

Microsoft closed its free Internet chat rooms in 28 countries many years ago because of threats from pedophiles and junk e-mailers. This is an example of proactive reputation risk management. Unfortunately, this has opened the door to another related threat of hackers hijacking other Social Media accounts.

Organizational Stewardship is a guiding principle. Once it is embedded into the organization it begins to permeate the mindsets of the individuals who are responsible for the conscious reputation risk management processes. Over time, these individuals help influence the corporate mindset, philosophy and ethics to a new found level.

Someday soon the executives in the board room will realize that managing reputation is not about keeping secrets and fighting fires. They will realize that they need to find a proactive, preventive and relevant strategy for achieving Organizational Stewardship in their company.

ID Analytics: Risk of the Unknown...

Operational Risk Management (ORM) has been at the top of the news in the past few weeks.  Digital media and the metadata of "Big Data" is the topic of choice.  It is a revealing look behind the curtain of what is possible these days, with the tools and capabilities that exist for exploitation and analysis.  Is too much privacy an operational risk to your personal and professional well being?

In the spirit of full disclosure, if you are reading this now, we tracked how you found this blog and perhaps what search terms you used to be referred here.  Some of you, revealed their company identity.  So why do we do this?  The main reason is that we want to make sure that we understand what is on your mind these days, when it comes to the global Operational Risk Management (ORM) universe.  Here are a few examples in the past day or so that caught our eye:

• management of operational risk - Latvia
• operational risk management - Nigeria, Illinois, South Dakota, The Vanguard Group
• common board of directors mistakes - Turkey
• lessons learning from fail in operational risk - Malaysia
• predictive intelligence - North America
• rogue trader operational risk - United Kingdom
• fund industry operation management discussion topic - Luxembourg
• operational risk management game - Unknown
• reputation risk management process - Unknown
• operational risks in bank call center - Qatar
• coso definition of operational risk - Unknown
• black swan incident that occurs once in a lifetime - Unknown
• ubs operational risk case analysis - Unknown
• business resiliency definition - JP Morgan Chase
• "operational risk" outliers - France
• a risk effect on a daily operation - DeVry
• examples of smart objectives risk - United Kingdom
• black swan incident\ - South Carolina
• black swan incident - Computer Sciences Corporation
• what is a black swan incident - South Carolina
• duty of care board of directors - United Kingdom

Collection of data is one thing.  Relevance and sense-making is another.  Can you imagine some of the search terms that are tracked just by Google or Bing?

What about the companies that know us the best?  Those marketing and personal data sites that keep track of where you live, how much you spend on your credit cards and where, or even the name of your pets.  How often do you give them your phone number or e-mail address at the point-of-sale (POS) to get a discount at the local retailer, gas station or pharmacy?  Believe us when we say that there are hundreds of organizations that know more about you in the private sector than some government across the world.

The trail of "digital finger prints" you leave behind everyday are vast.  A snap shot of your face at the local ATM or a snap shot of your desktop when you login to the online banking web site.  In either case, these examples are just a few of the ways that your habits, locations, preferences and lifestyle are profiled each and every day.  Where did all of this begin?  Fraud Management.  Not Homeland Security.

As a citizen traveling across the country or a consumer, you willingly give up these digital bread crumbs of your journey through life.  Your goal now, is to make sure that you are not mistaken for someone else.  After all, you or your organization have developed a profile and a reputation that is being recorded and therefore, it could be a prudent strategy to make sure that you are not mixed up with another person or organization with the same name or brand identity.

How can you do this?  Operational Risk Management (ORM) is about monitoring yourself and your organization to make sure you understand your competition (good or bad) for the same personal or business identity space.  Do you have Biometric and DNA samples of all of your key executives?  If you don't, then the question is why not?  You may have considered this in light of some of the places that your executives are traveling.  Cities and countries across the globe with the risk of kidnapping, improvised explosive devices (IED) and other risks to their lives.

As we look into the crystal ball of our digital futures, we see the scenes from movies past that have already captured our own human imagination.  A world where everyone is known and you may even choose to "opt-in" to be tracked.  After all, you are unique.  You make your own choices in life.  The risks that you face may very well be greater, for those who choose a life to remain private, anonymous and even unknown.

Legal Risk: Over-The-Horizon Digital Radar...

Operational Risk Management is a primary responsibility with an organizations General Counsel. Why?

"The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities."

So if you are a General Counsel or the Chief Legal Officer, your radar is consistently tuned to the "Over -The-Horizon" (OTH) risks that may impact your company, right?  The fact is that managing risk from the General Counsels office may be significantly different than what managing risk means from the CIOs office.

Loss events associated with peoples workplace behavior are many times treated differently than those events associated with a computer "intrusion" or a data breach, that was also caused by human behavior.  The law is a battleground that continues to keep an entire industry busy with offensive and defensive activities and the transfer of risks from one party to another.

What is the legal risk difference between the diversion of company funds to pay bribes in a foreign country and the theft of company trade secrets?  You see, the laws associated with these loss events have different statutes, penalties and legal risk:

On December 17, 2012, Germany-based insurance and asset management company Allianz SE paid more than $12.4 million to settle with the SEC over violations of the books and records and internal control provisions of the FCPA. The activity in question concerned improper payments to government officials in Indonesia. Following common FCPA procedure, Allianz did not deny or admit the SEC’s inquiry. The company disgorged $5.3 million in profits, paid a penalty of $5.3 million, with $1.8 million in prejudgment interest. 

The SEC stated that it uncovered 295 insurance contracts on government projects that were obtained or kept by improper payments totaling $650,626. The payments were made by Allianz’s Indonesian subsidiary. 

The conduct occurred from 2001 to 2008, at which time Allianz was considered an “issuer” under the FCPA because of its activity on the New York Stock Exchange. Even though it was not listed on the exchange, the presence of its bonds and shares on the market made it an issuer and subjecting it to the jurisdiction of the FCPA. The investigation was initiated internally using outside counsel after a whistleblower complaint in 2009.

On December 28, 2012, President Obama signed the Theft of Trade Secrets Clarification Act. S. 3642 (112th). The Clarification Act is a direct response to the Second Circuit’s decision in U.S. v. Aleynikov, 676 F.3d 71 (2nd Cir. 2012). (See details below.) In Aleynikov, the Second Circuit overturned a criminal conviction under the Economic Espionage Act 18 U.S.C. § 1831, et seq., after the court determined that the stolen source code was only used internally for a high-frequency trading system and was not “related to or included in a product that is produced for or placed in interstate or foreign commerce.” The Clarification Act expands Section 1832(a) to cover internal trade secrets “related to a product or service used in or intended for use in” commerce. In addition to the source code at issue in Aleynikov, this expansion could include internal processes of doing business or gathering information that may not qualify for traditional patent protection. More broadly, the quick reaction shows the importance that Congress attaches to this area of the law and puts individuals and companies on notice that increased indictments may occur down the line.

The ethics, compliance and legal components of Operational Risk Management comes down to "Achieving a Defensible Standard of Care" in your organization.  The risk exposures that face your organization will also occur from a more immediate impact, due to a loss of reputation and potential loss of market value.  On all fronts, the stakes remain high.

The modern day legal enterprise is still reactive and slow to respond to the changing environment around it.  The daily battle with legal risk is slow, compared with other risk management fronts within the institution.  The speed of response and the focus on preventive, preemptive or proactive actions is what sets apart the mental states of all of your security risk professionals.  Some people have seconds or minutes to decide and act, others have the luxury of days, months and years.

Unfortunately, for most the costs associated with legal risk are high, no matter who prevails in an incident or case. This fact alone, is why the introduction of a new generation of automated tools and the memory of computer-based evidence is so important.  Decision Advantage.  The law and the law industry is quickly playing catch up.  Practitioners from the technology and legal industry are now even more integrated, while the courts interpret the implications of their rulings on an accelerating mobile digital global society.

You and your team have a tremendous amount of new knowledge to gain, or your enterprise will be consumed by the volume of new Operational Risks unfolding before it.  How complex could this be?

From 'WarGames' to Aaron Swartz: How U.S. anti-hacking law went astray

The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.