Cutting Edge Legal Issues Relating To Mobile Devices Nick Akerman Dorsey & Whitney LLP

Size: px

Start display at page:

Download "Cutting Edge Legal Issues Relating To Mobile Devices Nick Akerman Dorsey & Whitney LLP"

Loren Nora Robertson
5 years ago
Views:

1 Cutting Edge Legal Issues Relating To Mobile Devices Nick Akerman Dorsey & Whitney LLP

2 Companies can mitigate their risk by re-evaluating 7 areas of their business Hiring Practices Company Rules Appropriate Agreements Use of Technology Termination Practices Protocols for Response Company Compliance Program

3 HIRING PRACTICES

4 The Hiring Process Honor Prior Employment Agreements Explain Company Obligations Company Policy Employment Agreements Criminal Exposure for the Company

5 COMPANY RULES

6 The Computer Fraud and Abuse Act

7 Overview of the Federal Computer Crime Statute The statute and its scope Legal requirements How the courts have interpreted the statute Current issues in play regarding employees Proactive steps a company can take to be able to use the statute to protect its data

Computer Fraud and Abuse Act Title 18 U.S.C. 1030 Enacted in 1984 Federal computer crime statute including data theft Civil remedy in 1994

8 Computer Fraud and Abuse Act Title 18 U.S.C Enacted in 1984 Federal computer crime statute including data theft Civil remedy in 1994 amendment Computers used in interstate commerce Amended in 2001 and 2008 Computers in foreign countries Provides for damages and injunction

password or similar information with intent to defraud

9 Various Causes of Action Stealing valuable computer data Schemes to defraud Trafficking in a computer password or similar information with intent to defraud Damaging computer data Hacking Extortion Sending computer viruses

anything of value Damage to data permanent $5,000 loss Limited to

10 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything of value Damage to data permanent $5,000 loss Limited to economic damages Compensatory damages Two-year statute of limitations

The $5,000 Jurisdictional Limit Loss during any 1 year period aggregating at least $5,000 Loss is defined in the statute as any reasonable cost to any victim, including the cost of responding to an

11 The $5,000 Jurisdictional Limit Loss during any 1 year period aggregating at least $5,000 Loss is defined in the statute as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 1030(e)(11).

12 Responding to an Offense Conducting a damage assessment Restoring computer system to its condition prior to the offense U.S. Middleton, 231 F.3d 1207 (9th Cir. 2000) Investigating and repairing damage Lost Revenue to the business caused by employee responding to offense Use of outside investigator to determine whether computer compromised

13 Lost Revenue, Costs or Damages Incurred Because of Loss of Service Must be interruption of service Nexans Wires S.A. v. Sark-USA Inc., 166 Fed. Appx, 559 (2d Cir. 2006) Plaintiff claimed theft of confidential information caused it to lose at least $10 million in profits Does not apply to loss of profits from theft of data

14 Key Issue is an Unauthorized Access Section 1030(a)(2)(C) - Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer [commits a crime]

15 Ways to Establish Lack of Authorization Hacking by outsider who breaks into computer Violating company policies and rules Exceeding expected norms of intended use Employee terminating agency relationship with employer by disloyal conduct Accessing for non-business purpose

Authorization terminates with disloyal act Judge Posner found that authorization terminated

16 International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006) Employee destroyed data on company laptop Authorization based on law of agency Authorization terminates with disloyal act Judge Posner found that authorization terminated when employee resolved to destroy files that incriminated himself and other files that were also the property of his employer.

17 U.S. v. Tolliver, 2011 WL (3rd Cir. 2011) Regina Tolliver, a former bank teller for Citizen s Bank, provided customer account information to check runners who cashed fraudulent checks Employee policies not at issue Court found there was sufficient evidence to convict Tolliver of the CFAA violation because she exceeded her authorized access to the bank computers because she did not have a business purpose to access the customers accounts

18 U.S. v. Rodriquez, 628 F.3d 1258 (11 th Cir. 2010) Court affirmed the CFAA conviction of a Social Security Administration employee Access social security information for personal reasons Violated Agency s policy against obtaining Information from its databases without a business reason.

public website Robot created with confidential information Used robot to download pricing

19 EF Cultural Travel v. Explorica, 274 F.3d 577(1st Cir. 2001) Ex-employees set up competing student travel company Information was accessed through public website Robot created with confidential information Used robot to download pricing data First Circuit upheld injunction based on confidentiality agreement Authorization established by contract Pricing data was valuable

Authorization as Defined by Company Policies First Circuit: the CFAA is primarily a statute imposing limits on access and enhancing control by

20 Authorization as Defined by Company Policies First Circuit: the CFAA is primarily a statute imposing limits on access and enhancing control by information providers Companies can set predicate for CFAA violation Rules on limiting authorized access Agreements can set limits Similar to criminal trespass

21 U.S. v. Nosal, 676 F.3d 854 (9 th Cir. 2012) Employees cannot access without authorization since they are authorized to access the company computers CFAA does not extend to violations of use restrictions but is limited to circumvention of technological barriers Concern over criminalizing common violations of terms of use and rules Followed: WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (2012)

22 Company Rules Employee Handbook Compliance Code of Conduct Terms of Use on company Web site Place in Agreements Training

23 Doe v. Darthmouth Hitchcock Medical Center, 2001 WL (D.N.H. July 19, 2001) Hospital s Graduate Training Manual prohibited intern from accessing patient records absent need to know Hospital and resident sued Court dismissed hospital holding that it had been victimized by its own policies and that it would be inconsistent with the purpose of the CFAA to find the hospital vicariously liable for resident s actions

24 APPROPRIATE AGREEMENTS

25 Agreements Officers/Employees/Third Parties Among related companies Confidentiality/Non-Disclosure Agreement to search personal computers Permissions re scope of access Post employment restrictive covenants Anti-Raiding Covenants

26 Working with Vendors Warranty and representation on compliance Indemnification Certification of compliance with EU Safe Harbor Framework Adequate insurance coverage General due diligence

27 Terms of Use Require users to provide accurate registration information Limit use of account to registered user at one computer at a time Prohibit use of web crawlers, robots and similar devices Post acceptable use guidelines that prohibit abuse, harassment and similar conduct Specify limitations on use of materials obtained (e.g., no commercial use)

28 PROTOCOLS FOR RESPONSE

29 City of Ontario, Ca. v. Quon (S.Ct. 2010) Police officers texted messages on City pagers Quon exceeded character limit and reimbursed the City rather than be audited City s computer policy stated and Internet usage would be monitored Supervisor s statements negated policy by making audits of the texts unnecessary if officers paid for the overages A later audit to determine if limit on texts was tood low found Quon had texted sexually explicit messages and was disciplined Texts in one month reflected 57 work related messages out of 456

30 City of Ontario, Ca. v. Quon (S.Ct. 2010) 9th Circuit held there was no reasonable expectation of privacy based on employer s operational realities and the search was unreasonable Supreme Court reversed holding that on the facts the search was reasonable despite expectation of privacy Search was justified by noninvestigatory work-related purpose of determining whether the character limit was sufficient to meet the City s needs Highlights importance of employer s policies reasonable expectation of privacy and other technology-related policies and the need for enforcing those policies

31 Riley v. California Supreme Court held that the police must obtain a search warrant to review a cellphone a cell phone search would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form unless the phone is. Access to cloud storage

32 Pietrylo v. Hillstone Restaurant Group (D.N.J. 2009) Restaurant employees created an invitation-only Myspace group where employees could vent Management found out about,asked for password, viewed the page and fired two employees Employer found liable for violation of the Stored Communications Act

33 Using Technology to Capture Evidence Audit trail Retention Imaging computers Forensic review

34 USE OF TECHNOLOGY

35 Use of Technology Risks re transportable media Password protection is simplest Two step verification Access based on need to know Encryption

36 TERMINATION PRACTICES

37 The Termination Process Employees must return all company property Standard Exit Interview Form Explain post employment obligations Retain evidence

38 COMPANY COMPLIANCE PROGRAM

39 Compliance New York Stock Exchange listed company compliance program must protect confidential information that might be of use to competitors, or harmful to the company or its customers, if disclosed. Effective as of October 31, 2004 Part of Compliance standards and procedures Annual CEO certification Massachusetts Cover competitively sensitive data and personal data

40 State Data Compliance Statutes Nevada personal information must be encrypted when it is transferred effective October 1, 2008 Connecticut businesses must safeguard the data, computer files and documents containing the information from misuse by third parties. effective October 1, 2008 Massachusetts Data Compliance rules effective March 1, 2010 Applies to a business located anywhere that stores or maintains personal information about a Massachusetts resident Mandates a compliance program consistent with the Federal Sentencing Guidelines Washington State personal information encrypted effective July 1, 2010

41 Massachusetts Administrative, Technical and Physical Safeguards Develop Security Policies that are enforced through encryption Appoint Security Coordinator Minimize risks from third parties terminated access to former employees and ensuring compliance by vendors Train the workforce on importance of personal information security Conduct regular audits at least annually Enforce the policies through disciplinary measures and document responsive actions Respond to incidents encouraging employees to report violations

42 Nick Akerman Dorsey & Whitney LLP For On-going Updates Go to

INFORMATION AND CYBER SECURITY POLICY V1.1

Future Generali 1 INFORMATION AND CYBER SECURITY V1.1 Future Generali 2 Revision History Revision / Version No. 1.0 1.1 Rollout Date Location of change 14-07- 2017 Mumbai 25.04.20 18 Thane Changed by Original