March 2018 Legal Report
Print Issue: March 2018
Three men pleaded guilty to creating and operating two botnets used to target Internet of Things (IoT) devices to conduct distributed denial-of-service (DDoS) attacks.
Paras Jha, 21; Josiah White, 20; and Dalton Norman, 21; pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act (CFAA) by operating the Mirai Botnet. The three men created the botnet in the summer and fall of 2016 and designed it to target IoT devices.
"The defendants attempted to discover both known and previously undisclosed vulnerabilities that allowed them to surreptitiously attain control over the victim devices for the purpose of forcing the devices to participate in the Mirai Botnet," according to the U.S. Department of Justice (DOJ).
The botnet, at its peak, was made up of hundreds of thousands of devices that were then used to carry out DDoS attacks.
Jha later posted Mirai's source code on an online forum, allowing other criminal actors to use it for attacks and marking the end of his, White's, and Norman's involvement in the botnet.
Following the Mirai project, Jha and Norman went on to create a new botnet that ultimately infected more than 100,000 U.S.-based devices with malicious software. The botnet was then used for advertising fraud.
Jha also pleaded guilty to violating the Computer Fraud and Abuse Act for executing a series of attacks against Rutgers University's networks.
"Jha's attacks effectively shut down Rutgers University's central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments," the DOJ said. "At times, Jha succeeded in taking the portal offline for multi-day periods, harming Rutgers University, its faculty, and its students."
Jha, White, and Norman had not been sentenced as of Security Management's press time, but could face up to five years in U.S. federal prison and a fine of $250,000 for each count of violating the CFAA.
FITNESS FOR DUTY
A U.S. federal appellate court granted summary judgment to an employer, finding that a reasonable jury would have found its mental-health examinations of an administrator at a traffic safety office "job related and consistent with business necessity."
Deanna Painter was assigned to the position of office administrator at Traffic Safety, a division of the Illinois Department of Transportation (IDOT), in September 2010. In the spring of 2011, Director of Traffic Safety Mike Stout became aware of an incident between Painter and a colleague, where Painter accused the person of prank calling her at the office.
Other employees also said that Painter had accused them of spying on her while at work, and Painter admitted that she'd had "issues with several employees," according to court documents.
Stout wrote to IDOT's manager of the employee assistance program, explaining safety concerns he had with Painter. He also placed Painter on administrative leave in April 2011, and more employees continued to come forward to disclose issues with Painter and concerns about working with her.
Dr. David Fletcher conducted a fit-for-duty examination of Painter and determined that she was fit for duty. However, he recommended a reevaluation in 45 days for continued observation, based on her pattern of mood swings and speech during the evaluation. His report did not indicate whether he reviewed any employee statements in making his determination.
After Fletcher's examination, Stout wrote a memo to IDOT's manager of employee assistance program detailing his concerns for his employees' safety if Painter were returned to work at Traffic Safety. For instance, during Painter's leave, two or three employees requested security escorts to their vehicles at the end of the day due to concerns that Painter might approach them.
Painter was sent back to Fletcher for another fit-for-duty exam in July 2011, during which Fletcher said he "reviewed additional documentation that shows disturbing inter-personal skills," according to court documents.
Fletcher did not make a fitness for duty recommendation; instead, he referred Painter to Karen Lee, a psychologist. Lee began treating Painter and did not submit a copy of her report to IDOT.
In September 2011, Painter returned to work and in October was transferred to day labor—another division of IDOT—as an office administrator. She then began keeping a daily detailed log of her colleagues' actions and conversations.
The purpose of the log was to "document every single thing that was said to [her] so [she] could try to figure out why [she] was put on leave," according to court documents, despite the fact that no one in her new division was involved in the decision to put her on administrative leave.
Painter's new supervisor also began receiving complaints about her from other employees that she was "violent and dangerous" and emails from her during the evening and in the middle of the night that were "not work-related and nonsensical," the lawsuit said.
Painter's supervisor contacted IDOT's Labor Relations, which recommended Painter go on paid administrative leave. Painter was placed on leave in November 2011, and in December 2012 went to Dr. Terry Killian for another fit-for-duty exam.
Killian determined that Painter was psychiatrically fit for duty, and she returned to work in January 2012. Painter's colleagues then began submitting complaints about her behavior in the workplace, and her supervisor issued a written reprimand to her for being argumentative.
In April 2012, Painter emailed her union representative and said "for the record, the clock in the small conference room being set to 4:30 p.m. when it was only 4:00 p.m.—that's a telltale sign for me. It told me everything I need to know," according to court documents. When asked for clarification about her email, Painter responded with "something's dead alright—however, I prefer to be 'a lady' and not say what I think is dead."
The email was treated as a potential threat by IDOT, which contacted the Illinois State Police. Painter was then put on administrative leave, examined by Killian again, and found "psychiatrically unfit for duty as a result of paranoid thinking…and the disruptive behavior which results from her paranoia," according to court documents.
Painter then filed suit against IDOT for violating the Americans with Disabilities Act (ADA) and subjecting her to unnecessary medical examinations.
The case reached the U.S. Court of Appeals for the Seventh Circuit, which found that IDOT acted reasonably in handling Painter's case.
The appellate court found that "annoying or inefficient behavior does not justify an examination" but "preventing employees from endangering their coworkers is a business necessity."
The appellate court determined that the examinations were job related and consistent with business necessity because "inquiries—even multiple inquiries—concerning a worker's psychiatric health may be permissible if they reflect concern for the safety of other employees and the public at large."
Based on these findings, the court granted summary judgement to IDOT and dismissed Painter's case. (Painter v. Illinois Department of Transportation, U.S. Court of Appeals for the Seventh Circuit, No. 16-3187, 2017)
The U.S. Department of Transportation (DOT) published a final rule that changes drug testing requirements and adds new substances to its drug testing panel.
The DOT currently requires urine testing for safety-sensitive transportation industry employees who are subject to drug testing under Title 49 Code of Federal Regulations Part 40. Under the new rule, employers will no longer be required to submit blind specimens to the DOT for testing—a requirement that was originally instituted as a quality control measure.
The rule also adds hydrocodone, hydromorphone, oxycodone, and oxymorphone to the DOT's drug testing panel. The DOT also added methylenedioxyamphetamine as an initial test, and removed methylenedioxyethylamphetamine as a confirmatory test analyte.
"The opioid crisis is a threat to public safety when it involves safety-sensitive employees involved in the operation of any kind of vehicle or transport," said U.S. Transportation Secretary Elaine L. Chao in a statement.
U.S. Representative David Cicilline (D-RI) introduced a bill that would require some companies that store Americans' data to meet specific security and privacy requirements.
The Consumer Privacy Protection Act (H.R. 4081) would require companies that collect and store data on at least 10,000 Americans to implement a "comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity," according to the bill.
Covered data includes Social Security, drivers' license, and passport numbers; financial account and debit or credit card numbers in combination with PINs; usernames and passwords; and biometric data.
The U.S. attorney general, the U.S. state attorneys general, and the Federal Trade Commission would enforce the requirements in the law, and can fine companies not in compliance at least $16,500.
The bill has nine Democratic cosponsors and has been referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations.
U.S. Senator Bill Nelson (D-FL) introduced a bill that would require companies to disclose data breaches within 30 days of becoming aware of the breach.
Under the legislation (S. 2179), companies would have to report the breach and any individual who concealed data about the breach could face up to five years in prison.
The bill was drafted in response to the revelation that Uber paid hackers $100,000 to destroy documents and hide evidence of a data breach of more than 57 million records—including customer and driver personally identifiable information.
"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Nelson said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal."
Nelson introduced similar legislation in the Senate last year.
The bill has two Democratic cosponsors and has been referred to the Senate Committee on Commerce, Science, and Transportation.
The U.S. House of Representatives passed legislation that would allow people with concealed carry permits to carry firearms across state lines.
The bill (H.R. 38) allows people with concealed carry permits with a valid government-issued photo ID to carry their firearms into another state.
U.S. Representative Richard Hudson (R-NC) sponsored the legislation. He said in a statement that passing the bill was necessary to reflect the "Full Faith and Credit Clause" of the U.S. Constitution, which requires states to recognize the judicial proceedings and documents of other states.
"That's why a driver's license is recognized in every state," Hudson said in a statement. "That's why if I get married in North Carolina, but I move to Arizona, I'm not a single man again. They recognize that marriage. That's why divorce decrees are recognized in every state. The concealed carry permit should be recognized the same way."
H.R. 38 was combined with another provision that will require agencies to report criminal history records to the FBI's National Instant Criminal Background Check System (NICS).
The measure was created after the First Baptist Church shooting in Sutherland Springs, Texas, where the gunman was able to purchase a firearm because his criminal record was not entered into the NICS prior to the purchase.
Additionally, the bill requires the U.S. Department of Justice to report to Congress the number of times bump stocks are used in crimes. A gunman used bump stocks in a shooting in Las Vegas, which allowed him to make his semi-automatic weapons fire more rapidly and injure more people.
The bill now moves to the U.S. Senate for consideration.
Elsewhere in the Courts
Wages. A California judge dismissed a class action lawsuit filed by female Google employees accusing the tech giant of paying women less than men. Superior Court Judge Mary Wiss explained that the plaintiffs must refile to show that specific women were affected by Google's pay policies—not all women at the company. She also found that two of the plaintiffs had not demonstrated that they performed work comparable to men who allegedly were paid more. (Ellis v. Google, California Superior Court, San Francisco County, No. CGC-17-561299, 2017)
Religious Claims. A U.S. federal inmate may have stuffed animals in his prison cell because they are necessary to practice his religion, a U.S. appeals court said in a summary order. Inmate Christopher Grief claimed that he'd owned stuffed animals throughout his life and received spiritual guidance from them during meditation, according to court documents. However, Grief was denied the ability to have them while in custody. He filed suit alleging violation of the Religious Freedom Restoration Act, and an appellate court ruled in his favor after a lower court dismissed the suit. "…we conclude that the district court erred in deciding that Grief's belief regarding stuffed animals could not plausibly constitute a religious belief," the appellate court wrote in a summary order. (Grief v. Quay, U.S. Court of Appeals for the Second Circuit, No. 16-1651, 2017)
Fraud. Former Volkswagen executive Oliver Schmidt was sentenced to the maximum prison term of seven years and fined $400,000 for his role in the car manufacturer's emissions scandal. Schmidt, who oversaw U.S. emissions testing for Volkswagen, pleaded guilty, and asked for a reduced sentence, which the court did not grant. "You are a key conspirator responsible for the cover-up in the United States of a massive fraud perpetuated on the American consumer," U.S. Judge Sean Cox said when handing down the sentence, according to The New York Times. (U.S. v. Volkswagen, U.S. District Court for the Eastern District of Michigan, No. 2:16-cr-20398-SFC-APP, 2017)