FRAUD 2.0
Helping Businesses Prepare for Computer Fraud and Data Breaches
Shawn E. Tuma
www.brittontuma.com
The Association of Accountants and Financial Professionals in Business
May 16, 2013
#fraud20
www.brittontuma.com
Have you ever heard of …
Aaron Swartz?
Sandra Teague?
Bradley Manning?
Hacking?
Data Breach?
Identity Theft?
Stuxnet?
Active Defense?
NON-COMPUTER-RELATED FRAUD?
The Statistics
As of September 2012, cybercrime
• costs $110 billion annually
• 18 adults every second are victims
• 556,000,000 adults every year are victims
• 46% of online adults are victims
• mobile devices are trending
(Source: 2012 Norton Cybercrime Report)
Fraud?
What is fraud?
• Fraud is, in its simplest form, deception
• Black’s Law Dictionary
  • “all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or suppression of the truth”
Fraud?
Traditional vehicles for fraud?
• verbal communication
• written communication
• in person
• through mail
• via wire
What do computers do?
EFFICIENCY!
FRAUD 2.0
Fraud 2.0
Computer Fraud = Fraud 2.0
• Deception, through the use of a computer
• “old crimes committed in new ways … using computers and the Internet to make the task[s] easier”
• computer hacking, data theft, theft of money, breaches of data security, corporate espionage, privacy breaches, computer worms, Trojan horses, viruses, malware, denial of service attacks
• mouse and keyboard = modern fraudster tools of choice
Fraud 2.0
Who knows the percentage of businesses that suffered at least one act of computer fraud in the last year?
90% (Ponemon Institute Study)
BRIEF HISTORY OF THE COMPUTER FRAUD AND ABUSE ACT (CFAA)
The Law!
Computer Fraud and Abuse Act
Federal Law – 18 U.S.C. § 1030
History of CFAA
Why is the Computer Fraud and Abuse Act important?
Why?
• Primary law for misuse of computers
• Computers …
Why Computers?
“Everything has a computer in it nowadays.”
– Steve Jobs
WHAT IS A COMPUTER?
What is a computer?
The CFAA says: “the term ‘computer’ means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but …”
IMPORTANT! “such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;”
In short: has a processor or stores data
What is a computer?
What about . . .
Anything with a microchip
The Fourth Circuit says:
“That category can include coffeemakers, microwave ovens, watches, telephones, children’s toys, MP3 players, refrigerators, heating and air-conditioning units, radios, alarm clocks, televisions, and DVD players, . . . .”
– United States v. Kramer
What is a “protected” computer?
The CFAA applies only to “protected” computers
Protected = connected to the Internet
This may limit the problem of applying it to alarm clocks, toasters, and coffee makers – for now?
Any situations where these devices are connected?
What is a computer?
seriously . . .
Perspective
• TI-99: 3.3 MHz processor, 16 KB of RAM
• Leap Frog Leapster: 96 MHz processor, 128 MB of RAM
• iPhone 5: 1.02 GHz processor, 1 GB of RAM
Perspective
66 MHz = fastest desktop in the 80s
96 MHz = child’s toy today
250 MHz = fastest supercomputer in the 80s
1.02 GHz = telephone today
WHAT DOES THE CFAA PROHIBIT?
Statutory Language
CFAA prohibits the access of a protected computer that is
• without authorization, or
• exceeds authorized access
Statutory Language
Where the person accessing
• Obtains information
• Commits a fraud
• Obtains something of value
• Transmits damaging information
• Causes damage
• Traffics in passwords
• Commits extortion
Very Complex Statute
• Overly simplistic list
• Very complex statute
• Appears deceptively straightforward
• Many pitfalls
“I am the wisest man alive, for I know one thing, and that is that I know nothing.”
– Socrates
Very Complex Statute
Two Most Problematic Issues
“Loss” Requirement
• Confuses lawyers and judges alike
Unauthorized / Exceeding Authorized Access
• Evolving jurisprudence
• Interpreted by many Circuits
• New conflict on April 10, 2012
Civil Remedy
Limited civil remedy
Procedurally complex with many cross-references
“damage” ≠ “damages”
Must have $5,000 “loss” (i.e., cost)
Loss requirement is jurisdictional threshold
Civil Remedy
What is a “loss”?
“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Loss = cost (unless interruption of service)
Civil Remedy
Remedies Available
• Economic damages
• Loss damage
• Injunctive relief
Not Available
• Exemplary damages
• Attorneys’ fees
Basic Elements
Elements of broadest CFAA Claim
1. Intentionally access computer;
2. Without authorization or exceeding authorized access;
3. Obtained information from any protected computer; and
4. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
Basic Elements
Elements of CFAA Fraud Claim
1. Knowingly and with intent to defraud;
2. Accesses a protected computer;
3. Without authorization or exceeding authorized access;
4. By doing so, furthers the intended fraud and obtains anything of value; and
5. Victim incurred a loss to one or more persons during any 1-year period of at least $5,000.
WRONGFUL ACCESS
Wrongful Access
General Access Principles
• Access by informational / data use ≠ technician
• Must be knowing or intentional access ≠ accidental access
Wrongful Access
Two Types of Wrongful Access
“without authorization”
• Outsiders
• No rights
• Not defined
• Only requires intent to access, not harm
• Hacker!
“exceeds authorized”
• Insiders
• Some rights
• CFAA defines: access in a way not entitled
• Necessarily requires limits of authorization
• Employees, web users, etc.
Wrongful Access
When does authorization terminate?
Trilogy of Access Theories
• Agency Theory
• Intended-Use Theory
• Strict Access Theory
Wrongful Access
Ways to establish limits for Intended-Use
• Contractual
  • Policies: computer use, employment & manuals
  • Website Terms of Service
• Technological
  • Login and access restrictions
  • System warnings
• Training and other evidence of notification
• Notices of intent to use CFAA
Wrongful Access Examples
Employment Situations
Most common scenario is employment
• Employee accesses and takes customer account information
• Employee accesses and takes or emails confidential information to competitor
• Employee improperly deletes data and email
• Employee deletes browser history
• Employee accessing their Facebook, Gmail, Chase accounts at work
Wrongful Access Examples
Family Law Situations
Have you ever logged into your significant other’s email or Facebook to see what they’re saying to others?
DON’T ANSWER THAT!
• Estranged spouse in Arkansas did after separation
• NTTA account?
• Bank account?
• Cancelling services via online accounts?
Wrongful Access Examples
Sharing Website Logins
Have you ever borrowed or shared website login credentials and passwords for limited access sites (i.e., online accounts)?
DON’T ANSWER THAT!
• Recent case held that permitting others to use login credentials for a paid website was a viable CFAA claim
• The key factor here was that the conduct was prohibited by the website’s agreed-to Terms of Service
Wrongful Access Examples
Misuse of Websites
Ever created a fake profile or used a website for something other than its intended purpose?
DON’T ANSWER THAT!
• Myspace Mom case – United States v. Drew
• Fake login to disrupt legitimate website sales
• Accessing website to gain competitive information when prohibited by TOS
• Creating fake Facebook to research opposing parties
Earlier Questions?
Have you ever heard of?
• Aaron Swartz – information liberator!
• Sandra Teague – Obama’s academic records
• Bradley Manning – released classified info
• Stuxnet – variations for corporate espionage
• Active Defense – fun stuff – call me!
DATA BREACH: WHAT DO YOU DO?
Data Breach
• product of computer fraud
• on the rise
• major risk to virtually all businesses
• PII, PHI, financial data, cardholder data
• disruption and data loss
• claims from data subjects
• fines and penalties from govts, agencies, indust. groups
• impossible to prevent
• plan ahead to reduce harm
Data Breach
4 Phases of Data Breach
• Preparation
• Prevention
• Understanding Laws, Rules & Regulations
• Responding
Data Breach
Preparation
• Breach Response Plan
  • Goal: Execute!
  • Who, What, When, How
• Attorney – privilege
• Adopted Notification Form
• Educate Team
• IT Security Audit / Penetration Testing
• Compliance Audit
  • HIPAA, ERISA, OSHA, PCI, FINRA
• Cyber Insurance
Data Breach
Prevention
• Software and Systems Updates
• Remediate Vulnerabilities
• Encrypt, Encrypt, Encrypt
• Data Surveillance & IT Alerts
  • Cyber Counterintelligence / Counterespionage
  • IT Alerts
Data Breach
Understanding Laws, Rules & Regulations
• No Federal Breach Notification Law (yet)
• 46 States Have Laws
  • ≠ Alabama, Kentucky, New Mexico, South Dakota
  • Massachusetts is an oddball
  • 45 days (FL, OH, VT, WI); otherwise expeditious, without unreasonable delay
  • Consumers + State Attorney General
• Agencies (FTC, HHS, OCR, DOL, SEC)
• Industries (FINRA, PCI)
• International
Data Breach
Responding to a Breach – Just Execute the Plan!
• Contact Attorney
• Assemble Response Team
• Contact Forensics
• Contact Vendor for Notification
• Investigate Breach
• Remediate Responsible Vulnerabilities
• Reporting & Notification
  • Law Enforcement First
  • AGs, Admin. Agencies, Industries, Cred. Rpt, Consumers
OTHER LAWS FOR COMBATING FRAUD 2.0
Federal Laws
Federal Laws for Combating Fraud 2.0
• Electronic Communications Privacy Act – 18 U.S.C. § 2510
  • Wiretap Act ≠ intercept communications
  • Stored Communications Act ≠ comm. at rest
• Fraud with Access Devices – 18 U.S.C. § 1029
  • devices to obtain passwords, phishing, counterfeit devices, scanning receivers, drive-through swipe cards
• Identity Theft – 18 U.S.C. § 1028
Texas Laws
Texas Laws for Combating Fraud 2.0
• Breach of Computer Security Act (Tx. Penal Code § 33.02)
  • knowingly access a computer without effective consent of owner
• Fraudulent Use or Possession of Identifying Info (TPC § 32.51)
• Unlawful Interception, Use, or Disclosure of Wire, Oral or Electronic Communications (TPC § 16.02)
• Unlawful Access to Stored Communications (TPC § 16.04)
• Identity Theft Enforcement and Protection Act (BCC § 48.001)
• Consumer Protection Against Computer Spyware Act (BCC § 48.051)
• Anti-Phishing Act (BCC § 48.003)
Conclusion
• Welcome to the world of Fraud 2.0!
• Why? Remember what Jobs said
• CFAA is very broad and covers all kinds of computer fraud (sometimes) – evolving!
• Data Breaches – be prepared – it will happen!
• Many other Federal and Texas laws also available for combating computer fraud
• Cyber Insurance
Do You Want to Know More?
www.brittontuma.com
www.shawnetuma.com
Shawn E. Tuma
d. 469.635.1335
m. 214.726.2808
e. [email protected]
@shawnetuma
Copyright © 2012