2013.05.16 cfaa powerpoint for ima.v1

Post on 12-Dec-2014


FRAUD 2.0
Helping Businesses Prepare for Computer Fraud and Data Breaches

Shawn E. Tuma
www.brittontuma.com

The Association of Accountants and Financial Professionals in Business

May 16, 2013

#fraud20

Have you ever heard of …

• Aaron Swartz?

• Sandra Teague?

• Bradley Manning?

• Hacking?

• Data Breach?

• Identity Theft?

• Stuxnet?

• Active Defense?

• Non computer related fraud?

The Statistics

As of September 2012, cybercrime

• costs $110 billion annually

• 18 adults every second are victims

• 556,000,000 adults every year are victims

• 46% of online adults are victims

• mobile devices are trending

(2012 Norton Cybercrime Report)

Fraud?

What is fraud?

• Fraud is, in its simplest form, deception

• Black’s Law Dictionary: “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”

Fraud?

Traditional vehicles for fraud?

• verbal communication

• written communication

• in person

• through mail

• via wire

What do computers do?

EFFICIENCY!

FRAUD 2.0

Fraud 2.0

Computer Fraud = Fraud 2.0

• Deception, through the use of a computer

• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”

• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks

• mouse and keyboard = modern fraudster tools of choice

Fraud 2.0

Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?

90% (Ponemon Institute Study)

BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)

The Law!

Computer Fraud and Abuse Act

Federal Law – 18 U.S.C. § 1030

History of CFAA

Why is the Computer Fraud and Abuse Act important?

Why?

Primary Law for Misuse of Computers

Computers …

Why Computers?

“Everything has a computer in it nowadays.”

- Steve Jobs

WHAT IS A COMPUTER?

What is a computer?

The CFAA says: has a processor or stores data

“the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”

IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”

What is a computer?

What about . . .

Anything with a microchip

The Fourth Circuit says:

“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”

- United States v. Kramer

What is a “protected” computer?

The CFAA applies only to “protected” computers

Protected = connected to the Internet

This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?

Any situations where these devices are connected?

What is a computer?

seriously . . .

Perspective

• TI-99: 3.3 MHz Processor, 16 KB of RAM

• Leap Frog Leapster: 96 MHz Processor, 128 MB of RAM

• iPhone 5: 1.02 GHz Processor, 1 GB of RAM

Perspective

66 MHz = fastest desktop in 80s

96 MHz = child’s toy today

250 MHz = fastest super computer in 80s

1.02 GHz = telephone today

WHAT DOES THE CFAA PROHIBIT?

Statutory Language

CFAA prohibits the access of a protected computer that is

• Without authorization, or

• Exceeds authorized access

Statutory Language

Where the person accessing

• Obtains information

• Commits a fraud

• Obtains something of value

• Transmits damaging information

• Causes damage

• Traffics in passwords

• Commits extortion

Very Complex Statute

• Overly simplistic list

• Very complex statute

• Appears deceptively straightforward

• Many pitfalls

“I am the wisest man alive, for I know one thing, and that is that I know nothing.”

- Socrates

Very Complex Statute

Two Most Problematic Issues

“Loss” Requirement

• Confuses lawyers and judges alike

Unauthorized / Exceeding Authorized Access

• Evolving jurisprudence

• Interpreted by many Circuits

• New conflict on April 10, 2012

Civil Remedy

• Limited civil remedy

• Procedurally complex with many cross-references

• “damage” ≠ “damages”

• Must have $5,000 “loss” (i.e., cost)

• Loss requirement is jurisdictional threshold

Civil Remedy

What is a “loss”?

“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Loss = cost (unless interruption of service)

Civil Remedy

Remedies Available

• Economic damages

• Loss damage

• Injunctive relief

Not Available

• Exemplary damages

• Attorneys’ fees

Basic Elements

Elements of broadest CFAA Claim

1. Intentionally access computer;

2. Without authorization or exceeding authorized access;

3. Obtained information from any protected computer; and

4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

Basic Elements

Elements of CFAA Fraud Claim

1. Knowingly and with intent to defraud;

2. Accesses a protected computer;

3. Without authorization or exceeding authorized access;

4. By doing so, furthers the intended fraud and obtains anything of value; and

5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.

WRONGFUL ACCESS

Wrongful Access

General Access Principles

• Access by informational / data use ≠ technician

• Must be knowing or intentional access ≠ accidental access

Wrongful Access

Two Types of Wrongful Access

“without authorization”

• Outsiders

• No rights

• Not defined

• Only requires intent to access, not harm

• Hacker!

“exceeds authorized”

• Insiders

• Some rights

• CFAA defines: access in a way not entitled

• Necessarily requires limits of authorization

• Employees, web users, etc.

Wrongful Access

When does authorization terminate?

Trilogy of Access Theories

• Agency Theory

• Intended-Use Theory

• Strict Access Theory

Wrongful Access

Ways to establish limits for Intended-Use

Contractual

• Policies: computer use, employment & manuals

• Website Terms of Service

Technological

• Login and access restrictions

• System warnings

Training and other evidence of notification

Notices of intent to use CFAA

Wrongful Access – Examples

Employment Situations

Most common scenario is employment

• Employee accesses and takes customer account information

• Employee accesses and takes or emails confidential information to competitor

• Employee improperly deletes data and email

• Employee deletes browser history

• Employee accessing their Facebook, Gmail, Chase accounts at work

Wrongful Access – Examples

Family Law Situations

Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?

DON’T ANSWER THAT!

• Estranged spouse in Arkansas did after separation

• NTTA account?

• Bank account?

• Cancelling services via online accounts?

Wrongful Access – Examples

Sharing Website Logins

Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)?

DON’T ANSWER THAT!

• Recent case held that permitting others to use login credentials for paid website was viable CFAA claim

• The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service

Wrongful Access – Examples

Misuse of Websites

Ever created a fake profile or used a website for something other than its intended purpose?

DON’T ANSWER THAT!

• Myspace Mom case – United States v. Drew

• Fake login to disrupt legitimate website sales

• Accessing website to gain competitive information when prohibited by TOS

• Creating fake Facebook to research opposing parties

Earlier Questions?

Have you ever heard of?

• Aaron Swartz – information liberator!

• Sandra Teague – Obama’s academic records

• Bradley Manning – released classified info

• Stuxnet – variations for corporate espionage

• Active Defense – fun stuff – call me!

DATA BREACH – WHAT DO YOU DO?

Data Breach

• product of computer fraud

• on the rise

• major risk to virtually all businesses

• PII, PHI, financial data, cardholder data

• disruption and data loss

• claims from data subjects

• fines and penalties from govts, agencies, indust. groups

• impossible to prevent

• plan ahead to reduce harm

Data Breach

4 Phases of Data Breach

• Preparation

• Prevention

• Understanding Laws, Rules & Regulations

• Responding

Data Breach

Preparation

• Breach Response Plan

  • Goal: Execute!

  • Who, What, When, How

  • Attorney – privilege

  • Adopted Notification Form

• Educate Team

• IT Security Audit / Penetration Testing

• Compliance Audit

  • HIPAA, ERISA, OSHA, PCI, FINRA

• Cyber Insurance

Data Breach

Prevention

• Software and Systems Updates

• Remediate Vulnerabilities

• Encrypt, Encrypt, Encrypt

• Data Surveillance & IT Alerts

  • Cyber CounterIntelligence / CounterEspionage

  • IT Alerts

Data Breach

Understanding Laws, Rules & Regulations

• No Federal Breach Notification Law (yet)

• 46 States Have Laws

  • ≠ Alabama, Kentucky, New Mexico, South Dakota

  • Massachusetts is an oddball

  • 45 days (FL, OH, VT, WI) otherwise expeditious without unreasonable delay

  • Consumers + State Attorney General

• Agencies (FTC, HHS, OCR, DOL, SEC)

• Industries (FINRA, PCI)

• International

Data Breach

Responding to a Breach – Just Execute the Plan!

• Contact Attorney

• Assemble Response Team

• Contact Forensics

• Contact Vendor for Notification

• Investigate Breach

• Remediate Responsible Vulnerabilities

• Reporting & Notification

  • Law Enforcement First

  • AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers

OTHER LAWS FOR COMBATING FRAUD 2.0

Federal Laws

Federal Laws for Combating Fraud 2.0

• Electronic Communications Privacy Act – 18 U.S.C. § 2510

  • Wiretap Act ≠ intercept communications

  • Stored Communications Act ≠ comm. at rest

• Fraud with Access Devices – 18 U.S.C. § 1029

  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive through swipe cards

• Identity Theft – 18 U.S.C. § 1028

Texas Laws

Texas Laws for Combating Fraud 2.0

• Breach of Computer Security Act (Tx. Penal Code § 33.02)

  • knowingly access a computer without effective consent of owner

• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)

• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)

• Unlawful Access to Stored Communications (TPC § 16.04)

• Identity Theft Enforcement and Protection Act (BCC § 48.001)

• Consumer Protection Against Computer Spyware Act (BCC § 48.051)

• Anti-Phishing Act (BCC § 48.003)

Conclusion

• Welcome to the world of Fraud 2.0!

• Why? Remember what Jobs said

• CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!

• Data Breaches – be prepared – it will happen!

• Many other Federal and Texas laws also available for combating computer fraud

• Cyber Insurance

Do You Want to Know More?

www.brittontuma.com

www.shawnetuma.com

Shawn E. Tuma

d. 469.635.1335

m. 214.726.2808

e. stuma@brittontuma.com

@shawnetuma

Copyright © 2012
