Computer Security Law

Transcription

1 Computer Security Law Seminar Topic: This material provides an in-depth examination of the process and procedure as it relates to computer security law. This material is intended to be a guide in general. As always, if you have any specific question regarding the state of the law in any particular jurisdiction, we recommend that you seek legal guidance relating to your particular fact situation. The course materials will provide the attendee with the knowledge and tools necessary to identify the current legal trends with respect to these issues. The course materials are designed to provide the attendee with current law, impending issues and future trends that can be applied in practical situations. Page 1

2 Copyright 2013 Printed in the United States of America. All rights reserved. No part of this monograph may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, except for citation within legal documents filed with a tribunal, without permission in writing from the publisher. Disclaimer: The views expressed herein are not a legal opinion. Every fact situation is different and the reader is encouraged to seek legal advice for their particular situation. The Apex Jurist, is Published by ApexCLE, Inc South Emerson St., Suite 248 Mount Prospect, Illinois Toll Free South Spring Street Springfield, Illinois Toll Free Ordering Information: Copies of this monograph may be ordered direct from the publisher for $24.95 plus $4.25 shipping and handling. Please enclose your check or money order and shipping information. For educational, government or multiple copy pricing, please contact the publisher. Library of Congress Cataloging-in-Publication Data ApexCLE, Inc. 1. ApexCLE, Inc. 2. Law-United States Guide-books. 3. Legal Guide 4. Legal Education. Page 2

3 About The Author Bruce degrazia has been a lawyer since 1984, when he began his career in the U.S. Navy, serving as a prosecutor and an advisor to the Commander, Naval Surface Force Atlantic Fleet. He then worked for Burditt, Bowles and Radius in Chicago, specializing in environmental litigation and international business law. From he was in-house attorney for Cummins Engine Company and United Technologies. In 1997, Mr. degrazia was appointed to be Assistant Deputy Under Secretary of Defense for Environmental Quality, in which position he was responsible for Defense Department policy in the areas of environmental compliance, conservation, pollution prevention, cultural resources, and American Indian issues. While there he supported the Vieques Commission in their determination that the Navy should find an alternative training area than the island of Vieques, near Puerto Rico. He also worked on the projects to raise the CSS Hunley and U.S.S. Monito After the Clinton Administration, he became Deputy General Counsel at Versar, an environmental and engineering company, where he saved the company over a million dollars in an environmental remediation case. In 2003 he joined Aitken Berlin. Author s Address: Author s Website: degrazia@ghsadvisors.com Author s Mailing Address: 2512 Babcock Road Vienna, VA Author s Phone Number: Page 3

4 I. Nature of computer security law Older than you think Both criminal and civil application Almost always a step (or two, or three...) behind technology A trap for the unwary or uninformed II. Major statutes relating to computer security Computer Fraud and Abuse Act of 1986 Related Illinois laws Sarbanes-Oxley Gramm-Leach-Bliley HIPAA Last three relate to specific business types Computer Fraud and Abuse Act of 1986, 18 U.S.C Oldest computer security law on the books Vague Amended to reflect homeland security concerns Both criminal and civil application Page 4

5 History of the CFAA Originally passed to protect access to government computers and the banking system Reach subsequently greatly extended Criminal application of the CFAA accessing a computer containing classified information accessing a computer and obtaining financial information, government information, or any information on a computer involved in interstate or foreign communication accessing a non-public government computer accesses a protected computer with intent to defraud and fraud is worth more than $5,000 sends malware that causes harm to a protected computer or damages and causes loss to a protected computer through unauthorized use traffics in passwords with intent to defraud or access government computer threatens to damage any protected computer or obtain information from it conspires to do any of the above Page 5

6 Criminal application of the CFAA (2) Terminology: protected computer is any computer used by U.S. government or a financial institution or any computer which is used in interstate or foreign commerce or communication (18 U.S.C. 1030(e)(2)) damage is any impairment to the integrity or availability of data, a program, a system, or information (18 U.S.C. 1030(e)(8)) loss is any reasonable cost to any victim, including response, damage assessment, restoration, and lost revenue as a result of interruption of service (18 U.S.C. 1030(e)(11)) Criminal application of the CFAA (3) Elements knowledge or intent to access unauthorized access or exceeding authorized access interstate or foreign commerce or communication causes damage or loss Penalties fine prison for up to twenty years for each offense Page 6

7 Notable criminal cases under the CFAA U.S. v. Mitra, 405 F.3d 492 (7th Cir. 2005) -- police radio system is a protected computer and is used in interstate commerce U.S. v. Kramer, 631 F.3d 900 (8th Cir.), cert. denied, 131 S.Ct (2011) -- cell phone is a computer even if it cannot access the Internet United States v. Aaron Swartz Case never went to trial Facts Charges Disposition Reaction Civil application of CFAA Most cases brought under the CFAA are civil A civil action under the statute will lie for any person who suffers loss by reason of a violation of this section (18 U.S.C. 1030(g)) Damages or equitable relief Must include loss of at least $5,000 (limited to economic damages) modification or impairment of medical diagnosis or treatment physical injury threat to public health or safety, or Page 7

8 Civil cases under CFAA International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) using an erasure or deletion program is a transmission under (a)(5)(a)(i) -- the malware section authorization for a for an employee to use a computer ends when the employee decides to leave employment YourNetDating, LLC v. Mitchell, 88 F.Supp 2d 870 (N.D. Ill. 2000) -- TRO against further hacking is appropriate remedy Civil cases under CFAA (2) Penrose Computer Marketgroup v. Camin, 682 F.Supp 2d 202 (N.D.N.Y. 2010) -- deleting s and customer lists of employer does not violate CFAA access section if employment still active Scope of CFAA and possible changes Leaves significant discretion in the hands of prosecutors Numerous attempts in Congress to narrow scope Aaron s Law Illinois Computer Tampering Act, 720 ILCS 5/17-51 Follows CFAA with certain additions adds computer network, program and data to accessed areas Page 8

9 includes section prohibiting the falsification or altering of routing information civil action will lie for damaging computer, network, program, or data, or for damages as a result of spam 720 ICS 5/17-52 establishes the crime of aggravated computer tampering if the act interferes with government services creates strong probability of death or great bodily harm to one or more individuals Other Illinois statutes regarding computer security 720 ILCS 5/17-50 addresses computer fraud by prohibiting use of a computer, or damage to a computer, program or data, in connection with a fraudulent act all violations of this statute are felonies forfeiture of property is authorized 720 ILCS 5/17-50 prohibits the use of encryption as part of a crime, or to conceal it or its perpetrator(s) Anti-Phishing Act, 740 ILCS 7 Prohibits phishing Provides civil action for violation Damages of three times actual or $5,000, whichever is greater, for individual plaintiff actual damages or $500,000, whichever is greater for an aggrieved Internet provider or a trademark injunctive relief appropriate Page 9

10 attorneys fees recoverable court may increase damages if defendant engaged in pattern Sarbanes-Oxley Act of 2002 Official title: Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act of 2002 (SOX) (also known as the Corporate and Criminal Fraud Accountability Act of 2002) 15 U.S.7262 History Application to computer security Section 404 SEC CF Disclosure Guidance Topic No. 2 - cyber security (2011) Recent developments public companies are starting to disclose cyber security risks and attacks Mostly banks, but expected to expand Page 10