What is Fraud 2.0? Computer fraud is the fraud of the century and it is increasing exponentially each year. Shawn Tuma provides an in-depth analysis of the federal Computer Fraud and Abuse Act, the primary law that is available to help businesses and individuals combat the threat of computer fraud and obtain both civil and criminal remedies for those frauds. Tuma explains how the Computer Fraud and Abuse Act works, some of the practical steps that need to be taken in advance to ensure it is available should a computer fraud occur, and give practical examples of several situations where the Computer Fraud and Abuse Act has been used successfully. He also provides a brief overview of some of the other laws that can be used to combat computer fraud – Fraud 2.0. This presentation was made to Association of Certified Fraud Examiners (ACFE) - Dallas on November 8, 2012.

1. FRAUD 2.0
An Overview of the Laws that Help
Businesses and Individuals Combat
Computer Fraud
Association of Certified
Fraud Examiners
November 8, 2012

2. THINK ABOUT THIS …
www.brittontuma.com 2

3. [SEE FOLLOING VIDEO]
https://vimeo.com/2030361
www.brittontuma.com 3

4. WHAT DOES THAT MEAN
TO YOU?
www.brittontuma.com 4

5. STUXNET?
www.brittontuma.com 5

6. NON COMPUTER
RELATED FRAUD?
www.brittontuma.com 6

7. As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
2012 Norton Cybercrime Report
www.brittontuma.com 7

8. What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
• all multifarious means which human ingenuity
can devise, and which are resorted to by one
individual to get advantage over another by
false suggestions or suppression of the truth
www.brittontuma.com 8

9. Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• over wire
www.brittontuma.com 9

10. What do computers do?
EFFICIENCY!
www.brittontuma.com 10

11. FRAUD 2.0
www.brittontuma.com 11

12. Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers
and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches
of data security, privacy breaches, computer worms,
Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
www.brittontuma.com 12

13. Who knows the percentage of
businesses that suffered at least one act
of computer fraud in last year?
90%
(Ponemon Institute Study)
www.brittontuma.com 13

14. Computer Fraud and Abuse Act
Federal Law – 18 U.S.C § 1030
www.brittontuma.com 14

15. BRIEF HISTORY OF
THE CFAA
15

16. www.brittontuma.com 16

17. www.brittontuma.com 17

18. Why is the Computer Fraud
and Abuse Act important?
 Primary Law for Misuse of Computers
 Computers …
www.brittontuma.com 18

19. “Everything has a
computer in it nowadays.”
-Steve Jobs
www.brittontuma.com 19

20. WHAT IS A COMPUTER?
20

21. The CFAA says
has a processor or stores data
“the term ‘computer’ means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device
performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility
directly related to or operating in conjunction with such device,
but …”
IMPORTANT! “such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device;”
www.brittontuma.com 21

22. What about
www.brittontuma.com 22

23. The Fourth Circuit says
“’Just think of the common household items that
include microchips and electronic storage devices, and
thus will satisfy the statutory definition of “computer.”’
“’That category can include coffeemakers, microwave
ovens, watches, telephones, children’s toys, MP3
players, refrigerators, heating and air-conditioning
units, radios, alarm clocks, televisions, and DVD
players, . . . .”
-United States v. Kramer
www.brittontuma.com 23

24. The CFAA applies only to “protected” computers
This may limit the problem of applying it to alarm
clocks, toasters, and coffee makers
Protected = connected to the Internet
Any situations where these devices are connected?
www.brittontuma.com 24

25. • TI-99 • Leap Frog Leapster • iPhone 5
• 3.3 MHz Processor • 96 MHz Processor • 1.02 GHz Processer
• 16 KB of RAM • 128 MB of RAM • 1 GB of RAM
www.brittontuma.com 25

26. 66 MHz =
fastest
desktop in 80s
96 MHz = child’s
toy today
250 MHz =
fastest super
computer in 80s
1.02 GHz =
telephone today
www.brittontuma.com 26

27. WHAT DOES THE CFAA
PROHIBIT?
27

28. CFAA prohibits the access of a protected
computer that is
 Without authorization, or
 Exceeds authorized access
www.brittontuma.com 28

29. Where the person accessing
 Obtains information
 Commits a fraud
 Obtains something of value
 Transmits damaging information
 Causes damage
 Traffics in passwords
 Commits extortion
www.brittontuma.com 29

30. “I am the wisest man alive,
for I know one thing, and that
is that I know nothing.”
-Socrates
 Overly simplistic list
 Very complex statute
 Superficially it appears deceptively straightforward
 Many pitfalls
www.brittontuma.com 30

31. Two Most Problematic Issues
 “Loss” Requirement
• Confuses lawyers and judges alike
 Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
www.brittontuma.com 31

32. Limited civil remedy
 Procedurally complex with many cross-
references
 “damage” ≠ “damages”
 Must have $5,000 “loss”
 Loss requirement is jurisdictional threshold
www.brittontuma.com 32

33. What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)
www.brittontuma.com 33

34. What can qualify as a “loss”?
 Investigation and response costs
• Forensics analysis and investigation
• Diagnostic measures
• Restoration of system
• Bartered services for investigation / restoration
 Value of employees’ time
 Attorneys’ fees if leading investigation
www.brittontuma.com 34

35. What is not a “loss”?
 Lost revenue (unless interruption of service)
 Value of trade secrets
 Lost profits
 Lost customers
 Lost business opportunities
 Privacy and Personally Identifiable Information
www.brittontuma.com 35

36. Privacy and Personally Identifiable Information
 iTracking
 Hacking / data breach
 Browser cookies
REMEMBER: Loss is only required for civil remedy –
not criminal violation
www.brittontuma.com 36

37. What would you advise?
 Wrongful access of your client’s
computer
 Considering a CFAA claim
 Your advice would be to ________?
www.brittontuma.com 37

38. Remedies
 Available
• Economic damages
• Loss damage
• Injunctive relief
 Not Available
• Exemplary damages
• Attorneys’ fees
www.brittontuma.com 38

39. Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized
access;
3. Obtained information from any protected
computer; and
4. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
www.brittontuma.com 39

40. Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized
access;
4. By doing so, furthers the intended fraud and
obtains anything of value; and
5. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.
www.brittontuma.com 40

41. WRONGFUL ACCESS
41

42. General Access Principles
 Access by informational / data use
 ≠ technician
 Must be knowing or intentional access
 ≠ accidental access
www.brittontuma.com 42

43. Two Types of Wrongful Access
“without authorization” “exceeds authorized”
 Outsiders  Insiders
 No rights  Some rights
 Not defined  CFAA defines: access in
 Only requires intent to a way not entitled
access, not harm  Necessarily requires
 Hacker! limits of authorization
 Employees, web users,
etc.
www.brittontuma.com 43

44. When does authorization terminate?
As of April 10, 2012, there are (once again) three
general lines of cases: Trilogy of Access Theories
• Agency Theory
• Intended-Use Analysis
• Access Means Access
www.brittontuma.com 44

45. Ways to establish limits for Intended-Use
 Contractual
• Policies: computer use, employment & manuals
• Website Terms of Service
 Technological
• Login and access restrictions
• System warnings
 Training and other evidence of notification
 Notices of intent to use CFAA
www.brittontuma.com 45

46. Contractual limits should
 Clearly notify of limits
 Limit authorization to access information
 Limit use of information accessed
 Terminate access rights upon violation
 Indicate intent to enforce by CFAA
Goal: limit or terminate authorization
www.brittontuma.com 46

47. Employment Situations
Most common scenario is employment
• Employee access and take customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history 
• Employee accessing their Facebook, Gmail, Chase accounts at
work 
www.brittontuma.com 47

48. Family Law Situations
Have you ever logged into your significant other’s email or Facebook
to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
www.brittontuma.com 48

49. Sharing Website Logins
Have you ever borrowed or shared website login credentials and
passwords for limited access sites (i.e., online accounts)?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials
for paid website was viable CFAA claim
• The key factor here was the conduct was prohibited by the
website’s agreed to Terms of Service
www.brittontuma.com 49

50. Misuse of Websites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited by TOS
• Creating fake Facebook to research opposing parties
www.brittontuma.com 50

51. Hacking & Private Information
Hacking was original purpose for CFAA
• Hacking and obtaining private information
• (president’s educational records)
• Tracking individuals through geo-tagging
• Website collection of private information
• All fit within the prohibitions of the CFAA
• Loss is the problem, from a civil standpoint
www.brittontuma.com 51

52. What about …
• Hacking a car?
• Hacking a person?
• What else?
www.brittontuma.com 52

53. What about …
• Denial of Service Attacks
• Password Trafficking
www.brittontuma.com 53

54. OTHER LAWS FOR
COMBATING FRAUD 2.0
54

55. Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act - 18 U.S.C. § 2510
• Wiretap Act ≠ intercept communications
• Stored Communications Act ≠ comm. at rest
• Fraud with Access Devices - 18 U.S.C. § 1029
• devices to obtain passwords, phishing, counterfeit
devices, scanning receivers, drive through swipe cards
• Identity Theft – 18 U.S.C. § 1028
www.brittontuma.com 55

56. Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
• knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic
Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
www.brittontuma.com 56

57. • Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of
computer fraud (sometimes)
• Courts’ interpretation of the CFAA is changing all
the time – you must stay updated!
• Many other Federal and Texas laws also available
for combating computer fraud
www.brittontuma.com 57

58. www.brittontuma.com 58