Legal Report March 2016
U.S. JUDICIAL DECISIONS
Data Breaches. Target will pay $39 million to settle a lawsuit filed by a group of banks in the first class-wide data breach pact ever reached by a group of financial institutions.
The settlement stems from Target’s massive data breach in 2013, which compromised more than 40 million credit and debit cards used at the retailer over a three-week period during the holiday season.
After the breach, banks and credit unions came together to file a class action lawsuit against the retailer, claiming they had lost money as a result of the data breach. Last December, the two parties ultimately reached a settlement, which won preliminary approval from U.S. District Judge Paul A. Magnuson.
The settlement calls for Target to pay up to $20.5 million to banks and credit unions, and $19.11 million to reimburse MasterCard Inc. card issuers. Target will also cover the plaintiffs’ legal fees and will not appeal any sum of $20 million or less. A final approval hearing for the settlement is scheduled for May 10, 2016.
This settlement agreement is the latest in a series reached by Target in the aftermath of the 2013 data breach. For instance, it reached an agreement with Visa card issuers to pay up to $67 million and a settlement with consumers to pay $10 million. (In re: Target Corporation Customer Data Security Breach Litigation, U.S. District Court for the District of Minnesota, No. 14-md-02522, 2015)
Computer fraud and abuse. An employee was not criminally liable under a federal hacking statute for violating his employer-imposed computer use restrictions, a federal appeals court ruled.
Gilberto Valle, an officer in the New York City Police Department (NYPD), lived with his wife and their infant daughter in Forest Hills, Queens. Valle was an active member of an Internet sex fetish community called Dark Fetish Network (DFN), communicating with other individuals in the community via e-mail or Web chat after his work shift.
These communications typically involved the transmission of photographs of women Valle knew—including his wife—to other DFN users and discussions of committing “horrific acts of sexual violence,” including kidnapping, torturing, cooking, raping, murdering, and cannibalizing women, according to court documents.
As an NYPD officer, Valle had access to the Omnixx Force Mobile (OFM), a computer program that allows officers to search restricted databases that contain sensitive information about individuals, such as home addresses and dates of birth.
Under NYPD employment policy, officers are allowed to access the OFM only in the course of official duties. Valle, however, used it to search for Maureen Hartigan, a woman whom he discussed kidnapping with his DFN contacts, violating the NYPD’s policy for accessing the OFM.
After looking at Valle’s computer, his wife became aware of his DFN activities, confronted him about them, and, after moving out of their house with their daughter, contacted the authorities, who arrested him.
He was charged with conspiracy to kidnap several of the women he talked about in the DFN community and with violating the Computer Fraud and Abuse Act (CFAA) by improperly accessing a government computer and obtaining information on Hartigan.
In his initial trial, a jury convicted Valle on both counts. However, the conspiracy charge was later overturned by another court, which upheld the CFAA conviction. Valle appealed the ruling, which reached the U.S. Court of Appeals for the Second Circuit.
The appeal focused on how to read the phrase “exceeds authorized access.” Under one reading, an individual exceeds authorized access if, with an improper purpose, he accesses a computer to obtain or alter information he is otherwise authorized to access. Under the other, he exceeds authorized access only when he obtains or alters information, on a computer he is authorized to use, that he does not have authorization to access for any purpose.
Valle claimed that while he violated the terms of his employment with the NYPD by looking up information on a woman for an unofficial purpose, he did not violate the CFAA because he never “used his access to obtain any information he was not entitled to obtain,” court documents explain. Valle said he did not “exceed authorized access” because he was authorized to obtain information about Hartigan.
The government, however, claimed that Valle did “exceed authorized access” because “his authorization to access OFM was limited to law enforcement purposes,” and he conducted a search on Hartigan for no such purpose.
The appeals court ruled in favor of Valle and overturned his CFAA conviction because it could not accept the government’s construction of the CFAA. That construction would “criminalize the conduct of millions of ordinary computer users,” the court explained in its opinion.
The government’s interpretation of exceeding authorized access “will not only affect those who improperly access information from a government computer—a result some readers might find palatable—but also those who improperly access ‘any protected computer’ and thereby obtain information,” such as checking personal e-mails, sports games scores, and social media accounts in violation of workplace policies prohibiting that activity.
“While the government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters,” the court added. “A court should not uphold a highly problematic interpretation of a statute merely because the government promises to use it responsibly.” (U.S. v. Valle, U.S. Court of Appeals for the Second Circuit, No. 14-2710-cr and No. 14-4396-cr, 2015)
Visas. The United States is boosting security for the Visa Waiver Program (VWP), which allows 20 million people per year to visit the United States from 38 partner countries without obtaining a visa.
As part of the effort, the U.S. Department of Homeland Security (DHS) is modifying its Electronic System for Travel Authorization (ESTA) applications to include information from VWP travelers about any past travel to countries constituting a terrorist haven.
DHS also accelerated its review process for VWP partner countries with the secretary of state, making a full report to President Barack Obama at the end of January. Within the report, DHS identified countries that are deficient in key areas of cooperation, along with options to “engender compliance using a range of penalties and incentives,” according to a White House fact sheet.
The report also identified possible pilot programs designed to assess the collection and use of biometrics for the VWP to increase security.
“DHS and the Terrorist Screening Center will assist all interested VWP countries in screening refugees or asylum seekers, including through the application of extensive terrorism information already provided to VWP members and through piloting capability for conducting near real time biometric checks,” the White House explained.
Other changes for travelers to the United States include accelerating the requirement for 100 percent of VWP travelers to use e-passports (passports with embedded security chips), maximizing the use of international agencies to track lost and stolen travel documents, and expanding DHS’s Customs and Border Protection Preclearance program to include collecting and screening biometrics where appropriate.
Cybersecurity. The U.S. House of Representatives passed legislation that creates a cybersecurity training center.
The bill (H.R. 3490) establishes a DHS National Computer Forensics Institute operated by the U.S. Secret Service to share cybersecurity information related to investigations and prevention of cyber and electronic crime. The institute would share this information and train and equip state, local, tribal, and territorial law enforcement officers, prosecutors, and judges.
As part of this educational effort, the institute would provide education and training on investigation methods, computer and mobile device forensic examinations, network intrusion incidents, and methods to obtain, process, store, and admit digital evidence in court.
Rep. John Ratcliffe (R-TX) introduced the bill, which has three bipartisan cosponsors. It will now move to the Senate.