Cyberattack Risk: Not Just For Personal Data


by Mark Szpak, Seth Harrington and Lindsey Sullivan

Practice Tips

In August, the United States Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) unsealed complaints alleging a scheme to hack into the computer systems of newswire services in order to steal material nonpublic information, which the hackers then allegedly used to place trades.

This case is strikingly different from many other recently reported data-breach cases. Typically such cases have involved an attacker breaking into a company’s network to access personal nonpublic information (e.g., credit card numbers, medical history, Social Security numbers) that potentially could be sold to other criminals who would use it to attempt identity theft or fraud. This hack involved information concerning publicly traded companies, obtained not from the companies themselves but from third-party newswire services. These complaints highlight that cyberattack risk is not limited to the theft of personal information but extends to any confidential information that hackers may seek to exploit for financial gain: trade secrets, insider information, customer prospects, bid packages, marketing data, business plans, etc. Companies need to understand this risk as well as how to prevent it and how to manage it if it occurs.

The Alleged Hacking and “Insider” Trading Scheme

The criminal complaints filed by the DOJ allege that nine individuals hacked into the computer systems of the newswire services Marketwired, PR Newswire, and Business Wire, accessed nonpublic information, and used it to generate $30 million in illegal profits. The civil complaint, brought by the SEC against 32 individuals, alleges that the defendants generated more than $100 million in illegal profits by trading on the stolen nonpublic information in violation of federal antifraud laws and related SEC rules.

These newswire services were engaged by major publicly traded companies to publish corporate releases and, as a result, received confidential information hours and even days before the information was publicly released. By infiltrating the computer systems of these newswire services, the criminals were able to access, and act upon, the releases ahead of the market.

Few are surprised that the newswire services were targeted, but the extent of the scheme is drawing attention. The hacking allegedly lasted five years, during which the attackers allegedly accessed over 150,000 press releases. In one instance, according to the SEC complaint, the hackers and traders were able to act within the 36-minute window between when a press release was provided to the newswire service and its public disclosure, executing trades that resulted in $511,000 in profit.

Potential Exposure

Compared to other cyber cases, these complaints represent the relatively rare occurrence in which claims are brought against the perpetrators of the data breach and the individuals who seek to use and profit from the stolen information. As this article goes to press, no litigation is known to have been initiated against either the newswire services or the companies whose information is alleged to have been stolen in this attack. Yet, based on trends in litigation and regulatory enforcement efforts in matters involving data breaches of personal information, one can expect that claims against hacked entities or their clients may also begin to arise even where only nonpersonal information is involved.

With respect to private litigation, potential claims could face a number of hurdles. Any potential plaintiff would have to allege a cognizable injury as well as the breach of a duty owed by the defendant to that particular plaintiff. Many courts in breach cases have dismissed claims (under both tort and contract theories) based on the attenuated relationship between the plaintiff and the defendant regarding an alleged duty to safeguard information for the benefit of the plaintiff. As we move beyond personal information, each new digital information context will raise questions regarding whether a duty to anticipate and protect against criminal cybertheft can fairly be imposed, in what circumstances, pursuant to what standards, and, if so, to whom it is owed.

With respect to regulators, the SEC has made clear its position regarding the importance of cybersecurity. In March 2014, Chair Mary Jo White explained that “the SEC have been focused on cybersecurity-related issues for some time” because “[c]yber threats [] pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer.” Other regulators (most notably the FTC) have also staked out a position of overlapping jurisdiction.

Best Practices for Companies

In a world where the electronic landscape and the sophistication of cyberhackers are both moving at high speed, there are nonetheless a few best practices that companies facing an actual or potential data security incident (i.e., all companies) can follow to mitigate potential risk:

  • Think carefully about third-party vendors— Companies rely on numerous third parties for everything from corporate disclosures to marketing advice. Thoughtful contracting and training can go a long way to reducing the risk of loss or misuse.
  • Supplement perimeter detection systems— According to the government’s filings in the newswire case, the criminal hackers were resident in the victims’ systems for years. The case illustrates the significance of taking a “defense-in-depth” approach to security and system monitoring: perimeter controls alone will not reveal an intruder who is already inside and behaving like a legitimate user.
  • Be realistic about law enforcement and regulators— Notifying and cooperating with law enforcement can be important for many reasons, and the same is true for governmental regulators. But law enforcement usually focuses on catching the criminal attacker, while regulators (by comparison) often focus instead on examining whether the company’s own practices contributed to its being criminally attacked. Keeping that difference in mind can be significant in dealing simultaneously with these respective governmental actors.
  • Involve outside experts (both legal and forensic) at the earliest sign of a possible problem— Never guess or assume what may have taken place. Forensic experts can help your team assess whether an attack or breach has occurred, the actual scope of the breach, and how to contain it, while legal experts (both internal and outside counsel) can direct that forensic review and assess potential legal obligations involving notification, public statements, remediation, responding to law enforcement, dealing with regulators, preparing for litigation, and protecting the record.
  • Carefully draft external statements— When an incident occurs, all outward facing statements should be carefully crafted to say only what is necessary, and to avoid committing to specifics until facts are definitely known. Before an incident occurs, promising any level of protection is risky because, if a hacker makes it into the system, the company’s statements will inevitably be second-guessed.
  • Check your insurance— For the sake of planning, assume that would-be attackers will be able to access any system in your network. Consider, then, what kind of attack or what kind of data loss could cause the most exposure or disruption. Then make sure your insurance will actually cover those costs and that any related exposure to liability is indeed included. Evaluate your incident response preparedness through “tabletop exercises” to confirm that you have identified the potential risks and expenses.
  • Avoid creating a bad record— Preservation of evidence after discovering a data breach often involves much more than the usual email and paper files. In a network attack, the relevant evidence may include large groups of servers, firewall configuration records, network access logs, security management databases, vulnerability scan results, software hotfix schedules, or any number of other forensic or technical data sources that in most litigation rarely come into play. Much of this material is volatile by design: logs rotate, systems are re-imaged during remediation, and scan results are overwritten by the next scan. Identifying that relevant forensic and technical evidence and then maintaining it, while preserving applicable privileges and minimizing the interruption of critical ongoing company operations, can in many cases pose enormous challenges.
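As an added illustration (it is not part of the article and not the authors’ material), the following Python script shows one way an incident response team can preserve the kinds of technical evidence listed above so that the record holds up later: each collected artifact is hashed as it is collected, the hashes are recorded in a custody manifest that is itself tamper-evident, and the manifest is re-verified before anything is relied on. The file names, file contents, and custodian below are constructed for the example; the categories are the ones the article lists.

```python
"""Preservation manifest for incident evidence (added example, not from the article).

Hashes each collected artifact, records a chain-of-custody manifest, and
re-verifies later so that log rotation, re-imaging, or a tidy-up by operations
cannot silently change the record. All names and contents are constructed samples.
"""
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so that large server images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entries_digest(entries):
    """Hash of the canonical JSON of the entries; makes the manifest itself tamper-evident."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(root, custodian, artifacts):
    """artifacts: iterable of (relative path, evidence category)."""
    entries = []
    for rel_path, category in artifacts:
        full = os.path.join(root, rel_path)
        st = os.stat(full)
        entries.append({
            "path": rel_path,
            "category": category,
            "sha256": sha256_file(full),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "entries": entries,
        "entries_sha256": entries_digest(entries),
    }


def verify_manifest(root, manifest):
    """Return a list of problems; an empty list means the record is intact."""
    problems = []
    if entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        problems.append("manifest entries altered")
    for entry in manifest["entries"]:
        full = os.path.join(root, entry["path"])
        if not os.path.isfile(full):
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(full) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


# Constructed sample artifacts, one per evidence category named in the article.
SAMPLES = {
    "fw/edge-fw.conf": ("firewall configuration",
                        b"interface eth0\n allow tcp any -> 10.0.0.5 443\n"),
    "logs/vpn-access.log": ("network access log",
                            b"2015-08-10T21:14:02Z user=svc_wire src=203.0.113.7 result=OK\n"),
    "scans/q3-vuln-scan.csv": ("vulnerability scan result",
                               b"host,finding,severity\n10.0.0.5,weak-tls-cipher,high\n"),
}


def demo():
    """Collect and verify, then show what each kind of drift looks like."""
    root = tempfile.mkdtemp(prefix="evidence-")
    for rel_path, (_, data) in SAMPLES.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = build_manifest(root, "IR lead (hypothetical custodian)",
                              [(p, cat) for p, (cat, _) in SAMPLES.items()])
    results = {"clean": verify_manifest(root, manifest)}

    # Log rotation appends to a preserved log: that entry no longer matches.
    with open(os.path.join(root, "logs/vpn-access.log"), "ab") as f:
        f.write(b"2015-08-11T02:00:00Z logrotate\n")
    results["after_rotation"] = verify_manifest(root, manifest)

    # Someone edits the manifest to match the changed file: the entries digest catches it.
    forged = copy.deepcopy(manifest)
    forged["entries"][1]["sha256"] = sha256_file(os.path.join(root, "logs/vpn-access.log"))
    results["forged_manifest"] = verify_manifest(root, forged)

    # Evidence deleted during clean-up.
    os.remove(os.path.join(root, "scans/q3-vuln-scan.csv"))
    results["after_deletion"] = verify_manifest(root, manifest)
    return manifest, results


if __name__ == "__main__":
    _, outcome = demo()
    for name, problems in outcome.items():
        print(f"{name}: {problems or 'intact'}")
```

In practice the manifest would be signed or stored on write-once media under counsel’s direction, and the collection step would run against read-only copies rather than live systems, so that preservation does not itself interrupt operations.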

The panoply of costs that a cyberhack can impose makes it clear that a well-developed program to secure all types of business information, not just personal information, can provide a competitive advantage. And when data thieves strike, regardless of the type of data they target, following a prompt and careful response protocol can pay significant legal dividends.

Mark Szpak is a partner in Ropes & Gray’s privacy & data security practice. He focuses on the wide range of challenges that arise after a computer network intrusion, including defending against multidistrict class actions in the U.S. and Canada, handling forensic investigations and responding to regulators.

Seth Harrington, also a partner in Ropes & Gray’s privacy & data security practice, represents clients in all aspects of the response to a privacy or data security incident, and he regularly advises clients on indemnification and insurance matters, including cyber risk insurance.

Lindsey Sullivan is an associate in Ropes & Gray’s business & securities litigation practice, where she focuses on assisting clients through forensic investigations and preservation efforts around privacy and data security breaches.



When Is Hacking A Crime? Potential Revisions to the CFAA

by Allison D. Burroughs, Benjamin L. Mack, and Heather B. Repicky

Viewpoint

In the wake of the much-publicized federal criminal prosecution and suicide of Aaron Swartz, the Computer Fraud and Abuse Act (“CFAA”) (codified at 18 U.S.C. § 1030) has drawn deserved criticism from legal commentators and lawmakers. Indeed, the CFAA is an outdated, patchwork statute in need of revision.

Swartz, a computer programmer, entrepreneur, and activist, was accused of accessing restricted portions of MIT’s computer network in order to download millions of journal articles from a digital library.  He faced as much as 35 years in prison and a $1 million fine under the CFAA and related statutes.

Prominent critics, like Congresswoman Zoe Lofgren (D-CA), contend that the CFAA imposes substantial criminal liability and punishment for relatively innocuous conduct. In 2013, in the wake of the Swartz case, Congresswoman Lofgren introduced “Aaron’s Law” to prevent arguably disproportionate penalties for certain CFAA violations. However, the proposed statute would also seemingly insulate “authorized users” of computers from prosecution, regardless of the nature of their conduct or the harm it causes. Congress should not seek to fix the CFAA by opening unnecessary gaps in the statute. Instead, a more careful revision would ensure that violations of, for example, terms of service agreements would not trigger criminal liability for users, while also giving law enforcement the means to punish malicious, damaging conduct by even “authorized” computer users.

The Computer Fraud and Abuse Act

The CFAA criminalizes many activities done after “knowingly access[ing] a computer without authorization or exceeding authorized access.”  Generally speaking, the seven provisions of the CFAA punish: (1) obtaining national security information; (2) obtaining information of a government agency or of a confidential nature (e.g., financial information); (3) trespassing in a government computer; (4) accessing a computer to commit a fraud; (5) damaging a computer (e.g., by worm, virus, or denial of service attack); (6) trafficking in computer passwords; and (7) threatening to damage a computer.

The CFAA punishes computer access “without authorization” or “exceeding authorized access.” Penalties under the CFAA range from a misdemeanor (imprisonment for not more than one year) to 20 years of incarceration, with the majority of offenses carrying a penalty of five years of incarceration for a first offense and ten years for a second. There is a jurisdictional requirement of $5,000 worth of damage which is, in effect, a technicality, since that amount can be satisfied by the investigative and administrative costs of understanding and assessing an intrusion.

Aaron Swartz

Late in 2010, Swartz entered a restricted network wiring closet in the basement of an MIT building.  He then rigged a laptop and external hard drive to retrieve 4.8 million articles from JSTOR, a not-for-profit digital library that offered paid subscribers access to 2,000 academic journals.  Swartz was apprehended and arrested on January 6, 2011, as he sought to retrieve the laptop and hard drive, while obscuring his identity with a bicycle helmet.

The operative 13-count indictment was returned against Swartz on September 12, 2012 and included five counts charging violations of § 1030(a)(4) (computer fraud, five-year maximum penalty), five counts charging violations of § 1030(a)(2) (unlawfully obtaining information from a protected computer, five-year maximum penalty), one count charging a violation of § 1030(a)(5) (recklessly damaging a protected computer, a misdemeanor), and two wire fraud counts.

The original CFAA counts against Swartz were premised on Swartz accessing protected computers without authorization and in excess of authorized access.  In the superseding indictment, the United States alleged only that Swartz accessed protected computers without authorization.

Circuit Split

Courts have long debated the meaning of both “without authorization” and “exceed[ing] authorized access” under the CFAA. There have been inter- and even intra-circuit splits on this issue for some time. The Fifth, Seventh and Eleventh Circuits all have held that the CFAA broadly covers violations of corporate computer use restrictions. See U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); U.S. v. John, 597 F.3d 263 (5th Cir. 2010); and Int’l Airport Ctrs. LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

In contrast, more recently the Ninth and Fourth Circuits have interpreted “exceeds authorized access” narrowly, so as not to include mere violations of corporate computer restrictions. In the leading case, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit, sitting en banc, affirmed the dismissal of the CFAA counts against David Nosal, a former employee of a search firm, who convinced his former colleagues to download and provide him with confidential firm information. The CFAA counts against Nosal were grounded in a theory that he aided and abetted his former colleagues to “exceed [their] authorized access” with intent to defraud. In other words, he was alleged to have violated the CFAA by persuading his former co-workers to use a company computer in a way prohibited by company policy. The court expressed great concern over the government’s attempt to “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” It ultimately held that there was no liability under the CFAA because the statute covers only the “unauthorized procurement or alteration of information, not its misuse or misappropriation.” Thus, according to the Ninth Circuit, violating company policy regarding computer use is not an actionable offense under the CFAA. See also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012) (affirming the dismissal of a complaint for failure to state a claim under the CFAA).

It is clear that the meanings of “without authorization” and “exceeding authorized access” are subject to varying interpretations.  The trend among courts, however, appears to be narrowing the scope of the CFAA rather than broadening it.

Aaron’s Law

The latest version of Aaron’s Law dates to June 20, 2013 and has been stalled in the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations since July 2013.

Aaron’s Law would make changes to both the CFAA and the wire fraud statute (18 U.S.C. §1343).  In substance, the proposal would eliminate the “exceeds authorized access” language.  It would further define “access without authorization” to include only obtaining “information on a protected computer,” that the “accesser lacks authorization to obtain,” by “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining or altering that information.”

With the prohibition on “exceed[ing] authorized access” abolished, Aaron’s Law would decriminalize violations of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or a terms of service agreement.  No longer would use of a computer service by a 16-year-old arguably create criminal liability where the operative service agreement provides that the user must be over 18.  This change would bring the statute in line with the cases like Nosal that have construed the CFAA narrowly.

By limiting the applicability of the CFAA to outside computer hacking, Aaron’s Law would re-write the CFAA such that even malicious, destructive conduct by a person with legitimate access to information on a computer would not seem to be prohibited.  By eliminating “exceeding authorized access” as a basis for criminal liability, Aaron’s Law might be going too far in its efforts to limit criminal liability only to hackers.

Although Nosal and some other cases focus on whether violations of terms of service agreements should be a basis for criminal liability, “exceeding authorized access” covers a much broader swath of conduct, including users with authorized access who steal or destroy valuable information.  Under Aaron’s Law there would arguably be no liability for even the most serious misconduct undertaken by legitimate users like subscribers or employees.

The CFAA should, instead, differentiate authorized users who access immaterial, non-sensitive information from authorized users who exceed their access rights in a malicious and destructive way. A more comprehensive amendment to the CFAA would (i) define what types of information are worthy of greater protection and (ii) ensure that benign activities such as violations of terms of service agreements would not risk criminal liability. The CFAA must still allow prosecution both of true hackers, regardless of the content accessed, and of authorized users who access or compromise a defined subset of sensitive or valuable information and thereby cause meaningful harm.

Finally, even had they been in place in 2010, the amendments proposed by Aaron’s Law may not have shielded Swartz from prosecution. After all, the superseding indictment charged Swartz with “unauthorized access” of the MIT network, and he allegedly circumvented both technological and physical measures to obtain JSTOR information. Such conduct is very likely prohibited by the current version of the CFAA and would have been explicitly prohibited by Aaron’s Law.


Allison D. Burroughs, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses her practice on white collar criminal defense and government investigations, computer fraud and abuse and complex civil litigation.

Benjamin L. Mack, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses his practice on securities litigation, government investigations, commercial business disputes, bankruptcy litigation and intellectual property litigation.

Heather B. Repicky, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses her practice on civil litigation, with an emphasis on IP and complex commercial matters.