UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of...

18
UPDATE: Computer Fraud and Abuse Act UPDATE: Computer Fraud and Abuse Act Nick Akerman Dorsey & Whitney LLP [email protected] http://www.computerfraud.us Nick Akerman Dorsey & Whitney LLP [email protected] http://www.computerfraud.us

Transcript of UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of...

Page 1: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

UPDATE: Computer Fraud and Abuse Act

UPDATE: Computer Fraud and Abuse Act

Nick AkermanDorsey & Whitney [email protected]://www.computerfraud.us

Nick AkermanDorsey & Whitney [email protected]://www.computerfraud.us

Page 2: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

Nick AkermanDorsey & Whitney LLP

[email protected]

For on-going updates on the CFAA go tohttp://computerfraud.us

Page 3: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

2

Pervasiveness of computer data

• Manufacturing processes

• Product plans

• Acquisition strategies

• Employee HR records

• Customer information

• Financial information

• Marketing plans and strategies

• Email

3

Computer Fraud and Abuse Act Provides Proactive Tool to Protect Data

Title 18 U.S.C. § 1030 – Enacted in 1984Criminal statuteCivil remedy in 1994 amendmentComputers used in interstate commerceAmended in 2001 and 2008Computers in foreign countriesProvides for damages and injunction

4

Various Causes of Action

Stealing valuable computer dataSchemes to defraudTrafficking in a computerpassword or similar informationwith intent to defraudDamaging computer dataHackingExtortionSending computer viruses

Page 4: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

5

Legal Requirements

Protected computerLack of authorization or exceeding authorization to access computer Theft of information or anything of valueDamage to data permanent$5,000 loss Limited to economic damagesCompensatory damagesTwo-year statute of limitations

66

The $5,000 Jurisdictional Limit

Loss during any 1 year period aggregating at least $5,000“Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11).

7

Initial Burden

Costs associated with loss were reasonableCost directly causally linked to the CFAA violationTort principle of natural and foreseeable results of Defendant’s conductDoyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010)

Investigation of stolen files on thumb drive moved to another computer do not qualify

Page 5: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

8

Responding to an Offense

Conducting a damage assessmentRestoring computer system to its condition prior to the offenseU.S. Middleton, 231 F.3d 1207 (9th Cir. 2000)

Investigating and repairing damageLost Revenue to the business caused by employee responding to offenseUse of outside investigator to determine whether computer compromised

9

Lost Revenue, Costs or Damages Incurred Because of Loss of Service

Must be interruption of serviceNexans Wires S.A. v. Sark-USA Inc., 166 Fed. Appx, 559 (2d Cir. 2006)

Plaintiff claimed theft of confidential information caused it to lose at least $10 million in profitsDoes not apply to loss of profits from theft of data

1010

Key Issue: Unauthorized Access

Section 1030(a)(4) -Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…

Page 6: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

11

EF Cultural Travel v. Explorica

Ex-employees set up competing student travel companyInformation was accessed through public websiteRobot created with confidential informationUsed robot to download pricing dataFirst Circuit upheld injunction basedon confidentiality agreementAuthorization establishedby contractPricing data was valuable

12

Authorization Established by Company

First Circuit: the CFAA “is primarily a statute imposing limits on access and enhancing control by information providers.”Companies can set predicate for CFAA violationRules on authorized accessAgreements can set limitsSimilar to criminal trespass

13

International Airport Centers LLC v. Citrin

Employee destroyed data on company computerAuthorization based on law of agencyAuthorization terminates with disloyal actJudge Posner found thatauthorization terminatedwhen employee “resolvedto destroy files thatincriminated himself andother files that were alsothe property of his employer.”

Page 7: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

14

LVRC Holdings LLC v. Brekka (9th Cir.)

Employee emailed to himself competitively sensitive dataRefused to adopt CitrinEmployee cannot access company computers without authorization because employer gave him permissionDoes not address rules or agreements limiting access

15

Two Conflicting California District Court DecisionsU.S. v. Nosal (N.D. Ca. 2010)

Authorization cannot be based on corporate policiesThrust of Brekka not to look at motive in accessing

Kal-Tencor Corp. v. Murphy (N.D. Ca. 2010)Employee used Evidence Eliminator to delete all emails, files and internet historyAuthorized access predicated on employee agreement requiring return of records at terminationNo reference to Brekka

16

Ways to Establish Lack of Authorization

Hacking by outsider who breaks into computerExceeds expected norms of intended useTerminates Agency relationship with employer by disloyal conductViolates company policies and rulesBreaches contractual obligation

Page 8: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

17

Identifying the Hacker

GWA, LLC v. Cox Communications, Inc. and John Doe, 2010 WL 1957864 (D. Conn. May 17, 2010)Pre-action Discovery to identify ISP account associated with IP addressFed. R.Civ.P. 27 (a)(3): permits discovery before the filing of a federal action to perpetuate testimony “to prevent a failure or delay of justice.”

18

Tort of Conversion

Tangible v. Intangible propertyThyroff v. Nationwide Mutual Insurance Company, 8 N.Y.3d 283 (2007) Computer data included in conversion based on changing societal valuesSimilar remedies to the CFAAMay have advantages over the CFAA

19

Companies can mitigate their “risk” by re-evaluating 7 areas of their business

Hiring PracticesCompany RulesAppropriate AgreementsUse of TechnologyTermination PracticesProtocols for ResponseCompany Compliance Program

Page 9: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

20

The Hiring Process

Honor Prior Employment AgreementsExplain Company Obligations

Company PolicyEmploymentAgreements

Criminal Exposurefor the Company

21

Company Rules

Employee HandbookCompliance Code of Conduct Terms of Use oncompany Web siteTrainingInternational rules

22

Terms of Use

Require users to provide accurate registration informationLimit use of account to registered user at one computer at a timeProhibit use of web crawlers, robots and similar devicesPost acceptable use guidelines that prohibit abuse, harassment and similar conductSpecify limitations on use of materials obtained (e.g., no commercial use)

Page 10: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

23

Agreements

Officers/Employees/Third PartiesAmong related companiesConfidentiality/Non-Disclosure Post employment restrictive covenantsAnti-Raiding CovenantsAgreement to search personalcomputersPermissions re use of the computersCustomer agreementsData vendor agreements

24

Snap-On Business Solutions, Inc. v. O’Neil & Associates

Snap-On and Mitsubishi entered into a license agreement whereby both contributed to electronic auto databaseMitsubishi approached O’Neil two years into contract to replace Snap-OnO’Neil used robot to copy databaseIssue: was O’Neil authorized to access the database?

25

Use of Technology

Password protection is simplestAccess based on need to knowRisks re transportable mediaEncryptionAudit trailCoordinating with documentretention and e-discovery

Page 11: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

26

The Termination Process

Employees must return all company property Standard Exit Interview FormExplain post employment obligationsRetain evidence

27

Compliance

New York Stock Exchange listed company compliance program must protect confidential information that “might be of use to competitors, or harmful to the company or its customers, if disclosed.”Effective as of October 31, 2004Part of Compliance standards and proceduresAnnual CEO certificationMassachusettsFTC’s Red Flags RuleCover competitively sensitive data and personal data

28

Protocols for Response

Speed is of the essenceDesignate a coordinatorBe investigative readyPrepare standard court papers with company policies and agreementsSelect an affiant

Page 12: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

NLJ.COMDaily Updates at

sue for “compensatory damages and injunctive relief.” However, for there to be subject matter jurisdiction over most CFAA civil suits, the plaintiff must prove that the violation caused “loss to 1 or more persons during any 1-year period...aggregating at least $5,000 in value.” § 1030(c)(4)(A)(i)(I).

The $5,000 in loss is not general damages but specific categories of costs to the CFAA victim. Failure to allege and prove these specific categories is fatal to the court’s juris-diction, resulting in dismissal. This article will survey the current state of the law on what “loss” means and will highlight the pitfalls to avoid in drafting and prosecuting a CFAA action.

“Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conduct-ing a damage assessment, and restoring the data, program, system, or information

to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11). The $5,000 loss requirement reflects “Congress’ general intent to limit federal jurisdiction to cases of substantial computer crimes.” In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497, 522 (S.D.N.Y. 2001).

As an initial matter, “to establish a viable CFAA claim,” the plaintiff must show the costs associated with the “loss” “were reasonable” and “directly causally linked to...the alleged CFAA violation.” A.V. v. iParadigms LLC, 562 F.3d 630, 646 (4th Cir. 2009). The causation requirement has been interpreted “to incor-porate traditional principles of tort causation.” Global Policy Partners LLC v. Yessin, 686 F. Supp. 2d 642, 647 (E.D. Va. 2010). Thus, in deter-mining whether a plaintiff has proven “loss,” a jury can “consider only those costs that were a ‘natural and foreseeable result’ of Defendants’ conduct.” U.S. v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000).

The first category of “loss” set out in the statute is “responding to an offense” by “conducting a damage assessment” and “restoring” the computer system “to its

condition prior to the offense.” The classic example of this type of loss was upheld in Middleton, in which Nicholas Middleton, a disgruntled former computer administrator for an Internet service provider, entered the company’s computer network and “changed all the administrative passwords, altered the computer’s registry, deleted the entire bill-ing system (including programs that ran the billing software) and deleted two internal databases.” Id. at 1209.

At trial, the government offered proof of $10,092 in loss, required to support a five-year felony, based on the “hourly rates (calculated using their annual salaries)” of the victim company’s employees to respond to Middleton’s offense by investigating and repairing the damage caused to the com-pany computer network. That amount also included the cost of recreating the destroyed databases and the cost of a consultant and new software. Id. at 1214. In addition, lost revenue to the business caused by an

july 5, 2010

Dismissal of CFAA claims for lack of jurisdictionUnder Computer Fraud and Abuse Act, plaintiff must properly specify a $5,000 loss or case will be tossed.

BY NICK AKERMAN

T he Computer Fraud and Abuse Act (CFAA) is the omnibus fed-

eral computer crime statute outlawing theft and destruction of data,

hacking, use of viruses, theft of passwords and extortionate threats

to damage computers. 18 U.S.C. 1030. Any business or individual “who

suffers damage or loss by reason of a violation of the” CFAA is entitled to

The PracticeCommentary and advice on developments in the law

istockphoto/Zonecreative

nick akerman is a partner in the New York office of Dorsey & Whitney who specializes in the protection of trade secrets and computer data.

Page 13: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

employee having to respond to an offense instead of conducting the operations of the business “may qualify as losses under the CFAA.” iParadigms, 562 F.3d at 651.

foRENsIC CoMputER ExAMINAtIoNs

The cost of an outside forensic examiner to determine whether a Web site had been “com-promised” as a result of a CFAA violation may also constitute “loss.” EF Cultural Travel B.V. v. Explorica Inc, 274 F.3d 577, 584, n.17 (1st Cir. 2001). The court in EF Cultural Travel rejected the defendants’ argument that “such diagnos-tic measures” do not constitute “loss” when there is no “physical damage” to the plaintiff’s Web site. Id. at 585. While EF Cultural Travel represents the prevailing law adopted by most federal courts, there are several district courts that have recently refused to find loss based on a forensic computer investigation when the plaintiff presented no evidence of “damage to its computers or that it suffered any service interruptions.” von Holdt v. A-1 Tool Corp., 2010 WL 1980101, at *12 (N.D. Ill. May 17, 2010). These cases ignore the plain language of the CFAA’s definition of “loss,” which clearly dif-ferentiates between costs of responding to an offense and costs related to interruption of service.

Nonetheless, simply paying for a foren-sic investigator to conduct an investigation without a focus on the CFAA’s require-ments of “loss” is insufficient. In Chas. S. Winner Inc, v. Polistina, 2007 WL 1652292, at *4 (D.N.J. June 4, 2007) the court dismissed the CFAA claim because the plaintiff alleged no facts showing that the amount paid to the investigator “was related to investigat-ing or remedying damage to the computer, or due to interruption of the computer’s service.” Absent such evidence, the court was left to assume that the investigation simply related to the “recovery” of evidence to prove the CFAA violation rather than responding to or remediating the offense.

Nor can “loss” be proved by “costs incurred investigating business losses, unrelated to actual computers or computer services.” Nexans Wires S.A. v. Sark-USA Inc.,166 Fed. Appx. 559, 563 (2d Cir. 2006). In Nexans Wires, the plaintiff argued that it satisfied the CFAA’s “$5,000 loss requirement because it spent approximately $8,000 to send its

executives from Germany to New York to investigate the misappropriations of its stored data.” The court found that the plaintiff failed to prove “loss” because there was no con-nection between the travel costs incurred by its executives in visiting New York City and “ ‘any type of computer investigation or repair,’ or any preventative security measures or inspections.” Id.

Also, the investigation must relate to the computer that was the subject of the CFAA violation. In Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010), Aaron Doyle, claimed that the defendant stole his thumb drive and disseminated copies of the documents on the thumb drive via the Internet. To prove the requisite $5,000 in “loss,” Doyle submitted affidavits from a computer forensic examiner “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other comput-ers.” Id. at *2. The court found that “exam-ining others’ computer systems and delet-ing misappropriated files” from those other computers is “outside the intended scope of the” CFAA. Id. at *3.

The second independent category of “loss” is lost revenue, costs “or other con-sequential damages incurred because of interruption of service.” In Nexans Wires, the plaintiff, in addition to its executives’ travel expenses, claimed that the “defen-dants’ misappropriation of its confidential data caused it to lose ‘profits of at least $10 million.’ ” 166 Fed. Appx. at 562. The court held that “the plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption of service.’” Because there was no interruption of service, the plaintiff’s “asserted loss of $10 million is not a cogni-zable loss under the CFAA.” Id. at 563.

A motion to dismiss based on a failure to plead proper “loss” is a challenge to the court’s jurisdiction, and therefore the plain-tiff must respond “with rebuttal evidence.” Polistina, 2007 WL 1652292, at *4. Given that procedural posture, it is critical that, before filing a CFAA action, a plaintiff care-fully formulate its theory of “loss” in con-formance with the holdings of the above-

described judicial opinions detailing the types of factual circumstances that properly constitute “loss.” In doing so, the complaint must allege:

• “[S]pecific  details  from which  a  fact-finder could calculate an amount of loss,” Taylor, 2010 WL 2163521, at *3, which can neither be speculative nor conclusory and are reasonable and not overreaching.

• Losses  that  are  linked  directly  to  the CFAA violation and the computer that was the object of the violation.

In Yessin, the court refused to consid-er plaintiffs’ proper categories of loss—“expenses incurred in...establishing, con-figuring, and designing a new web site and e-mail addresses” because the plaintiff failed “to provide evidence that may prop-erly be considered on summary judgment” and failed to prove “that certain of these expenditures were a reasonably necessary response to the alleged CFAA violations, as required to prove a causal link.” 686 F. Supp. 2d at 648. Yessin underscores the need for carefully developing the factual basis for loss before filing the CFAA action.

the national law journal july 5, 2010

Reprinted with permission from the July 5, 2010 edition of THE NATIONAL LAW JOURNAL © 2010 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, [email protected] or visit www.almreprints.com. #005-07-10-12

Page 14: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

Nick Akerman Partner Dorsey & Whitney LLP 250 Park Avenue New York, NY 10177-1500 (212) 415-9217 : phone (646) 417-7119 : fax [email protected]

Experience

Partner in the Trial group and co-Chair of the Computer Fraud and Abuse practice. Represents clients in trial and appellate courts and arbitrations throughout the United States. Specialties include: protection of trade secrets and computer data, other commercial litigation, internal investigations and white collar criminal representations.

Representative Litigation

Complex Commercial Litigation

Represented Lockheed Martin Corp. in a trade secrets and computer fraud case in Lockheed Martin v, L-3 Communications, Inc., 6:05 CV 1580 ORL 31KRS

Represented Lockheed Martin Corp. on RICO claims in Lockheed Martin v. The Boeing Company, 6:03CV 796 ORL 28 KRS

$1 million jury verdict in a RICO, libel and slander case affirmed by the Second Circuit Court of Appeals. Securitron Magnalock v. Schnabolk, 65 F.3d 256 (2d Cir. 1995)

Libel defense for media publications. Stover v. Journal Pub. Co., 105 N.M. 291, 731 P.2d 1335 (N.M. App. 1985)

Whistleblower cases. Rodgers v. Lenox Hill Hosp., 251 A.D.2d 244, 674 N.Y.S.2d 670 (N.Y.A.D. 1st Dep't 1998)

Contract disputes. Carte Blanche (Singapore PTE., Ltd.) v. Diners Club Intern., Inc., 758 F. Supp. 908 (S.D.N.Y. 1991)

Insurance coverage disputes. See e.g. Journal Pub. Co. v. American Home Assur. Co., 771 F. Supp. 632 (S.D.N.Y. 1991)

Defamation. See e.g. Criales v. American Airlines, Inc., 1999 WL 1487601 (E.D.N.Y. Dec. 28, 1999)

Protection of Trade Secrets and Computer Data

First preliminary injunction under the Computer Fraud and Abuse Act relating to the entry of a company database through a public Web site using the company's confidential and proprietary information. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577(1st Cir. 2001)

Over 15 injunctions for clients under the Federal Computer Fraud and Abuse Act

Page 15: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

Over 40 injunctions enforcing post-employment restrictive covenants for The Prudential Insurance Company of America. Prudential Ins. Co. of America v. Barone, 1998 WL 269065 (W.D.N.Y. May 9, 1998)

Injunctions enforcing covenants not to compete. Garber Bros., Inc. v. Evlek, 122 F.Supp.2d 375 (E.D.N.Y. 2000)

Assist companies in designing and reviewing corporate compliance programs. As part of this program, advise corporations on designing programs to protect intellectual property, trade secrets and computer data. Have conducted a trade secrets audit of a major national health insurance company to assist the company in establishing systems, agreements and procedures to protect its confidential and proprietary and trade secret protected information.

Internal Investigations

Conduct and direct internal investigations for corporate clients into allegations of internal fraud and theft including a well-publicized investigation in Chicago into allegations of abuse of corporate assets by the President of Florsheim. In many instances these investigations have resulted in RICO actions being filed against the wrongdoers. CNBC, Inc. v. Alvarado, 1994 WL 445717, RICO Bus. Disp. Guide 8629 (S.D.N.Y. Aug. 17, 1994)

White Collar Representations

Have represented numerous corporations and individuals under criminal investigation by the United State Department of Justice for complex commercial and tax crimes. Defended numerous criminal cases in federal court including the acquittal of all defendants by a jury in United States v. Stella, 1990 WL 128918 (S.D.N.Y. Aug. 27, 1990).

Federal Prosecution Experience

Assistant United States Attorney in the Southern District of New York (SDNY) from 1975 until 1983. Prosecuted a wide array of white collar criminal matters including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. First prosecutor in the SDNY to use the RICO statute to prosecute traditional white collar criminal offenses. Tried over 25 cases before juries including successful prosecutions of Mafia bosses Russell Bufalino and Frank Tieri, and the RICO prosecution of ten individuals predicated on securities fraud and bankruptcy fraud violations for the formation and operations of The Westchester Premier Theater. United States v. Weisman, 624 F.2d 1118 (2d Cir. 1980)

Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force from 1973 to 1975. Conducted grand jury investigations into misuse of federal agencies and other allegations of criminal conduct related to the break-in at Democratic National Headquarters. Examined all of the principals in the Watergate scandal before the various Watergate grand juries.

Admissions

Massachusetts

New York

Page 16: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

Honors

Named "New York Super Lawyer," 2009 & 2010

Special Commendations by the Department of Justice in 1979 and 1981 for Outstanding Achievements

Education

Harvard Law School J.D., 1972 cum laude

University of Massachusetts B.A., 1969 magna cum laude Phi Beta Kappa

Professional Activities

Testified Before the Senate Judiciary Committee on Organized Crime

Faculty Member of the Practicing Law Institute on Personal Liability for Environmental Violations (1991)

Presentations

February 2009 Dorsey Symposium for Corporate Leaders - Securing Electronic Business Information: Do You Know What You May Be Missing?

March 2008 Directors Round Table - Corporate Digital Assets: Protecting the Secrets of Success

February 2008 - Current Issues in White Collar Litigation

Association of Corporate Counsel

June 2007 - Annual Meeting and Ethics Marathon

October 2007 - Protecting Your Corporate Data: Using Self-Help and Taking Protective Measures

December 2005 - Ethics Marathon

November 2005 - Corporate Counsel Community Forum

Referenced in Popular Books

Master of the Game, Connie Bruck

The Right and the Power, Leon Jaworski

Secrets, A memoir of Vietnam and the Pentagon Papers, Daniel Ellsberg

Sinatra, Anthony Summers and Robbyn Swan

Vengeance Is Mine, Muchael Zuckerman

Page 17: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

Recent Legal Commentary

"Hotel Feud Prompts Grand Jury Into Probe," Wall Street Journal, October 7, 2009

Media Presentations

"The Law Fits the Crime," appearance on Brian Leher Show, December 10, 2008

Attorney Articles

Dismissal of CFAA Claims for Lack of Jurisdiction, The National Law Journal, July 5, 2010

Corruption Digest, June 2010, June, 2010

Employee E-Mails To Personal Counsel Held To Be Protected By Attorney-Client Privilege, May 14, 2010

Dorsey’s Akerman and Perkovich Update Chapters in Leading ESI Discovery Treatise for Corporate Counsel, April 5, 2010

"Time to Review Corporate Computer Policies," The National Law Journal, February 1, 2010

"Will the Justices Rule on the Computer Fraud and Abuse Act," The National Law Journal, September 23, 2009

"You Have the Right to Remain Silent ... and Tweetless" Star Tribune, August 19, 2009

"When Workers Steal Data to Use at New Jobs," National Law Journal, July 15, 2009

"Unsecured Economies - Protecting Vital Information," McAfee, Inc., March 18, 2009

"State Compliance Laws," The National Law Journal, March 1, 2009

"Opinion: Criticism of woman's prosecution in cyberbullying case is off base," San Jose Mercury News, December 31, 2008

"The PRO-IP Act," Co-author, The National Law Journal, December 22, 2008

"Opposing view: The law fits the crime," USA Today, December 3, 2008

Web Site Terms of Use, October 3, 2008

"RICO and Data Thieves," National Law Journal, June 17, 2008

"The Law Fits the Crime," National Law Journal, May 26, 2008

Sarbanes Oxley: Protecting Company Data, May 12, 2008

Federal and State Regulation of Personal Data, May 12, 2008

"Protecting Personal Data in Franchise Systems: New Notification Laws," (co-author) LJN’s Franchising and Business Law Alert, March 2008

"Protecting Personal Data," National Law Journal, December 3, 2007

"Conversion of E-Data," National Law Journal, October 1, 2007

"Recent CFAA cases," National Law Journal, June 4, 2007

"E-Discovery Under CFAA," National Law Journal, March 5, 2007

Page 18: UPDATE: Computer Fraud and Abuse Act · 5 Legal Requirements Protected computer Lack of authorization or exceeding authorization to access computer Theft of information or anything

"Unauthorized Access," National Law Journal, November 27, 2006

"Evidence Under the CFAA," National Law Journal, July 17, 2006

"CFAA and Data Destruction," National Law Journal, April 10, 2006

"Unauthorized Access," National Law Journal, December 12, 2005

"Computer Data: CFAA Resembles RICO," National Law Journal, August 29, 2005

"Confidential Data: Mandatory Protection," National Law Journal, May 23, 2005

"CFAA as a Civil Remedy," National Law Journal, February 14, 2005

"CFAA's $5,000 Threshold," National Law Journal, October 18, 2004

"New Guidelines' Impact," National Law Journal, July 05, 2004

"Civil RICO Actions," National Law Journal, April 14, 2004

"Protecting Yourself While Protecting Your Computer Data: Two Laws Make it More Important Than Ever," EDP Audit, Control, and Security Newsletter, December 2003

"Economic Espionage Act," National Law Journal, December 1, 2003

"New Identity Theft Law," National Law Journal, June 16, 2003

Total Rewards on Guard, Workspan, December 2002

"Computer Security," The National Law Journal, September 16, 2002

"Trade Secrets: How To Protect Them," National Law Journal, March 18, 2002

"Computer Law: Civil Relief Under CFAA," National Law Journal, December 24, 2001

"Trade Secrets Law: Use of Written Agreements," National Law Journal, December 11, 2000

"Trade Secrets: Preventing a Leak," National Law Journal, September 4, 2000