What is Fraud 2.0? Computer fraud is the fraud of the century and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law that is available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, describes some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and gives practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0.
This presentation was made to the Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.
Fraud 2.0 - The Laws that Help Businesses Combat Computer Fraud
1. FRAUD 2.0
An Overview of the Laws that Help
Businesses and Individuals Combat
Computer Fraud
Association of Certified
Fraud Examiners
November 8, 2012
6. NON COMPUTER
RELATED FRAUD?
www.brittontuma.com 6
7. As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
2012 Norton Cybercrime Report
8. What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
• all multifarious means which human ingenuity
can devise, and which are resorted to by one
individual to get advantage over another by
false suggestions or suppression of the truth
9. Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• over wire
12. Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers
and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches
of data security, privacy breaches, computer worms,
Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
13. Who knows the percentage of
businesses that suffered at least one act
of computer fraud in last year?
90%
(Ponemon Institute Study)
14. Computer Fraud and Abuse Act
Federal Law – 18 U.S.C § 1030
21. The CFAA says
has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but …”
IMPORTANT! “such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device;”
23. The Fourth Circuit says
“’Just think of the common household items that
include microchips and electronic storage devices, and
thus will satisfy the statutory definition of “computer.”’
“’That category can include coffeemakers, microwave
ovens, watches, telephones, children’s toys, MP3
players, refrigerators, heating and air-conditioning
units, radios, alarm clocks, televisions, and DVD
players, . . . .”
-United States v. Kramer
24. The CFAA applies only to “protected” computers
This may limit the problem of applying it to alarm
clocks, toasters, and coffee makers
Protected = connected to the Internet
Any situations where these devices are connected?
28. CFAA prohibits the access of a protected
computer that is
Without authorization, or
Exceeds authorized access
29. Where the person accessing
Obtains information
Commits a fraud
Obtains something of value
Transmits damaging information
Causes damage
Traffics in passwords
Commits extortion
30. “I am the wisest man alive,
for I know one thing, and that
is that I know nothing.”
-Socrates
Overly simplistic list
Very complex statute
Superficially it appears deceptively straightforward
Many pitfalls
31. Two Most Problematic Issues
“Loss” Requirement
• Confuses lawyers and judges alike
Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
32. Limited civil remedy
Procedurally complex with many cross-
references
“damage” ≠ “damages”
Must have $5,000 “loss”
Loss requirement is jurisdictional threshold
33. What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)
34. What can qualify as a “loss”?
Investigation and response costs
• Forensics analysis and investigation
• Diagnostic measures
• Restoration of system
• Bartered services for investigation / restoration
Value of employees’ time
Attorneys’ fees if leading investigation
35. What is not a “loss”?
Lost revenue (unless interruption of service)
Value of trade secrets
Lost profits
Lost customers
Lost business opportunities
Privacy and Personally Identifiable Information
36. Privacy and Personally Identifiable Information
iTracking
Hacking / data breach
Browser cookies
REMEMBER: Loss is only required for civil remedy –
not criminal violation
37. What would you advise?
Wrongful access of your client’s
computer
Considering a CFAA claim
Your advice would be to ________?
38. Remedies
Available
• Economic damages
• Loss damage
• Injunctive relief
Not Available
• Exemplary damages
• Attorneys’ fees
39. Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized
access;
3. Obtained information from any protected
computer; and
4. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
40. Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized
access;
4. By doing so, furthers the intended fraud and
obtains anything of value; and
5. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
42. General Access Principles
Access by informational / data use
≠ technician
Must be knowing or intentional access
≠ accidental access
43. Two Types of Wrongful Access
“without authorization”
• Outsiders
• No rights
• Not defined
• Only requires intent to access, not harm
• Hacker!
“exceeds authorized”
• Insiders
• Some rights
• CFAA defines: access in a way not entitled
• Necessarily requires limits of authorization
• Employees, web users, etc.
44. When does authorization terminate?
As of April 10, 2012, there are (once again) three
general lines of cases: Trilogy of Access Theories
• Agency Theory
• Intended-Use Analysis
• Access Means Access
45. Ways to establish limits for Intended-Use
Contractual
• Policies: computer use, employment & manuals
• Website Terms of Service
Technological
• Login and access restrictions
• System warnings
Training and other evidence of notification
Notices of intent to use CFAA
46. Contractual limits should
Clearly notify of limits
Limit authorization to access information
Limit use of information accessed
Terminate access rights upon violation
Indicate intent to enforce by CFAA
Goal: limit or terminate authorization
47. Employment Situations
Most common scenario is employment
• Employee accesses and takes customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history
• Employee accessing their Facebook, Gmail, Chase accounts at
work
48. Family Law Situations
Have you ever logged into your significant other’s email or Facebook
to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
49. Sharing Website Logins
Have you ever borrowed or shared website login credentials and
passwords for limited access sites (i.e., online accounts)?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials
for paid website was viable CFAA claim
• The key factor here was that the conduct was prohibited by the
website’s agreed-to Terms of Service
50. Misuse of Websites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited by TOS
• Creating fake Facebook to research opposing parties
51. Hacking & Private Information
Hacking was original purpose for CFAA
• Hacking and obtaining private information
• (president’s educational records)
• Tracking individuals through geo-tagging
• Website collection of private information
• All fit within the prohibitions of the CFAA
• Loss is the problem, from a civil standpoint
52. What about …
• Hacking a car?
• Hacking a person?
• What else?
53. What about …
• Denial of Service Attacks
• Password Trafficking
56. Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
• knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic
Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
57. • Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of
computer fraud (sometimes)
• Courts’ interpretation of the CFAA is changing all
the time – you must stay updated!
• Many other Federal and Texas laws also available
for combating computer fraud
Who knows what movie this was from? Anyone remember? Early 80s – 1983
Movie War Games!
Why? Because this is the primary law that is used to pursue those who misuse a computer to commit crimes, defraud, etc. Computers are everywhere and are involved in virtually everything!
CFAA’s definition of computer: Remember the “But”!!!
Now that we know what it applies to, let’s talk about what the CFAA prohibits.
Not too long ago I was talking with someone about a case they had involving criminal indictment for the CFAA. I offered help but was rebuffed – told: “I’ve read the statute, I’ve got it.” Ok – best of luck to you (and your clients!)!
What would your advice, as a lawyer, be in this situation?
Why? (Remember what Steve Jobs said last December – everything has a computer in it nowadays!) The CFAA is what is most commonly used to deal with misuse of computers.