CUTTING EDGE LEGAL ISSUES RELATING TO MOBILE DEVICES
Nick Akerman
Dorsey & Whitney LLP
www.computerfraud.us
212-415-9217
Companies can mitigate their “risk” by re-evaluating 7 areas of their business
• Hiring Practices
• Company Rules
• Appropriate Agreements
• Use of Technology
• Termination Practices
• Protocols for Response
• Company Compliance Program
The Hiring Process
• Honor Prior Employment Agreements
• Explain Company Obligations
– Company Policy
– Employment Agreements
• Criminal Exposure for the Company
Overview of the Federal Computer Crime Statute
• The statute and its scope
• Legal requirements
• How the courts have interpreted the statute
• Current issues in play regarding employees
• Proactive steps a company can take to be able to use the statute to protect its data
Computer Fraud and Abuse Act
• Title 18 U.S.C. § 1030 – Enacted in 1984
• Federal computer crime statute including data theft
• Civil remedy in 1994 amendment
• Computers used in interstate commerce
• Amended in 2001 and 2008
• Computers in foreign countries
• Provides for damages and injunction
Various Causes of Action
• Stealing valuable computer data
• Schemes to defraud
• Trafficking in a computer password or similar information with intent to defraud
• Damaging computer data
• Hacking
• Extortion
• Sending computer viruses
Legal Requirements
• Protected computer
• Lack of authorization or exceeding authorization to access computer
• Theft of information or anything of value
• Damage to data permanent
• $5,000 loss
• Limited to economic damages
• Compensatory damages
• Two-year statute of limitations
The $5,000 Jurisdictional Limit
Loss during any 1 year period aggregating at least $5,000
“Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11).
Responding to an Offense
• Conducting a damage assessment
• Restoring computer system to its condition prior to the offense
• U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000) – Investigating and repairing damage
• Lost Revenue to the business caused by employee responding to offense
• Use of outside investigator to determine whether computer compromised
Lost Revenue, Costs or Damages Incurred Because of Loss of Service
• Must be interruption of service
• Nexans Wires S.A. v. Sark-USA Inc., 166 Fed. Appx. 559 (2d Cir. 2006)
– Plaintiff claimed theft of confidential information caused it to lose at least $10 million in profits
– Does not apply to loss of profits from theft of data
Key Issue is an Unauthorized Access
Section 1030(a)(2)(C) - “Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer [commits a crime]”
Ways to Establish Lack of Authorization
• Hacking by outsider who breaks into computer
• Violating company policies and rules
• Exceeding expected norms of intended use
• Employee terminating agency relationship with employer by disloyal conduct
• Accessing for non-business purpose
International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)
• Employee destroyed data on company laptop
• Authorization based on law of agency
• Authorization terminates with disloyal act
• Judge Posner found that authorization terminated when employee “resolved to destroy files that incriminated himself and other files that were also the property of his employer.”
U.S. v. Tolliver, 2011 WL 4090472 (3rd Cir. 2011)
• Regina Tolliver, a former bank teller for Citizen’s Bank, provided customer account information to check runners who cashed fraudulent checks
• Employee policies not at issue
• Court found there was sufficient evidence to convict Tolliver of the CFAA violation because she exceeded her authorized access to the bank computers because she did not have a business purpose to access the customers’ accounts
U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)
• Court affirmed the CFAA conviction of a Social Security Administration employee
• Accessed social security information for personal reasons
• Violated Agency’s policy against “obtaining Information from its databases without a business reason.”
EF Cultural Travel v. Explorica, 274 F.3d 577 (1st Cir. 2001)
• Ex-employees set up competing student travel company
• Information was accessed through public website
• Robot created with confidential information
• Used robot to download pricing data
• First Circuit upheld injunction based on confidentiality agreement
• Authorization established by contract
• Pricing data was valuable
Authorization as Defined by Company Policies
• First Circuit: the CFAA “is primarily a statute imposing limits on access and enhancing control by information providers”
• Companies can set predicate for CFAA violation
• Rules on limiting authorized access
• Agreements can set limits
• Similar to criminal trespass
U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)
• Employees cannot access without authorization since they are authorized to access the company computers
• CFAA does not extend to violations of use restrictions but is limited to circumvention of technological barriers
• Concern over criminalizing common violations of terms of use and rules
• Followed: WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (2012)
Company Rules
• Employee Handbook
• Compliance Code of Conduct
• Terms of Use on company Web site
• Place in Agreements
• Training
Doe v. Dartmouth Hitchcock Medical Center, 2001 WL 873063 (D.N.H. July 19, 2001)
• Hospital’s Graduate Training Manual prohibited intern from accessing patient records absent need to know
• Hospital and resident sued
• Court dismissed hospital holding that it had been victimized by its “own policies” and that it would be inconsistent with the purpose of the CFAA to find the hospital vicariously liable for resident’s actions
Agreements
• Officers/Employees/Third Parties
• Among related companies
• Confidentiality/Non-Disclosure
• Agreement to search personal computers
• Permissions re scope of access
• Post employment restrictive covenants
• Anti-Raiding Covenants
Working with Vendors
• Warranty and representation on compliance
• Indemnification
• Certification of compliance with EU Safe Harbor Framework
• Adequate insurance coverage
• General due diligence
Terms of Use
• Require users to provide accurate registration information
• Limit use of account to registered user at one computer at a time
• Prohibit use of web crawlers, robots and similar devices
• Post acceptable use guidelines that prohibit abuse, harassment and similar conduct
• Specify limitations on use of materials obtained (e.g., no commercial use)
City of Ontario, Ca. v. Quon (S.Ct. 2010)
• Police officers texted messages on City pagers
• Quon exceeded character limit and reimbursed the City rather than be audited
• City’s computer policy stated email and Internet usage would be monitored
• Supervisor’s statements negated policy by making audits of the texts unnecessary if officers paid for the overages
• A later audit to determine if limit on texts was too low found Quon had texted sexually explicit messages and was disciplined
• Texts in one month reflected 57 work related messages out of 456
City of Ontario, Ca. v. Quon (S.Ct. 2010)
• 9th Circuit held there was no reasonable expectation of privacy based on employer’s “operational realities” and the search was unreasonable
• Supreme Court reversed holding that on the facts the search was reasonable despite expectation of privacy
• Search was justified by noninvestigatory work-related purpose of determining whether the character limit was sufficient to meet the City’s needs
• Highlights importance of employer’s policies on reasonable expectation of privacy and other technology-related policies and the need for enforcing those policies
Riley v. California
• Supreme Court held that the police must obtain a search warrant to review a cellphone
• “a cell phone search would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form – unless the phone is.”
• Access to cloud storage
Pietrylo v. Hillstone Restaurant Group (D.N.J. 2009)
• Restaurant employees created an invitation-only Myspace group where employees could vent
• Management found out about it, asked for the password, viewed the page and fired two employees
• Employer found liable for violation of the Stored Communications Act
Using Technology to Capture Evidence
• Audit trail
• Email Retention
• Imaging computers
• Forensic review
Use of Technology
• Risks re transportable media
• Password protection is simplest
• Two step verification
• Access based on need to know
• Encryption
The Termination Process
• Employees must return all company property
• Standard Exit Interview Form
• Explain post employment obligations
• Retain evidence
Compliance
• New York Stock Exchange listed company compliance program must protect confidential information that “might be of use to competitors, or harmful to the company or its customers, if disclosed.”
• Effective as of October 31, 2004
• Part of Compliance standards and procedures
• Annual CEO certification
• Massachusetts
• Cover competitively sensitive data and personal data
State Data Compliance Statutes
• Nevada – personal information must be encrypted when it is transferred – effective October 1, 2008
• Connecticut – businesses must “safeguard the data, computer files and documents containing the information from misuse by third parties.” – effective October 1, 2008
• Massachusetts Data Compliance rules effective March 1, 2010
– Applies to a business located anywhere that stores or maintains personal information about a Massachusetts resident
– Mandates a compliance program consistent with the Federal Sentencing Guidelines
• Washington State – personal information encrypted effective July 1, 2010
Massachusetts – Administrative, Technical and Physical Safeguards
• Develop Security Policies that are enforced through encryption
• Appoint Security Coordinator
• Minimize risks from third parties by terminating access for former employees and ensuring compliance by vendors
• Train the workforce on importance of personal information security
• Conduct regular audits at least annually
• Enforce the policies through disciplinary measures and document responsive actions
• Respond to incidents encouraging employees to report violations
Nick Akerman
Dorsey & Whitney LLP
212-415-9217
For On-going Updates Go to
http://computerfraud.us