1. FRAUD 2.0
Helping Businesses Prepare for
Computer Fraud and
Data Breaches
The Association of Accountants and Financial
Professionals in Business
May 16, 2013
13.
As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
2012 Norton Cybercrime Report
www.brittontuma.com
14.
What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
• all multifarious means which human ingenuity
can devise, and which are resorted to by one
individual to get advantage over another by
false suggestions or suppression of the truth
www.brittontuma.com #fraud20
15.
Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• via wire
18.
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers
and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches
of data security, corporate espionage, privacy
breaches, computer worms, Trojan
horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
19.
Who knows the percentage of
businesses that suffered at least one act
of computer fraud in last year?
90%
(Ponemon Institute Study)
27.
The CFAA says
“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
In plain terms: has a processor or stores data
29.
The Fourth Circuit says
“’That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
- United States v. Kramer
30.
The CFAA applies only to “protected” computers
Protected = connected to the Internet
This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
Any situations where these devices are connected?
35.
CFAA prohibits the access of a protected
computer that is
Without authorization, or
Exceeds authorized access
36.
Where the person accessing
Obtains information
Commits a fraud
Obtains something of value
Transmits damaging information
Causes damage
Traffics in passwords
Commits extortion
37.
Overly simplistic list
Very complex statute
Appears deceptively straightforward
Many pitfalls
“I am the wisest man alive, for I know one thing, and that is that I know nothing.”
- Socrates
38.
Two Most Problematic Issues
“Loss” Requirement
• Confuses lawyers and judges alike
Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
39.
Limited civil remedy
Procedurally complex with many cross-references
“damage” ≠ “damages”
Must have $5,000 “loss” (i.e., cost)
Loss requirement is jurisdictional threshold
40.
What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)
41.
Remedies
Available
• Economic damages
• Loss damage
• Injunctive relief
Not Available
• Exemplary damages
• Attorneys’ fees
42.
Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized
access;
3. Obtained information from any protected
computer; and
4. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
43.
Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized
access;
4. By doing so, furthers the intended fraud and
obtains anything of value; and
5. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
45.
General Access Principles
Access by informational / data use
≠ technician
Must be knowing or intentional access
≠ accidental access
46.
Two Types of Wrongful Access
“without authorization”
• Outsiders
• No rights
• Not defined
• Only requires intent to access, not harm
• Hacker!
“exceeds authorized”
• Insiders
• Some rights
• CFAA defines: access in a way not entitled
• Necessarily requires limits of authorization
• Employees, web users, etc.
47.
When does authorization terminate?
Trilogy of Access Theories
• Agency Theory
• Intended-Use Theory
• Strict Access Theory
48.
Ways to establish limits for Intended-Use
Contractual
• Policies: computer use, employment & manuals
• Website Terms of Service
Technological
• Login and access restrictions
• System warnings
Training and other evidence of notification
Notices of intent to use CFAA
49.
Employment Situations
Most common scenario is employment
• Employee accesses and takes customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history
• Employee accesses their Facebook, Gmail, Chase accounts at work
50.
Family Law Situations
Have you ever logged into your significant other’s email or Facebook
to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
51.
Sharing Website Logins
Have you ever borrowed or shared website login credentials and
passwords for limited access sites (i.e., online accounts)?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials
for paid website was viable CFAA claim
• The key factor here was the conduct was prohibited by the
website’s agreed-to Terms of Service
52.
Misuse of Websites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case – United States v. Drew
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited by TOS
• Creating fake Facebook to research opposing parties
53.
Have you ever heard of?
• Aaron Swartz – information liberator!
• Sandra Teague – Obama’s academic records
• Bradley Manning – released classified info
• Stuxnet – variations for corporate espionage
• Active Defense – fun stuff – call me!
55.
Data Breach
• product of computer fraud
• on the rise
• major risk to virtually all businesses
• PII, PHI, financial data, cardholder data
• disruption and data loss
• claims from data subjects
• fines and penalties from govts, agencies, indust. groups
• impossible to prevent
• plan ahead to reduce harm
58.
Prevention
• Software and Systems Updates
• Remediate Vulnerabilities
• Encrypt, Encrypt, Encrypt
• Data Surveillance & IT Alerts
• Cyber Counterintelligence / Counterespionage
• IT Alerts
59.
Understanding Laws, Rules & Regulations
• No Federal Breach Notification Law (yet)
• 46 States Have Laws
• ≠ Alabama, Kentucky, New Mexico, South Dakota
• Massachusetts is an oddball
• 45 days (FL, OH, VT, WI) otherwise expeditious without
unreasonable delay
• Consumers + State Attorney General
• Agencies (FTC, HHS, OCR, DOL, SEC)
• Industries (FINRA, PCI)
• International
60.
Responding to a Breach – Just Execute the Plan!
• Contact Attorney
• Assemble Response Team
• Contact Forensics
• Contact Vendor for Notification
• Investigate Breach
• Remediate Responsible Vulnerabilities
• Reporting & Notification
• Law Enforcement First
• AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers
63.
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
• knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic
Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
64.
• Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of
computer fraud (sometimes) – evolving!
• Data Breaches – be prepared – it will happen!
• Many other Federal and Texas laws also available
for combating computer fraud
• Cyber Insurance