2013.05.16 cfaa powerpoint for ima.v1

FRAUD 2.0
Helping Businesses Prepare for
Computer Fraud and
Data Breaches
The Association ofAccountants and Financial
Professionals in Business
May 16, 2013

2
#fraud20
www.brittontuma.com

3
have you ever
heard of …
www.brittontuma.com #fraud20

4
Aaron Swartz?

5
SandraTeague?

6
Bradley Manning?

7
Hacking?

8
Data Breach?

9
IdentityTheft?

10
Stuxnet?

11
Active Defense?

12
NON COMPUTER
RELATED FRAUD?

13
As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
2012 Norton Cybercrime Report
www.brittontuma.com

14
What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
• all multifarious means which human ingenuity
can devise, and which are resorted to by one
individual to get advantage over another by
false suggestions or suppression of the truth

15
Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• via wire

16
What do computers do?
EFFICIENCY!

17
FRAUD 2.0

18
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers
and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches
of data security, corporate espionage, privacy
breaches, computer worms,Trojan
horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice

19
Who knows the percentage of
businesses that suffered at least one act
of computer fraud in last year?
90%
(Ponemon Institute Study)

20
BRIEF HISTORY OF
THE COMPUTER FRAUD
AND ABUSE ACT
(CFAA)
#fraud20

21
Computer Fraud and Abuse Act
Federal Law – 18 U.S.C § 1030

22www.brittontuma.com #fraud20

23www.brittontuma.com #fraud20

24
 Primary Law for Misuse of Computers
 Computers …
Why is the Computer Fraud
and Abuse Act important?

25www.brittontuma.com
“Everything has a
computer in it nowadays.”
-Steve Jobs
#fraud20

26
WHAT IS A COMPUTER?
#fraud20

has a processor or stores data
“the term ‘computer’ means an
electronic, magnetic, optical, electrochemical, or other high
speed data processing device performing logical, arithmetic, or
storage functions, and includes any data storage facility or
communications facility directly related to or operating in
conjunction with such device, but …”
IMPORTANT! “such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device;”
The CFAA says
#fraud20

What about . . .
#fraud20

“’That category can include coffeemakers, microwave
ovens, watches, telephones, children’s toys, MP3
players, refrigerators, heating and air-conditioning
units, radios, alarm clocks, televisions, and DVD
players, . . . .”
-UnitedStates v. Kramer
The Fourth Circuit says
#fraud20

This may limit the problem of applying it to alarm
clocks, toasters, and coffee makers – for now?
The CFAA applies only to “protected” computers
Protected = connected to the Internet
Any situations where these devices are connected?
#fraud20

seriously . . .
#fraud20

• TI-99
• 3.3 MHz Processor
• 16 KB of RAM
• Leap Frog Leapster
• 96 MHz Processor
• 128 MB of RAM
• iPhone 5
• 1.02GHz Processer
• 1 GB of RAM
#fraud20

66 MHz =
fastest
desktop in 80s
96 MHz = child’s
toy today
250 MHz =
fastest super
computer in 80s
1.02 GHz =
telephone today
#fraud20

34
WHAT DOES THE CFAA
PROHIBIT?
#fraud20

35
CFAA prohibits the access of a protected
computer that is
 Without authorization, or
 Exceeds authorized access

36
Where the person accessing
 Obtains information
 Commits a fraud
 Obtains something of value
 Transmits damaging information
 Causes damage
 Traffics in passwords
 Commits extortion

37
 Overly simplistic list
 Very complex statute
 Appears deceptively straightforward
 Many pitfalls
www.brittontuma.com
“I am the wisest man
alive, for I know one
thing, and that is that I know
nothing.”
-Socrates
#fraud20

38
Two Most Problematic Issues
 “Loss” Requirement
• Confuses lawyers and judges alike
 Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012

39
Limited civil remedy
 Procedurally complex with many cross-
references
 “damage” ≠ “damages”
 Must have $5,000 “loss” (i.e., cost)
 Loss requirement is jurisdictional threshold

40
What is a “loss”?
“any reasonable cost to any victim, including the cost of
responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its
condition prior to the offense, and any revenue lost, cost
incurred, or other consequential damages incurred because of
interruption of service.”
Loss = cost (unless interruption of service)

41
Remedies
 Available
• Economic damages
• Loss damage
• Injunctive relief
 Not Available
• Exemplary damages
• Attorneys’ fees

42
Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized
access;
3. Obtained information from any protected
computer; and
4. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.

43
Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized
access;
4. By doing so, furthers the intended fraud and
obtains anything of value; and
5. Victim incurred a loss to one or more persons
during any 1-year period of at least $5,000.

45
General Access Principles
 Access by informational / data use
 ≠ technician
 Must be knowing or intentional access
 ≠ accidental access

“without authorization”
 Outsiders
 No rights
 Not defined
 Only requires intent to
access, not harm
 Hacker!
“exceeds authorized”
 Insiders
 Some rights
 CFAA defines: access in
a way not entitled
 Necessarily requires
limits of authorization
 Employees, web
users, etc.
TwoTypes of Wrongful Access
#fraud20

47
When does authorization terminate?
Trilogy of AccessTheories
• AgencyTheory
• Intended-Use Theory
• Strict AccessTheory

48
Ways to establish limits for Intended-Use
 Contractual
• Policies: computer use, employment & manuals
• WebsiteTerms of Service
 Technological
• Login and access restrictions
• System warnings
 Training and other evidence of notification
 Notices of intent to use CFAA

49
Employment Situations
Most common scenario is employment
• Employee access and take customer account information
• Employee accesses and takes or emails confidential information
to competitor
• Employee improperly deletes data and email
• Employee deletes browser history 
• Employee accessing their Facebook, Gmail,Chase accounts at
work 

50
Family Law Situations
Have you ever logged into your significant other’s email or Facebook
to see what they’re saying to others?
DON’TANSWERTHAT!
• Estranged spouse inArkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?

51
SharingWebsite Logins
Have you ever borrowed or shared website login credentials and
passwords for limited access sites (i.e., online accounts)?
DON’TANSWERTHAT!
• Recent case held that permitting others to use login credentials
for paid website was viable CFAA claim
• The key factor here was the conduct was prohibited by the
website’s agreed toTerms of Service

52
Misuse ofWebsites
Ever created a fake profile or used a website for
something other than its intended purpose?
DON’T ANSWERTHAT!
• Myspace Mom case – United States v. Drew
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when
prohibited byTOS
• Creating fake Facebook to research opposing parties

Have you ever heard of?
• Aaron Swartz – information liberator!
• SandraTeague – Obama’s academic records
• Bradley Manning –released classified info
• Stuxnet – variations for corporate espionage
• Active Defense – fun stuff – call me!
#fraud20

54
DATA BREACH
WHAT DO YOU DO?
#fraud20

55
Data Breach
• product of computer fraud
• on the rise
• major risk to virtually all businesses
• PII, PHI, financial data, cardholder data
• disruption and data loss
• claims from data subjects
• fines and penalties from govts, agencies, indust. groups
• impossible to prevent
• plan ahead to reduce harm

56
4 Phases of Data Breach
• Preparation
• Prevention
• Understanding
• Laws, Rules & Regulations
• Responding

57
Preparation
• Breach Response Plan
• Goal  Execute!
• Who,What,When, How
• Attorney – privilege
• Adopted Notification Form
• EducateTeam
• IT Security Audit / PenetrationTesting
• Compliance Audit
• HIPAA, ERISA, OSHA, PCI, FINRA
• Cyber Insurance

58
Prevention
• Software and Systems Updates
• RemediateVulnerabilities
• Encrypt, Encrypt, Encrypt
• Data Surveillence & IT Alerts
• Cyber CounterIntelligence / CounterEspionage
• ITAlerts

59
Understanding Laws, Rules & Regulations
• No Federal Breach Notification Law (yet)
• 46 States’ Have Laws
• ≠Alabama, Kentucky, New Mexico, South Dakota
• Massachusetts is an oddball
• 45 days (FL, OH,VT,WI) otherwise expeditious without
unreasonable delay
• Consumers + State Attorney General
• Agencies (FTC, HHS, OCR, DOL, SEC)
• Industries (FINRA, PCI)
• International

60
Responding to a Breach – Just Execute the Plan!
• ContactAttorney
• Assemble ResponseTeam
• Contact Forensics
• ContactVendor for Notification
• Investigate Breach
• Remediate ResponsibleVulnerabilities
• Reporting & Notification
• Law Enforcement First
• AGs,Admin. Agencies, Industries, Cred. Rpt, Consumers

61
OTHER LAWS FOR
COMBATING FRAUD 2.0
#fraud20

62
Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act - 18 U.S.C. § 2510
• Wiretap Act ≠ intercept communications
• Stored CommunicationsAct ≠ comm. at rest
• Fraud with Access Devices - 18 U.S.C. § 1029
• devices to obtain passwords, phishing, counterfeit
devices, scanning receivers, drive through swipe cards
• IdentityTheft – 18 U.S.C. § 1028

63
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
• knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51
• Unlawful Interception, Use, or Disclosure ofWire, Oral or Electronic
Communications (TPC § 16.02)
• UnlawfulAccess to Stored Communications (TPC § 16.04)
• IdentityTheft Enforcement and ProtectionAct (BCC § 48.001)
• Consumer ProtectionAgainstComputer Spyware Act (BCC § 48.051)
• Anti-PhishingAct (BCC § 48.003)

64
• Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of
computer fraud (sometimes) – evolving!
• Data Breaches – be prepared – it will happen!
• Many other Federal andTexas laws also available
for combating computer fraud
• Cyber Insurance

2013.05.16 cfaa powerpoint for ima.v1

More Related Content

What's hot (19)

Similar to 2013.05.16 cfaa powerpoint for ima.v1 (20)

More from Shawn Tuma (20)

2013.05.16 cfaa powerpoint for ima.v1