Cybercrime Fighters: Companies Have More Legal Weapons to Defend Against Attacks on Their Computer Systems

August 1, 2003
From the August ABA Journal, ABA Connection, Thursday, July 31, 2003
By Jenny B. Davis
Imagine yourself at a business that out of the blue receives an e-mail from an anonymous sender claiming that he can log into the company’s supposedly secure computer system using your secret password. And he has your credit card number. And he knows secrets about your company’s internal functions. And if you don’t pay him, he’ll tell your customers that he’s been able to hack into your system—which they also had believed was secure.
That exact scenario unfolded within the past few years for Michael Bloomberg, the head of financial information services giant Bloomberg Inc., and perhaps better known as the current mayor of New York City.
The perpetrator was operating his scheme from a location about as far from Manhattan as he could be. Oleg Zezev broke into the Bloomberg computer system from his home in Kazakhstan, in central Asia. Using the alias “Alex” and two free Hotmail accounts, Zezev attempted to extort money from Bloomberg in exchange for staying mum about breaking into the company’s computer system, according to reports by the U.S. Department of Justice.
Bloomberg chose not to buy Zezev off. Instead, he worked with law enforcement authorities in the United States, Great Britain and Kazakhstan. Eventually, they lured Zezev to London, where he was arrested and later deported to the United States on criminal charges.
In February, Zezev was convicted in federal court on all four counts brought against him, including attempted extortion and computer intrusion. He was sentenced on June 30 to 51 months in prison.
But you don’t have to be a mogul to face the threat of incursions into your company’s computer systems. Such electronic attacks—which have come to be known as cybercrime—are being committed with increasing frequency against businesses of all sizes.
In a 2002 survey of computer security experts working for the U.S. private sector and federal government, conducted by the San Francisco-based Computer Security Institute, some 90 percent of the respondents reported that they had logged a computer security breach within the past 12 months. Eighty percent of these breaches resulted in financial loss.
While concerns about cybercrime already were growing before Sept. 11, 2001, that day’s attacks on New York City and Washington, D.C., sharpened fears that terrorists might target computer systems as well. Acknowledging the critical nature of the nation’s private computer infrastructure, the U.S. Department of Homeland Security in June established the National Cyber Security Division to address threats to government and corporate computer systems.
The new division will work in tandem with the private sector to protect against foreign and domestic cyberterrorism. It also will strive to safeguard computer systems against corporate crimes like espionage that could jeopardize information vital to national security, financial institutions and other economic sectors.
The National Cyber Security Division joins several government-backed initiatives focusing on cybersecurity, including the President’s Critical Infrastructure Protection Board and the Partnership for Critical Infrastructure Security.
Using a computer to commit theft, fraud, extortion or money laundering doesn’t automatically qualify as a cybercrime, says Jody R. Westby of Denver, who chairs the Privacy and Computer Crime Committee in the ABA Section of Science and Technology. Those types of crimes can be prosecuted largely under existing criminal laws even if they involve the extensive use of computers to facilitate the wrongdoing, says Westby, who edited the International Guide to Combating Cybercrime, published by the section.
“There is a difference between cybercrime and crimes facilitated by a computer,” says Westby. In a cybercrime, a perpetrator typically gains access to a computer system without the owner’s authorization; exceeds the scope of authorization to access the system; accesses, modifies or destroys computer data without authorization; or uses computer time and resources without authorization.
“When you’re talking about sending viruses and worms, hacking into systems and stealing data electronically, e-mailing that data out of system, walking out the door with a disc, unlawfully accessing or misusing electronic data, that’s cybercrime,” says Westby.
The potential losses from cybercrime also can reach far beyond the stakes in most conventional financial crimes. By its nature, cybercrime compromises the integrity of entire computer networks whose primary purposes include protecting the security of information about a company and its customers. Intrusions into those systems can undermine the credibility of the company in the eyes of its customers and the general marketplace.
“I tell clients that if there’s a computer breach, they can’t just write it off as the work of a teenage hacker and forget about it,” says Joseph M. Burton of Duane Morris in San Francisco. “Every breach has the possibility of being both a criminal issue and a civil issue.”
One misperception about cybercrime is that attacks on a company’s computer system are a matter for the technology staff, rather than the legal department, says Mark Heaphy, a lawyer at Wiggin & Dana in New Haven, Conn., and an adjunct professor of software and Internet law at Quinnipiac University School of Law in nearby Hamden.
Another misperception is that cybercrime only affects technology companies, says W. Scott Creasman of Powell, Goldstein, Frazer & Murphy in Atlanta. “Companies don’t realize how much they rely on technology to run their businesses,” he says. “If you’re in the hotel business, for example, you’re not a tech company, but you need computer systems to do things like take reservations and store credit card information. The security of your network means a lot.”
But cybercrime is just that—a crime—not just a part of tech lingo. And there is a growing body of statutory law at the federal and state levels specifically designed to address cybercrime, offering victims significant remedies in both civil and criminal courts.
One of the principal cybercrime statutes is the U.S. Computer Fraud and Abuse Act, which criminalizes certain activities that undermine the confidentiality, integrity and availability of data. The civil component of this statute allows targets of cybercrime to obtain compensatory damages, injunctive relief and equitable remedies.
Originally passed in 1984 to protect classified information on government computers, the act was broadened in 1986 to apply to “federal interest computers.” In 1996, this phrase was replaced by the more general concept of “protected computer,” making the statute more widely applicable to the private sector, regardless of governmental interest or involvement.
An early case to apply the broader scope of the Computer Fraud and Abuse Act was Shurgard Storage Center Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000). In this case, a Shurgard employee left to join Safeguard, a competitor. In the course of his departure, the employee allegedly sent e-mails to Safeguard that contained Shurgard trade secrets. Shurgard brought the expected causes of action against Safeguard, including tortious interference and unfair competition, but it also alleged a violation of the computer fraud act.
In a case of first impression, the court rejected Safeguard’s motion to dismiss. The court held that Shurgard may proceed with its lawsuit in light of the 1996 amendments that broadened the act’s scope, defining “protected” computers simply as those “used in interstate or foreign commerce or communication,” in the words of the statute. (The case settled in 2001.)
In addition to statutes that target cybercrimes, companies are finding increasing success in pursuing civil remedies under traditional common-law theories of liability like negligence and trespass to chattels (a nontech term if there ever was one).
And businesses also are starting to realize that they may themselves face liability if they fail to address unauthorized computer intrusions.
Respondents in last year’s Computer Security Institute survey said two of the main reasons for not reporting computer intrusions are concerns about negative publicity and giving ammunition to competitors.
But Heaphy says the information rarely stays under wraps for long. “Hackers tend to be very public about it, and it spreads through the rumor mill, where the significance of the intrusion can even be escalated,” he says.
That can result in an even greater public relations nightmare, says Creasman. “If the public finds out about a hacking that happened six months ago, you come out looking like Enron,” he says. “Even if you’re not necessarily a high-profile company—if you’re a small business or you’re in the health care industry and have privacy concerns—you’re always better coming out with it. You have a better chance of managing the way the matter is handled.”
Disclosing a computer intrusion also can save a company from significant potential liability, experts point out. Say, for example, that company officials knew about a hole in security, and information was accessed through that hole—information the company had a contractual duty to hold confidential. Shareholders could charge the company with breach of a fiduciary duty, especially if it knew about the security breach but did nothing to correct it.
“The possibility for shareholder lawsuits for security breaches is there, especially if there is a loss in stock value,” says Burton.
And just because there was no damage caused by the hack attack doesn’t get a company off the hook for liability if it fails to respond.
“Hackers often hop from computer to computer to cover their tracks, so they might have hacked into one computer not to access files but to cover their tracks on their way to hack into someone else’s system,” Burton says. “Even if you did not know the hacker was coming after someone else, as long as you knew the hacker was there and you didn’t do anything about it, you could be sued by the downstream company.”
This situation already has played out in “denial of service” cases, in which a company is deprived of services, such as e-mail or Web site access, through the actions of another company or an individual. Even if nothing is stolen or destroyed, these electronic incursions can cost the target company a great deal of money and time.
An oft-cited denial-of-service case is eBay Inc. v. Bidder’s Edge Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000), in which the popular online auction site sought a preliminary injunction against Bidder’s Edge on a trespass-to-chattels claim.
Bidder’s Edge wasn’t actually a competitor of eBay; rather, it ran what’s called an “aggregation site,” where consumers can search several online auction sites at once. Bidder’s Edge gathered information from eBay by using software robots—computer programs that perform search, copy and retrieval functions on multiple Web sites.
Software robots are a boon to Internet users who want to conduct multisite searches, but they can be bad news for companies that own the sites being searched because they consume processing and storage resources of the system they’re searching. That can slow down a site, cause it to malfunction, lose data and even crash completely, translating into significant monetary losses.
In the case, eBay alleged that Bidder’s Edge was accessing its Web site without authorization, diminishing its quality and value. The U.S. district court granted eBay a preliminary injunction prohibiting Bidder’s Edge robots from crawling its site. In addition to ruling that Bidder’s Edge was not given permission to access the eBay site, the court held that simply by taking up bandwidth and capacity on eBay’s servers, Bidder’s Edge was compromising the quality and value of eBay’s property even though the company could not prove tangible damage.
Case law on cybercrime issues may start to develop further in the wake of emerging standards and best practices for computer security, which are being crafted in industry sectors like insurance, banking and finance, and oil and gas. Industry groups often work with government bodies that promote public-private partnerships, such as the President’s Critical Infrastructure Protection Board.
Creasman says it’s only a matter of time before such standards adopted by various industries are used in court. “Say your system is hacked and your stock drops as a result,” he says. “Class action lawyers will start salivating if you didn’t take the actions recommended by this or that organization.”
While it is becoming increasingly apparent that cybercrime incidents can’t be ignored, the best course for responding to them is less clear.
“It’s really case by case,” says Heaphy. “It depends on who you are, what your sensitivities are and what was hacked.”
There are, for instance, clear benefits to reporting cybercrime to law enforcement authorities. “Not only will the government take the matter out of your hands, but the investigation will be on their nickel,” says Heaphy. “And you get the photo op of the hacker getting led off in handcuffs.”
Filing criminal reports about computer attacks from inside a company also can have pre-emptive advantages, says Creasman. “Some companies will want to go after these folks for the in terrorem effect, as a deterrent to other would-be hackers,” he says. “If you deal with it internally, employees know that. You have to let them know it won’t be swept under the rug.”
But handing a case over to police authorities also has its drawbacks. Most notable, says Heaphy, is that the government’s broader enforcement goals aren’t always compatible with the narrow agenda of a company that wants to minimize the impact of the incident on its own operations.
There are practical concerns as well, says Creasman, such as dealing with the FBI. “If you think they will be [at your company] for an afternoon and they decide they want to take three weeks, they will be taking that three weeks.”
Instead of going directly to the FBI or local police, Creasman tells many of his clients to first try the CERT Coordination Center (CERT/CC), located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University in Pittsburgh. CERT/CC, originally known as the Computer Emergency Response Team, gives technical advice to government, law enforcement, academia, the business community and the general public in the wake of computer security breaches, and helps coordinate responses to intrusions.
“They can tell you whether you have a ‘microproblem’ or a ‘macroproblem,’ whether you’re alone or one of a series of 50 attacks,” says Creasman. That kind of information influences whether any specific case will be a priority for law enforcement.
A company hit by cybercrime may choose to pursue a civil cause of action, either in addition to or in lieu of criminal action.
“When you bring a civil suit,” says Heaphy, “you have more control—you control the settlement, you can control the impact.”
While common-law remedies exist for many computer-related transgressions, such as theft of trade secrets and breach of contract, computer law experts say bringing an action under newer statutes like the Computer Fraud and Abuse Act also offers advantages.
“These statutes can get you jurisdiction in federal court where you might not otherwise be entitled to it,” says Peter Black of Verrill & Dana in Portland, Maine. “People like to stay away from state courts for many reasons, including speed and complexity of issues. Some cases are just more suitable for federal court, and if you can find a way to get them there you might get a better result for your client.”
Moreover, says Creasman, bringing a civil action might be the best assurance that a particular case will be dealt with. “The FBI deals with the real bad guys out there—the people who threaten national security and stalk 13-year-old girls,” he says.
“They are very helpful if you have a really serious problem,” Creasman says, “but a lot of times they will come in and say, ‘Yes, you fall under criminal statutes, but you’re not going to be a high priority for us—your best remedy will be in the civil realm.’”
Meanwhile, local police agencies often lack the resources to pursue cybercrime, says Creasman.
Many investigations, for instance, lead to suspects or servers located in foreign countries. And even when that may not be the case, international investigations still may be necessary due to the circuitous route most e-mail messages take between servers, called “packet switching.”
International investigations—especially in developing countries—can pose myriad complications, says Westby of the ABA’s Science and Technology Section. Among the hurdles she cites are jurisdictional issues, evidentiary considerations like maintaining a chain of custody, and privacy issues. There also might be inconsistency between laws; some action that is illegal in the United States might not be prohibited by another country. Many countries, she says, require that an action be considered criminal under both their laws and U.S. law before they will assist in an investigation.
And even then, foreign authorities still may not be willing to assist a company’s cybercrime investigation. Often, their resources are stretched so thin that investigating an American computer intrusion is hardly a top priority.
Ultimately, says Westby, there is a very real possibility that the investigation will lead to a dead end. “Through the whole process, you just have to hope that someone somewhere kept a record,” she says.
Lawyers in the field say companies should prepare for an intrusion into their computer systems.
“My own preference is that companies have this as a board item where they examine what kind of security measures they have in place, whether they have a plan, how it works, what are the risks to the system,” says Creasman of Atlanta. “You also have to have a rational plan for allocating resources. You may have a 50 percent risk that someone could hack into your system, but if that’s just the chance that someone can make a smiley face appear when you log in, that’s not a big deal. But if there’s a 2 percent chance that you won’t be able to check people into your hotel, that’s a huge problem.”
One protective measure can be found in the legalese of a terms-of-use agreement—that small print on a Web site accompanied by “I Agree” and “I Do Not Agree” buttons. Hit “I Agree” and obtain access to the rest of the site; refuse and you are often logged out.
These agreements amount to contracts binding the customer to certain terms of use for the information contained on the site. And breaches of the terms of use can provide another basis for recovery in cybercrime cases.
Terms-of-use agreements are especially useful in data mining or data scraping cases, where information is being lifted off a publicly available Web site and used in an unauthorized manner, says W. Reid Wittliff of Graves, Dougherty, Hearon & Moody in Austin, Texas. “If a person or company is crawling your Web site and looking for information—perhaps they are scraping it from your Web site to repackage and sell it—this is one avenue to stop it.”
It is also imperative to establish a protocol for saving and maintaining data once an intrusion into a computer system has been detected. “If the information isn’t saved in a manner in which it can be used in court—and very often the information isn’t saved at all—there may be no evidence left if, two weeks later, you have a change of heart and want to report it,” says Burton.
“There’s not an expectation that anyone’s system is perfect,” says Creasman. “People see stories all the time about hacking and getting into systems. It’s a question of what you are doing about it, how you responded to it.”