Legal Report February 2010
U.S. JUDICIAL DECISIONS
COMPUTER POLICIES. A federal appeals court has ruled that while an employee breached internal corporate policy when he downloaded company documents without permission, he did not violate federal law. The company sued the former employee under a law that makes it illegal for unauthorized personnel to access a corporate network.
LVRC Holdings operates Fountain Ridge, a residential treatment center for drug addicts, in Nevada. In April 2003, LVRC hired Christopher Brekka to conduct Internet marketing and help maintain the company’s Web site. When Brekka was hired, he owned two consulting businesses that directed potential patients to rehabilitation facilities like Fountain Ridge. LVRC’s owner, Stuart Smith, was aware of these businesses when he hired Brekka.
During his employment with LVRC, Brekka lived in Florida, where one of his consulting businesses was located. He commuted between his home and Nevada, where LVRC and his other consultancy were based. Brekka was assigned a computer at LVRC. However, when he was commuting, he often e-mailed documents to and from his personal computer.
In June 2003, Brekka requested administrative access to LVRC’s computer network. Smith granted the request and Brekka was assigned an administrative e-mail account and password. Using this account, Brekka was able to access information about LVRC’s Web site including usage statistics.
In August, Brekka expressed interest in purchasing an ownership interest in LVRC. During these negotiations, Brekka emailed several LVRC documents to his personal e-mail account and to his wife’s personal account. These documents included financial statements, marketing budgets, and a master admissions report that included names of past and current patients.
Talks broke down in mid-September and Brekka left LVRC. He left his company computer in Nevada and did not delete any e-mails from that computer. In November 2004, a routine audit found that someone had remotely logged into LVRC’s network using Brekka’s old account. LVRC deactivated the account the same day and filed a report with the FBI alleging that Brekka had unlawfully logged into the company’s network.
LVRC filed a lawsuit against Brekka claiming that he violated the federal Computer Fraud and Abuse Act (CFAA) by e-mailing corporate documents to himself in 2003 and accessing the company network in 2004, long after he had stopped working for LVRC. Brekka requested summary judgment—a hearing based on the facts of the case without a trial. He argued that he had full authorization to e-mail the documents to himself and, thus, could not have violated the CFAA. Further, he denied accessing LVRC’s network in 2004.
The U.S. District Court for the District of Nevada granted summary judgment, ruling that because Brekka had been granted administrative access by LVRC, he was an authorized user of the network. The court ruled that Brekka could not have violated the CFAA because the law, which was designed to address hacking incidents, explicitly outlaws only unauthorized access.
The court also noted that LVRC lacked evidence to prove that Brekka had accessed the company network after he left his employment, though such an action would have violated the CFAA. Besides Brekka, two other LVRC employees had knowledge of and access to the administrative username and password assigned to Brekka. Other employees also had access to Brekka’s computer, where the login information was stored, after he left the company. The company tracked the log-in attempt to a regional ISP server but could not prove that Brekka accessed the account.
While the court acknowledged that Brekka exceeded his authorization when he downloaded documents that his employer clearly did not want him to have, it held that he did not violate the letter of the law. In the written opinion of the case, the court wrote that “for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations.” (LVRC Holdings LLC v. Brekka, U.S. Court of Appeals for the Ninth Circuit, No. 07-17116, 2009)
CYBERSECURITY. A federal appeals court has ruled that a couple may pursue a lawsuit against their bank for negligent security after a hacker broke into the couple’s online account and stole thousands of dollars. The court allowed the suit to proceed, finding that the bank’s lax security procedures could have led to the theft.
Michael and Martha Shames-Yeakel had a home equity line of credit with Citizens Financial Bank, which has branch locations in Chicago and northwest Indiana. In February 2007, an unknown person accessed the line of credit and, using the Shames-Yeakels’ username and password, ordered a $26,500 advance. The thieves initially deposited the money into the Shames-Yeakels’ business checking account. From there, the funds were wired to a bank in Hawaii and then to a bank in Austria.
Ten days after the transaction, the Shames-Yeakels noticed the transfer. Though it launched an investigation into the matter, the bank was unable to retrieve the funds. The bank then notified the Shames-Yeakels that because they failed to report the theft in a timely manner, they would be liable for the loss. The bank then reported the account as delinquent to credit agencies.
After pursuing the matter through the credit agencies, the Shames-Yeakels filed a lawsuit against the bank claiming violations of several federal laws. The Shames-Yeakels also claimed that the bank was negligent because its security lagged behind industry standards. Specifically, the plaintiffs argued that the bank used single-factor identification—a username and password—rather than the more robust multifactor identification method, which would use a username, password, and a token, for example. A token is an object possessed by a user, such as a digital object saved to the user’s computer or a physical device carried by the user.
At the time of the theft, Citizens was in the process of issuing physical tokens to its customers. The plaintiffs argued that the bank should have issued the tokens much earlier. As evidence, plaintiffs referenced a 2005 paper issued by the Federal Financial Institutions Examination Council (FFIEC), an independent body that advises federal agencies on the regulation of financial institutions. In the paper, FFIEC urged the adoption of multifactor identification and pointed to single-factor identification as particularly vulnerable to exploitation.
Citizens claimed that it had taken adequate security measures to protect the Shames-Yeakels’ account and that it was the duty of the plaintiffs to inform the bank of the breach in a more timely fashion.
The U.S. District Court for the Northern District of Illinois allowed the plaintiffs to proceed with their negligence claim. The decision referenced Indiana cases that have imposed a duty on banks not to disclose customer information. The appellate court found that “if this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.”
The court also noted that the bank’s delay in meeting FFIEC security standards could lead a reasonable person to conclude that the bank breached its duty to protect the Shames-Yeakels’ account against fraudulent access. (Shames-Yeakel v. Citizens Financial Bank, U.S. District Court for the Northern District of Illinois, No. 07-C-5387, 2009)
U.S. CONGRESSIONAL LEGISLATION
DATA PROTECTION. A bill (S. 139) that would require companies to notify consumers if their personally identifiable information has been accessed has been approved by the Senate Judiciary Committee. Under the bill, companies that possess such data would be required to disclose any data breach.
A company is not required to disclose a breach if doing so would damage national security or jeopardize a law enforcement investigation. Companies may also be exempt from notification requirements if a risk assessment concludes that the unauthorized access caused no harm. The risk assessment must be sent to the U.S. Secret Service within 45 days of the breach.
Under the bill, a company can presume that no significant risk was caused by the theft of information that was encrypted or rendered harmless through redaction or other industry-recognized methods.
Companies may notify consumers via telephone, mail, or e-mail. The notice must describe what type of information was accessed and provide a toll-free number to contact the company and toll-free numbers for the major credit reporting agencies.
Violations are punishable by fines of up to $1,000 per day for each individual whose information has been breached. Companies can be charged a maximum of $1 million per violation.
FEMA. A bill (H.R. 1174) that would reorganize the structure of disaster management agencies within the government has been approved by the House Transportation and Infrastructure Committee. The bill is still pending in the House Homeland Security Committee.
H.R. 1174 would reestablish the Federal Emergency Management Agency (FEMA) as an independent agency within the Executive Branch. (FEMA was placed under the Department of Homeland Security after the 9-11 attacks.) The bill would also restate FEMA’s mission to reduce the loss of life and property and protect the nation from all hazards, both natural and man-made.
BIOTERRORISM. A bill (S. 1649) that would strengthen security at laboratories that handle dangerous pathogens has been approved by the Senate Homeland Security and Governmental Affairs Committee. The Senate has not announced whether it will consider the measure.
The bill would require that the Department of Homeland Security (DHS) designate which pathogens have the potential to be used most successfully in a biological attack. DHS would then be required to establish new security standards for laboratories that handle these types of pathogens. The security standards would include risk assessments, employee screening, and training.
FOOD SAFETY. A bill (S. 510) that would allow the government to suspend the registration of a food production facility due to unsafe conditions and issue a recall of adulterated food has been approved by the Senate Health, Education, Labor, and Pensions Committee. The Senate has not announced whether it will consider the bill.
S. 510, which has a companion bill (H.R. 1332) in the House of Representatives, would require food manufacturing companies to pay fees for the inspection and recall programs. The bill would also establish a food safety verification program for foreign suppliers and would provide for the inspection of foreign facilities registered to import food into the United States.
WORKPLACE VIOLENCE. Colorado Governor Bill Ritter, Jr., has issued an executive order requiring the state to draft a policy to address domestic violence that spills over into the workplace. The policy, which is to be in place by August, will include a training program to increase awareness of the issue and the resources available for victims.
STALKING. A new law (formerly H.B. 1856) establishes new rights for tenants who are being stalked or harassed by their landlords or by employees of their landlords. Under the new law, such victims may be released from the terms of their rental agreement. If the victim wishes to stay in the property, he or she may change the locks on the doors without the landlord’s permission. If the harasser has left the landlord’s employ, the tenant must provide the landlord with a key to the new lock. If the tenant has a restraining order against the landlord, the tenant need not provide a key. In such cases, the landlord may enter the rental property in an emergency only if accompanied by law enforcement or a fire official acting in his or her official capacity.
This column should not be construed as legal or legislative advice.