15 December 2013

Unauthorized Access: Civil CFAA Legal Risk Strategy...

A tutorial on the definition of a "loss event" is appropriate for those who seek a greater understanding of "Operational Risk Management" (ORM), specifically when it comes to civil litigation strategy utilizing the "Computer Fraud and Abuse Act" (CFAA), 18 U.S.C. 1030.

What is a loss?  Easy:  Loss = cost.  "Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service."

So the remedies available are economic damages, loss damage and injunctive relief, not exemplary damages or attorneys' fees.  Don't let that last one scare you away from using CFAA as an effective deterrent in your arsenal as a General Counsel.  The basic threshold is that the victim incurred a loss of at least $5,000.00 during any one-year period.

For the focus of this blog post, we will talk about "Insiders" who exceed authorized access, that is, who access information in a way they are not entitled to.  These are typically employees or others in the business supply chain who may have the use of a password or key to gain access to information known or available only to another employee, such as a supervisor or system administrator.

It is imperative here to state the importance of finding an attorney who truly understands this law from a civil, not a criminal, perspective.  The complaint must provide factual content showing that the Plaintiff has suffered the type of damage to "data, a program, a system or information."  Think more about business interruption and the expenses related to investigation, remediation and integrity of operations.  An employee who leaves the company and has e-mailed proprietary information of clients or proposals to their personal account is not what we are talking about here.

What about the employee who decides to damage or destroy the organizational records of their primary area of responsibility (database of client contacts, meeting notes, reports and proposals), or even those of the entire company?

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.  Here is just one example:

Tech Systems, Inc. v. Pyles, 2013 WL 4033650 (ED VA Aug. 6, 2013) (4th Cir)

After being terminated, former employee forwarded company emails and deleted company emails from mobile device before returning it to employer because they contained incriminating evidence. Court granted spoliation finding and jury returned verdict for violating Computer Fraud and Abuse Act, among other claims.

This is just a single case of how a single disgruntled employee decided to proactively get revenge on a former employer, Tech Systems, Inc. of Alexandria, VA, a U.S. defense contractor.  Why organizations do not utilize tools such as CFAA to find civil remedy on a more regular basis is the question at hand.

CFAA is designed to be legally effective on a broad scale, and for good reason.  It does, however, require that someone uses it with the right intent and legal purpose.  We predict that more civil cases will be filed as General Counsels and attorneys better understand how to effectively utilize it in combination with other laws associated with Intellectual Property Theft.  As more cases are tried before judges, the momentum will pick up.  So what?

Booz Allen Hamilton v. Snowden.  Not yet?  Just a Violation of a "Code of Ethics" and fired?  Not likely.
The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. 
One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization. 
The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.
United States of America v. Edward J. Snowden.  Filed under seal June 14th, 2013.  Offenses include 18 U.S.C. 641, Theft of Government Property; 18 U.S.C. 793(d), Unauthorized Communication of National Defense Information; and 18 U.S.C. 798(a)(3), Willful Communication of Classified Communications Intelligence to an Unauthorized Person.

Civil CFAA Legal Risk Strategy can be utilized in many cases where the magnitude of the loss and the economic exposure to a U.S. government contractor are not on the radar of the U.S. Attorney.  Keep it in mind...