Security, Privacy and The Law

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

blogs@foleyhoag.com (Colin J. Zick) — Fri, 25 May 2012 15:55:06 -0500

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS's cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.

On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber threat information to private sector organizations, but prohibits discussion between those very organizations. His Office at DHS is working to address this unintended siloing of information, so as to allow for greater cooperation and collaboration.

On Research and Development: He views cyber security education and training as essential, particularly because there is a rapidly shrinking pipeline of qualified professionals. As the Baby Boomers retire, they need to be replaced. Another speaker noted that hiring in cyber security is growing at 14% per year. While Undersecretary Weatherford did not propose any government solutions to increase degree programs and students in cyber security, you have to believe that they will be forthcoming.

On the Advanced Persistent Threat: The Undersecretary encouraged executive leadership to make cyber security as a priority, to raise awareness and create appropriate incentives. With regard to prevention, he did not offer any sweeping solutions, but instead suggested focusing on “basic hygiene” steps that all businesses can undertake, to eliminate the low-hanging fruit and get the greatest return on their data security investment.

* * *

If you want to sign up for DHS cyber security updates, just click here.

Data Breaches Keep Privacy and Security Lawyers Increasingly Busy and Looking for Recruits, But Recruits Are Hard to Find

blogs@foleyhoag.com (Colin J. Zick) — Fri, 25 May 2012 10:23:28 -0500

Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law. Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy.

One of the other attorneys discussed the shortage of trained attorneys in this area as follows:

You’d think, "Well heck, privacy has been around forever." But this is different. At law schools they need to find someone to teach this, and that’s not easy. So we don’t have enough generations yet. Mostly you have practicing attorneys who learned the area on the job, so you try to lateral in somebody, but it’s hard to get somebody just out of law school. We have to train young associates.

Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges

blogs@foleyhoag.com (Colin J. Zick) — Thu, 24 May 2012 15:12:21 -0500

An aptly-timed article from Mass High Tech Business News noted earlier today that: "Data Breaches [Are] a Growing Problem in Health Care." This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients.

The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston's South Shore Hospital, relating to a 2010 data breach.

According to the Attorney General's press release:

South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers, Attorney General Martha Coakley announced today. The investigation and settlement resulted from a data breach reported to the AG’s Office in July 2010 that included individual’s names, Social Security numbers, financial account numbers, and medical diagnoses....

The consent judgment approved today in Suffolk Superior Court includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal information and protected health information. In addition to these payments, the consent judgment credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

The suit and settlement also reflect one of the first uses of the delegated HIPAA enforcement powers of state attorneys general under the Affordable Care Act.

The details are fairly typical of a hospital breach:

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with 800,000 individuals’ personal information and protected health information off-site to be erased. The hospital contracted with Archive Data Solutions to erase the back-up tapes and resell them.

The hospital did not inform Archive Data, however, that personal information and protected health information was on the back-up computer tapes nor did South Shore Hospital determine whether Archive Data had sufficient safeguards in place to protect this sensitive information. Multiple companies handled the shipping of the boxes containing the tapes.

In June 2010 South Shore Hospital learned that only one of the boxes arrived at its destination in Texas. The missing boxes have not been recovered although there have been no reports of unauthorized use of the personal information or protected health information of affected individuals to date.

The allegations against South Shore Hospital in the lawsuit are based on both federal and state law violations, including failing to implement appropriate safeguards, policies, and procedures to protect consumers’ information, failing to have a Business Associate Agreement in place with Archive Data, and failing to properly train its workforce with respect to health data privacy.

According to the consent judgment, South Shore Hospital has also agreed to take a variety of steps in order to ensure compliance with state and federal data security laws and regulations, including requirements regarding its contracts with business associates and third-party service providers engaged for data destruction purposes. The hospital also agreed to undergo a review and audit of certain security measures and to report the results and any corrective actions to the Attorney General.

FTC Counters Constitutional Challenge to Fair Credit Reporting Act

blogs@foleyhoag.com (Colin J. Zick) — Fri, 11 May 2012 10:17:25 -0500

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in filing a memorandum in support of the constitutionality of the Fair Credit Reporting Act.

This issue arose in Shamara King v. General Information Services, Inc., a "consumer class action based upon Defendant’s willful violation of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x. (“FCRA”)." In her complaint, Ms. King brought suit "on behalf of thousands of employment applicants throughout the country who have been the subject of prejudicial, misleading and illegal background reports performed by the Defendant and sold to employers. Defendant has adopted and maintained a policy and practice of knowingly, intentionally, recklessly and willfully reporting outdated adverse information that is required to be excluded from the consumer reports that it sells."

The defendant GIS then moved to dismiss the case, claiming that FCRA was unconstitutional:

In sum, [the Supreme Court's decision in] Sorrell [v. IMS Health] marks a dramatic shift in the protection afforded to content- and speaker-based restrictions on truthful commercial information. As the dissent in Sorrell noted, its holding has sweeping effects on many other laws restricting disclosure of commercial information, including FCRA. Because a prohibition on disclosure of truthful information regarding an individual’s criminal record falls squarely within Sorrell’s holding, [the FCRA] is unconstitutional. Accordingly, the Court should enter judgment on the pleadings in favor of GIS on Plaintiff’s [FCRA] claim.

This is certainly a creative defense, although it may be asking more than a federal district court is willing to do. It could be very interesting to see this argument get to an appellate court.

ONC ("Office of the National Coordinator for Health Information Technology") Issues Guide to Privacy and Security of Health Information

blogs@foleyhoag.com (Colin J. Zick) — Thu, 10 May 2012 11:24:40 -0500

The Office of the National Coordinator for Health Information Technology ("ONC") has issued a Guide to Privacy and Security of Health Information Guide to Privacy and Security of Health Information. The guide is targeted at smaller health care providers and their administrative staff members. The 47 pages contain five chapters:

Chapter 1: What Is Privacy & Security and Why Does It Matter?
Chapter 2: Privacy & Security and Meaningful Use
Chapter 3: Privacy & Security 10-Step Plan for Meaningful Use
Chapter 4: Integrating Privacy and Security into Your Practice
Chapter 5: Privacy and Security Resources

At first glance, there's nothing earth-shattering, but it could prove to be a useful introduction for those moving toward meaningful use in the coming months.

Governments Hire Hackers to Work for Them

blogs@foleyhoag.com (Colin J. Zick) — Mon, 07 May 2012 17:52:54 -0500

Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets."

Ninth Circuit En Banc Decision Creates Circuit Split with First Circuit that Affects Employer Claims Against Employees under the Computer Fraud and Abuse Act

blogs@foleyhoag.com (Colin J. Zick) — Wed, 02 May 2012 12:57:55 -0500

Posted on April 27, 2012 by Brian P. Bialas (This post also appears in www.massachusettsnoncompetelaw.com)

Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Act and the split in the law that case has created with the First Circuit, which includes Massachusetts.

The U.S. District Court for the District of Massachusetts has noted that employers are increasingly using the federal Computer Fraud and Abuse Act (CFAA) “to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” But in April, the U.S. Court of Appeals for the Ninth Circuit made such employer lawsuits more difficult in that circuit by issuing its en banc decision in United States v. Nosal. In Nosal, the Ninth Circuit determined that an employee does not “exceed[] authorized access” to information in a computer under the CFAA when he or she violates an employer’s computer use restrictions. In contrast, the First Circuit concluded more than a decade ago in EF Cultural Travel BV v. Explorica, Inc. that contractual restrictions can serve as the basis for a CFAA violation. This circuit split affects the ability of employers to maintain lawsuits under the CFAA against former employees who were authorized to access their employer’s confidential information but took that information to competitors. It also tees up the CFAA for review by the Supreme Court.

I. The CFAA

The CFAA provides for both criminal and civil liability (if certain conditions are met) when a person commits various acts involving a computer and “exceeds authorized access” or acts “without authorization” in the process. The provision under review in both Nosal and Explorica was 18 U.S.C. § 1030(a)(4), which imposes liability on someone who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” “Without authorization” is not defined. Both the Ninth Circuit and the First Circuit focused their respective analyses on whether employees “exceed[ed] authorized access” when they were permitted by their employers to access certain information on a computer, but then used that information for the benefit of competitors. But because “without authorization” is not defined, judicial interpretations of “exceeds authorized access” necessarily affect the meaning of “without authorization” as well.

II. The Ninth Circuit: Limiting the CFAA to “Hacking”

In Nosal, the defendant Nosal worked for an executive search firm and convinced several employees shortly before he left to start a competing business with him. He asked the employees to use their log-in credentials to download confidential information from the firm’s computers and to send the information to him. The employees were permitted to access the information by their employer, but were forbidden from disclosing it. Nosal was indicted for aiding and abetting the employees in “exceed[ing] their authorized access” in violation of 18 U.S.C. § 1030(a)(4). The charge was dismissed by the district court, and the government appealed.

The Nosal court, sitting en banc, affirmed, reasoning that “exceeds authorized access” should only be applied to a person “who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as ‘hacking.’” The statutory definition of the phrase supported this interpretation because “entitled” should be read as a synonym for “authorized” in the text and a broader interpretation “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute,” which the court would not presume Congress intended absent clearer language. A broader construction “would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.” What is more, because § 1030(a)(2)(C) punishes a person who merely “exceeds authorized access” and “obtains information from any protected computer” without intent to defraud, a broader interpretation “makes every violation of a private computer use policy a federal crime.” The court construed the statute narrowly “so that Congress will not unintentionally turn ordinary citizens into criminals” and concluded that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Because Nosal’s coworkers had permission to access the information, Nosal was off the hook.

The dissent, citing the Explorica decision among others, noted that none of the other circuits to consider the meaning of “exceeds authorized access” read the statute the same way.

III. The First Circuit: Breach of Confidentiality Agreement Proves Excessive Access

The First Circuit in Explorica reviewed the district court’s issuance of a preliminary injunction against defendant Explorica and several of its employees pursuant to § 1030(a)(4) of the CFAA. In Explorica, an employee of Explorica and a former employee of the plaintiff, EF Cultural Travel BV (EF), revealed EF proprietary information to Zefer, a company employed by defendant Explorica, an EF competitor, in violation of his confidentiality agreement with EF. Zefer then used that information to create a computer program that “scraped” EF’s public website of pricing information, thus allowing Explorica to undercut EF’s prices.

The court ruled that the district court’s decision was not clearly erroneous because “whatever authorization Explorica had to navigate around EF’s site (even in a competitive vein),” if EF’s allegations were proven, EF likely would prove that Explorica “exceeded that authorization by providing proprietary information and know-how to Zefer to create the scraper.” In fact, “[p]ractically speaking, . . . if proven, Explorica’s wholesale use of EF’s travel codes to facilitate gathering EF’s prices from its website reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF’s website.” Although decided in a different factual and procedural context than Nosal, as one judge in the District of Massachusetts noted, the First Circuit in Explorica “advocated a broader reading” of the CFAA than the Ninth Circuit.

IV. Conclusion: On to the Supreme Court?

The Nosal decision’s statement that a CFAA violation is limited to violations of restrictions on access to information, not use, when read with Explorica’s competing conclusion that a CFAA violation may be based on the abuse of proprietary information, crystallizes the CFAA circuit split for Supreme Court review. Violations of an employer’s contractual and computer use policies cannot be used to show a CFAA violation in the Ninth Circuit, but they can in the First Circuit. Assuming the government seeks certiorari, a decision by the Supreme Court not to review the Nosal case will have an immediate impact on employer decisions on where to file CFAA claims against former employees who may have taken confidential information. In fact, the Nosal decision adds yet another hurdle for employers filing lawsuits in California (part of the Ninth Circuit) in addition to the unenforceability of non-competition agreements as a matter of policy in that state. The circuit split is even more important because of the location of important industries: Silicon Valley and Massachusetts (part of the First Circuit) are high-tech hubs where many companies rely on highly sensitive information to stay ahead of the competition. If the Supreme Court chooses not to review Nosal, more employers will file CFAA cases outside of the Ninth Circuit.

Random Cyberattackers Versus the Advanced Persistent Threat

blogs@foleyhoag.com (Colin J. Zick) — Tue, 01 May 2012 21:46:54 -0500

What do cyberattackers want? According to a recent article in the Wall Street Journal, it depends. And the most dangerous ones are the ones that really know what they want: the Advanced Persistent Threat (APT). They APT isn't easily defined, but think of APTs as professional thieves, going after high-value targets and using sophisticated techniques. They are Thomas Crown to the every Eddie Coynes of the world. There's more discussion of APTs on the Advanced Cyber Security Center's website.

Massachusetts Reports on Data Breaches for 2007-2011

blogs@foleyhoag.com (Colin J. Zick) — Tue, 24 Apr 2012 08:03:57 -0500

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:

Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government.
Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business Regulation has tracked the data breach notifications it has received. As of Sept. 30, 2011, there had been 1,833 notifications of security breaches. The number of Massachusetts residents affected by the reported incidents since November 1, 2007 now totals 3,166,031.
As of September 30, 2011, criminal or malicious breaches totaled 241 of 454 notifications received, 52.5 percent of total breaches reported.
Encryption is lagging: If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 percent or 1,490,308 people. If all portable devices were encrypted from March 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people.

Stanford Law Review's Privacy Symposium

blogs@foleyhoag.com (Colin J. Zick) — Sun, 22 Apr 2012 06:12:08 -0500

The Stanford Law Review has an interesting series of articles on privacy in its most recent edition:

A Reasonableness Approach to Searches After the Jones GPS Tracking Case by Peter Swire
In the oral argument this fall in United States v. Jones, several Supreme Court Justices struggled with the government’s view that it can place Global Positioning System (GPS) tracking devices on cars without a warrant or other Fourth Amendment limit.
Privacy in the Age of Big Data by Omer Tene & Jules Polonetsky
We live in an age of “big data.” Data has become the raw material of production, a new source of immense economic and social value
Yes We Can (Profile You) by Daniel Kreiss
Online advertising and field campaigning rely on voter modeling based on hundreds of data points culled from surveys, public records, and commercial information sources such as credit histories. This data details the location, demographics, political affiliations, social networks, behavior, and interests of citizens.
Paving the Regulatory Road to the "Learning Health Care System" by Deven McGraw
The poor quality and high cost of health care in the U.S. is well documented. The widespread adoption of electronic medical records—for purposes of improving quality and reducing costs—is key to reversing these trends. But federal privacy regulations do not set clear and consistent rules for access to health information to improve health care quality. Consequently, the regulations serve as a disincentive to robust analysis of information in medical records and may interfere with efforts to accelerate quality improvements.
Famous for Fifteen People by Simon J. Frankel, Laura Brookover & Stephen Satterfield
A recent case in the Northern District of California, Fraley v. Facebook, recalls singer-songwriter Momus’s prescient parody of Andy Warhol: “In the future, everyone will be famous for fifteen people.” Although Momus was discussing the revolution in the recording and distribution of music made possible by digital technologies that allowed performers outside the mainstream to become “stars” within certain listening circles, his statement applies at least as forcefully to the recent revolution in digital communications technologies, particularly the emergence of social media. The Fraley decision suggests that Momus’s prediction was dead on—and that the future has arrived.
The Right to Be Forgotten by Jeffrey Rosen
At the end of January, the European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right—the “right to be forgotten.” The right, which has been hotly debated in Europe for the past few years, has finally been codified as part of a broad new proposed data protection regulation.
The Dead Past by Alex Kozinski
I must start out with a confession: When it comes to technology, I’m what you might call a troglodyte. I don’t own a Kindle or an iPad or an iPhone or a Blackberry. I don’t have an avatar or even voicemail. I don’t text. I don’t reject technology altogether: I do have a typewriter—an electric one, with a ball. But I do think that technology can be a dangerous thing because it changes the way we do things and the way we think about things; and sometimes it changes our own perception of who we are and what we’re about. And by the time we realize it, we find we’re living in a different world with different assumptions about such fundamental things as property and privacy and dignity. And by then, it’s too late to turn back the clock.

Second Circuit Reverses Convictions in Data-Theft Prosecution and Narrowly Interprets Federal Criminal Statutes with Important Intellectual Property Implications

blogs@foleyhoag.com (Colin J. Zick) — Sat, 21 Apr 2012 14:42:06 -0500

by Daniel Marx

In February 2012, following oral argument, the U.S. Court of Appeals for the Second Circuit issued a brief order reversing Sergey Aleynikov’s convictions for violating the National Stolen Property Act, 18 U.S.C. § 2314 (“NSPA”), and the Economic Espionage Act, 18 U.S.C. § 1832(b) (“EEA”), and stating a longer opinion would follow. In that promised opinion, which was issued earlier this month, see United States v. Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012), the appeals court explained why Aleynikov did not commit the charged federal crimes, and more importantly, it established significant limits on future federal prosecutions concerning the theft of intangible intellectual property.

Background

Before his troubles began, Aleynikov worked for two years as a computer programmer at Goldman Sachs & Co. There, he helped to write the source code for Goldman’s proprietary high-frequency trading (“HFT”) system, which makes large volume trades based on algorithms that incorporate rapid market developments and past trading data. Kept highly confidential and never licensed to any other parties, the HFT system was akin to the Wall Street bank’s own secret formula for Coke. As an employee, Aleynikov was subject to strict confidentiality provisions that prohibited him from divulging this valuable trade secret.

Aleynikov had other plans, however. He decided to leave Goldman and join Teza Technologies, LLC, a financial firm in Chicago with plans to develop its own HFT system. (The government did not accuse Teza of any wrongdoing.) On his last day at Goldman, Aleynikov encrypted and uploaded source code from the HFT system to a server in Germany. After returning home that night, Aleynikov downloaded the data to his personal computer. He later made additional copies of the computer program on other devices, including a thumb drive and laptop, and also took steps to cover his electronic tracks. Aleynikov then traveled to Chicago to meet with representatives of Teza, and he brought the purloined source code with him. When he returned to New Jersey, he was arrested by the FBI at Newark airport.

At trial, Aleynikov argued that he only copied open source materials and never intended to harm Goldman. The jury was unconvinced and found him guilty. The trial court sentenced him to 97 months in prison. In its recent opinion reversing Aleynikov’s convictions, the Second Circuit certainly did not condone his behavior -- repeatedly calling him a corporate thief and noting that his dishonest conduct breached his confidentiality obligations to his employer. But the court concluded, after closely analyzing the text of the criminal statutes and the relevant case law, that Aleynikov had not violated the NSPA or EEA. (The appeal related only to the criminal prosecution, and it did not address whether or how Goldman might sue Aleynikov for money damages.)

Computer Fraud and Abuse Act

Although not part of the appeal, Aleynikov was also charged with violating the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, which prohibits accessing computers without authorization in certain specified situations that the statute describes (for example, protected computers containing national security information). Aleynikov moved to dismiss that charge, and the trial court granted his motion. As the Second Circuit recounted, the trial court concluded that, as an employee, Aleynikov was authorized to access Goldman’s network; that as a programmer who worked on the HFT system in particular, his access to that source code did not exceed his authorization; and perhaps most critically, that his “authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA.”

Because this count was dismissed, and the government did not appeal from that decision, the Second Circuit had no reason to address the issue. As it stands, therefore, it may be a crime under the CFAA for an outsider – say, an ill-intentioned hacker – to access a computer network and misappropriate source code or other intellectual property, but it is not illegal for an insider – such as an authorized employee – to do the very same thing. When considering the parameters of the CFAA, it is important to distinguish (a) whether a person is authorized to access a computer from (b) how the person uses information from the computer (e.g., in violation of application confidentiality or non-compete agreements). The CFAA addresses unauthorized access to certain computers, not the improper use of information stored within.

National Stolen Property Act

Aleynikov was charged with, and convicted of, violating the NSPA which prohibits as a federal crime “transporting, transmitting or transferring in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” As the Second Circuit explained, the “decisive question” was whether the source code that Aleynikov stole from Goldman constituted “goods, wares [or] merchandise” within the meaning of the NPSA.

To answer that question, the appeals court looked back almost 50-years – long before the computer, much less complex HFT systems – to its decision in United States v. Bottone, 365 F.2d 389 (2d Cir. 1966). In that case, the Second Circuit affirmed the conviction of Caesar Bottone who had photocopied documents outlining proprietary manufacturing procedures for certain pharmaceuticals and transported those documents across state lines. But the law would not have ensnared Bottone, the court explained, if he had memorized the same manufacturing information and taken it, in his mind, across the Hudson River. Based on this prior precedent, the Second Circuit concluded, in Aleynikov, that the NSPA is not “endlessly elastic,” rather “some tangible property must be taken from the owner for there to be deemed a ‘good’ that is ‘stolen’ for the purposes of the NSPA.” Stated another way, the Second Circuit joined other federal appeals courts including the First Circuit in holding that stealing “purely intangible properly” is not a crime under the NSPA.

Wary of declaring open season on intellectual property, federal courts have been careful to emphasize a critical qualification: although the NSPA does not apply to “purely intangible information,” “it does apply when there has been ‘some tangible item taken, however insignificant or valueless it may be, absent the intangible component.’” United States v. Martin, 228 F.2d 1, 14-15 (1st Cir. 2000) (quoting United States v. Brown, 925 F.2d at 1037, 1308 n.14 (10th Cir. 1991)). But what does that mean exactly? The Second Circuit did not have to answer that question, because there was no allegation that Aleynikov took anything tangible from Goldman, such as a compact disc or thumb drive containing source code. If Aleynikov had copied data onto a Goldman disc, he would have violated the NSPA, but instead he uploaded it to a server, so he did not. That distinction makes the critical question of criminal liability turn on whether a defendant steals a five-cent CD, not a five-million-dollar computer program. That seems somewhat silly, as the Second Circuit acknowledged, noting “there is no doubt that in virtually every case involving proprietary computer code worth stealing, the value of the intangible code will vastly exceed the value of any physical item on which it might be stored.” Read this way, the NSPA does a better job protecting thumb drives than the trade secrets stored on them.

To its credit, the Second Circuit did not ignore these oddities. Rather, following the well-settled principle that federal crimes are “solely creatures of statute,” Dowling v. United States, 473 U.S. 207, 213 (1985), which must be narrowly construed to avoid due process concerns, the appeals court appropriately refused “to stretch or update statutory words of plain and ordinary meaning” – such as “goods” – “to better accommodate the digital age.” Amending and expanding federal criminal statutes is a job reserved for Congress. And the legislature, like the courts, must keep up with rapid technological change. Indeed, re-reading the First Circuit’s 2000 decision in Martin, one gets the sense that it, too, may already be out of date. The First Circuit appeared to equate stolen “software,” which the defendant had mailed to her co-conspirator, with other “physical goods,” such as “test kits” for animal vaccines. Today, however, software is more often downloaded from the internet, or accessed in a cloud, than delivered on a disc or any other physical media. That evolution may have significant consequences for how the NSPA applies to the misappropriation of software, like the source code at issue in Aleynikov. If the NSPA retains its focus on the theft of physical items, then at least with regard to purely intellectual property, it may fade into obscurity like the floppy disk.

Economic Espionage Act

Aleynikov was also charged with, and convicted of, violating the domestic provision of the EEA which exposes to a 10-year prison sentence any person who, “with the intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly . . . without authorization . . . downloads, uploads, . . . transmits, . . . or conveys such information.” This federal criminal statute presented the Second Circuit with an entirely different problem, one that resonates more with the current debate over the Affordable Care Act and the Commerce Clause than the legal challenges of the digital age.

The domestic provision of the EEA applies, by its terms, only to those trade secrets that are “related to or included in a product that is produced for or placed in interstate or foreign commerce.” To use an example mentioned earlier, the secret formula for Coca-Cola has qualified for almost 100 years (since 1920) as such a trade secret because it is used in manufacturing soda which is itself a product placed in interstate and foreign commerce. But Goldman did not sell or license its HFT system like cans of Coke. Quite the opposite. Goldman aggressively protected the confidentiality of its computer program, and in large part, the system’s substantial value flowed from the fact that others did not know how it worked and, thus, could not design a competing system to affect even more rapid trades. For that reason, the Second Circuit concluded: “Because the HFT system was not designed to enter or pass into commerce, or to make something that does, Aleynikov’s theft of source code relating to that system was not an offense under the EEA.”

Further, in reaching that conclusion, the Second Circuit rejected the broader reading that the trial court had endorsed – a product is “produced for” interstate or foreign commerce if its purpose is to “facilitate or engage” in such commerce. That interpretation covered Goldman’s HFT system, which clearly existed to facilitate and engage in securities transactions on domestic and foreign exchanges. But the Second Circuit ruled that understanding was too broad and inconsistent with the statutory text.

Thus, as with the NSPA, the decision in Aleynikov established an important, new limit for federal criminal liability under the EEA. A person who steals proprietary intellectual property from an owner who uses that information solely for internal, commercial purposes does not violate the domestic provisions of the EEA. (The foreign provisions of the EEA, which are more expansive, were not at issue in Aleynikov.) Yet if the same person takes intellectual property that the owner uses in a product that it produces for or makes available on domestic or foreign markets, then the thief runs afoul of the federal criminal law. While logical, this internal/external or private/public distinction would seem to leave unprotected, at least under the domestic provisions of the EEA, some extremely valuable intellectual property that is critical to how owners operate their businesses and obtain competitive advantages. Stealing the source code for Goldman’s HFT system to aid a competitor company seems like a quintessential act of economic espionage, but according to the Second Circuit, it did not violate the EEA. Ironically, it was precisely because Goldman closely guarded its computer program that the source code fell beyond the EEA’s scope.

Wire and mail fraud

Finally, it merits mention that Aleynikov was not charged with wire or mail fraud in violation of 18 U.S.C. §§ 1341 and 1343. The mail and wire fraud statutes prohibit using the mail or “wires,” meaning telephones, e-mail, or other electronic communications, to conduct a “scheme to defraud” or “to obtain money or property by means of false or fraudulent pretenses.” Both federal criminal statutes require the government to prove beyond a reasonable doubt that the defendant engaged in some intentional deception. On its face, Aleynikov’s conduct did not necessarily involve any deceit or trickery. He did not tell anyone at Goldman what he had done, but he also did not lie about it. He did not masquerade as someone else to gain access to the HFT system, nor did he dupe Goldman into sharing its source code with him.

That is not to say Aleynikov may not have been convicted of wire or mail fraud, if he had been charged with those offenses. In contrast to the NSPA which limits “goods, wares [and] merchandise” to physical items, the mail and wire fraud statutes broadly define “property” to include purely intellectual property, such as computer programs or other confidential business information. See Carpenter v. United States, 484 U.S. 19, 25-26 (1987); United States v. Czubinski, 106 F.3d 1069, 1074 (1st Cir. 1997). Thus, in United States v. Martin, a somewhat similar case involving an employee who shared trade secrets with a competitor company, the First Circuit ruled that, by relaying confidential information in violation of her fiduciary duty to her employer and her signed non-disclosure and non-compete agreements, the defendant engaged in “false pretenses.” On that basis, the appeals court affirmed the defendant’s convictions for mail and wire fraud. See also United States v. Wang, 898 F. Supp. 758 (D. Colo. 2005) (denying the defendant’s motion to dismiss the indictment in a wire fraud prosecution where the defendant had transmitted by wires, without proper authorization, confidential source code that belonged to his employer). Now that the Second Circuit has closed certain doors to federal criminal prosecutions in intellectual property cases, the Justice Department may opt to proceed through a door that other courts have left open, charging defendants like Aleynikov with mail and wire fraud and arguing that, by violating agreements with their employers, they engaged in prohibited deceit.

Conclusion

If asked, most people would probably think that, if an employee brazenly steals valuable intellectual property from his or her employer to give to a competitor company (where the employee has accepted a new job), then that employee has committed a federal crime. Not necessarily. As the Second Circuit decision in Aleynikov makes clear, federal criminal liability under the NSPA, EEA and CFAA will turn on specific, and somewhat surprising, factual questions. For example, did the employee take the intangible intellectual property on a tangible device, like a disc, that belonged to his or her employer? Was the intellectual property used internally or as part of a product that the company produced for sale? Did the company authorize the employee to access the computer system in the first place? Depending on the answers to these types of factual questions, conduct that is dishonest, unethical and inappropriate may, nevertheless, not be criminal.

As much as things change, some things will remain the same: the government will continue to prosecute the theft of intellectual property; defendants will continue to raise creative challenges to the criminal laws, and the courts will continue to wrestle with these issues, all as technology continues to evolve. For Aleynikov, that legal process unfolded over the past three years since his arrest in July 2009, and it took a heavy personal toll. Because he is a dual Russian and U.S. citizen, Aleynikov was deemed a “flight risk” and denied bail pending his appeal. As a result, Aleynikov -- the father of three young children -- served more than two years in federal prison before the Second Circuit decided that he had not, in fact, broken the law.

Will Massachusetts Adopt the Uniform Trade Secrets Act?

blogs@foleyhoag.com (Colin J. Zick) — Fri, 06 Apr 2012 08:35:04 -0500

by Brian P. Bialas, Esq.

A bill to adopt the Uniform Trade Secrets Act (“UTSA”) has been pending in the Massachusetts Legislature since late January. Forms of the UTSA have been adopted in 46 states, as well as the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Only New York, Texas, North Carolina, and Massachusetts have not adopted the UTSA.

The bill would supersede the definitions, procedures, and remedies applied in Massachusetts chapter 93A actions (regulating unfair and deceptive trade practices) for trade secret misappropriation. The UTSA expands the definition of “trade secret” to include information that has not been “continuously used in one’s business.” It leaves in place contractual remedies (i.e., non-disclosure agreements) so long as, to the extent contracts rely on confidentiality of information, such confidentiality be determined according to the definition of “trade secret” in the UTSA. This addresses an anomaly in Massachusetts created by an overly restrictive definition of trade secrets which requires “continuous use” of the trade secret and employers’ need to protect by contract “confidential information” that does not meet the restrictive definition.

The last action on the bill was a hearing before the Massachusetts Joint Committee on the Judiciary on February 28, 2012. Testimony before the Committee and a copy of the bill with both official comments on the UTSA and comments specific to the version proposed in Massachusetts, which is slightly different, are available here.

A more detailed discussion of the USTA, and its impact on non-competes, is available on our Non-Compete blog.

Good Advice that Bears Repeating: Toughen Up Your Passwords!

blogs@foleyhoag.com (Colin J. Zick) — Mon, 26 Mar 2012 14:48:35 -0500

In an article that repeats a common theme in this space, this week's Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article's conclusion is a gloomy one:

The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.

FTC Releases Final Report: "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"

blogs@foleyhoag.com (Colin J. Zick) — Mon, 26 Mar 2012 11:14:01 -0500

FTC has today, at last, released the final version of its original 2010 Report — "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers." As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.

The FTC received over 450 comments from businesses, privacy advocates, and consumers and claims that the final Report retains the basic principles outlined previously, but claiming it makes several important refinements. There's also a brief new video explaining the FTC's positions. Here are the key take-aways from the final report:

Privacy by Design. Companies should build privacy protections into their everyday business practices. That includes limiting data collection and retention, securing the information they hold on to, safely disposing of what they no longer need, and implementing reasonable measures to ensure information is accurate.
Simplified Choice. Companies should give consumers a choice at a time and in a context that matters to people. The preliminary report noted that choice shouldn’t be necessary for certain “commonly accepted practices.” The final Report concludes that choice needn’t be provided for data practices that people would expect, given the context of the transaction, the company’s relationship with the consumer, or as required or specifically authorized by law.
Do Not Track: The Report also reaffirms the Commission’s strong support for Do Not Track.
Improved transparency. Companies should increase the transparency of their data practices by developing clearer, more standardized privacy disclosures and could give people reasonable access to their information.
Exemption of small businesses: To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.

Most interesting to me is the Dissenting Statement of Commissioner J. Thomas Rosch, in which he makes several interesting points:

"First, the Report is rooted in its insistence that the “unfair” prong, rather than the “deceptive” prong, of the Commission’s Section 5 consumer protection statute, should govern information gathering practices (including “tracking”). “Unfairness” is an elastic and elusive concept. What is “unfair” is in the eye of the beholder."
"Second, the current self-regulation and browser mechanisms for implementing Do Not Track solutions may have advanced since the issuance of the preliminary staff Report" and the Report does not adequately take account of this change.
"I am concerned that "opt-in” will necessarily be selected as the de facto method of consumer choice for a wide swath of entities that have a first-party relationship with consumers but who can potentially track consumers’ activities across unrelated websites, under circumstances where it is unlikely, because of the “context” (which is undefined) for such tracking to be “consistent” (which is undefined) with that first-party relationship: 1) companies with multiple lines of business that allow data collection in different contexts (such as Google); 2) “social networks,” (such as Facebook and Twitter), which could potentially use “cookies,” “plug-ins,” applications, or other mechanisms to track a consumer’s activities across the Internet; and 3) “retargeters,” (such as Amazon or Pacers), which include a retailer who delivers an ad on a third-party website based on the consumer’s previous activity on the retailer’s website.
"I question the Report’s apparent mandate that ISPs, with respect to uses of deep packet inspection, be required to use opt-in choice."

Ponemon Institute's 2011 Cost of Data Breach Study Released

blogs@foleyhoag.com (Colin J. Zick) — Sun, 25 Mar 2012 11:52:06 -0500

The annual Ponemon Institute report on data breaches has been released. Among the notable conclusions are the following:

• The average cost of data breach declined.

• Customers remained with companies following the data breach.

• Negligent insiders and malicious attacks were the main causes of data breach.

• Lost business costs from breaches declined.

• Detection and escalation costs declined but notification costs increased.

Taken together, these factors suggest that the process of dealing with data breach is maturing and becoming routinized. Companies know better how to deal with breaches, hence the decreased costs, and improved customer retention. This improved loyalty also is reflected in increased notification costs: companies are spending more but have more to show for it. It would appear we are heading to a state of affairs in which breaches are routine, expected and dealt with.

New Case Highlights Split of Authority Interpreting the Computer Fraud and Abuse Act

blogs@foleyhoag.com (Colin J. Zick) — Sun, 18 Mar 2012 18:43:18 -0500

by Brian P. Bialas

Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts, as highlighted by a recent case from the District of Minnesota.

In Walsh Bishop Associates, Inc. v. O’Brien, Civil Action No. 11-2673 (DSD/AJB), 2012 WL 669069 (D. Minn. Feb. 28, 2012), the court interpreted a provision of the CFAA, 18 U.S.C. § 1030(a)(2)(C), which subjects an individual who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” to civil liability should the plaintiff meet certain conditions. In particular, the court had to determine the scope of the phrase “exceeds authorized access,” which the CFAA defines as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The plaintiff argued that a person exceeds authorized access by accessing information in order to use it in a manner contrary to an employer’s interests and use policies. The O’Brien court, however, concluded, among other things, that subsection (a)(2) is not based on use of information, but rather access to information. Plaintiff’s interpretation therefore could not be correct and the court had to focus on whether the defendants accessed information that they were forbidden to access instead of how defendants intended to use the information they had obtained.

Other courts, including the District of Massachusetts, have come to a different conclusion regarding this language in the CFAA. In Guest-Tek Interactive Entertainment Inc. v. Pullen, 665 F. Supp. 2d 42 (D. Mass. 2009), Judge Gorton analyzed a different provision of the CFAA that also included both the “without authorization” and “exceeds authorized access” language. See 18 U.S.C. § 1030(a)(4). The defendants argued that the CFAA applies only to those lacking initial authorization and not those who subsequently misuse or misappropriate information. The plaintiff in response argued that the employee defendant’s alleged breach of his fiduciary duty of loyalty to the plaintiff (by copying files and secretly planning a competitive venture while still employed) effectively extinguished his authorization to access plaintiff’s computers. The employee defendant’s initial authorization to access the plaintiff’s confidential information was premised on the agency relationship between the parties, the plaintiff argued, and therefore when the employee breached his duty of loyalty he ended that relationship and constructively terminated his authorization to access the plaintiff’s files. Judge Gorton agreed with the plaintiff. He determined that the First Circuit advocated a broader reading of the CFAA in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). In that case, the court “upheld a CFAA claim against employees who had collected pricing information from their former employer’s website in order to develop a competing entity with lower prices.” Guest-Tek, 665 F. Supp. 2d at 45. The First Circuit found “that the former employees’ reliance on [plaintiff]’s pricing information reeked of use—and indeed, abuse—of proprietary information that goes beyond any authorized use of [plaintiff]’s website.” Id. (quotation and brackets omitted). The First Circuit’s analysis of the employees’ “authorized use” and “abuse” of the plaintiff’s proprietary information in Explorica, Judge Gorton ruled, undercut the Guest-Tek defendants’ plain language argument—the type of argument the court accepted in O’Brien.

These two cases show that employers can use the CFAA when employees depart to join or form competing companies, but the CFAA’s usefulness may be limited by the case law in the jurisdiction in which the employer sues. Employers therefore should consider where they can sue and the state of the law in those jurisdictions before filing suit. These cases also call attention to a split in case law that eventually may require resolution by the Supreme Court.

Phyisican Medical Identify Theft -- A Growing Problem?

blogs@foleyhoag.com (Colin J. Zick) — Sun, 18 Mar 2012 18:35:29 -0500

A recent issue of the Journal of the American Medical Association takes on the issue of physician medical identify theft; here's the abstract:

It took several months for one physician to learn that she was a victim of medical identity theft. This realization occurred after patients reported that her name was on their Medicare Summary Notices although they had never seen her. A fraudulent clinical practice had enrolled in Medicare using her name without her knowledge. Another physician had retired from clinical practice but decided to work part-time. Nearly 2 years after sending out job applications, he was asked by Medicare to return more than $350 000 in overpayments made to a practice he had interviewed with but never joined. The Department of Treasury began to garnish his Social Security payments for unpaid debts.

There's also an interesting interview with one of the authors, who holds an M.D. and J.D., discussing the consequences for physicians and their patients.

$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule

blogs@foleyhoag.com (Colin J. Zick) — Wed, 14 Mar 2012 07:50:00 -0500

The trend toward increasingly large health information breach settlements has continued with yesterday's announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA's Privacy and Security Rules, HHS's Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act's Breach Notification Rule.

The investigation started with a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the PHI of over 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, OCR found a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its privacy and security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.

Join Us on April 4 for a Discussion on FATCA Compliance, and the Latest SEC and Massachusetts Guidance on Social Media Use by Investment Advisers

blogs@foleyhoag.com (Colin J. Zick) — Mon, 12 Mar 2012 07:28:33 -0500

On April 4, Foley Hoag will be hosting a discussion on FATCA compliance, and the latest SEC and Massachusetts guidance on social media use by investment advisers.

FOLEY HOAG LLP | APRIL 4, 2012

Part of the Operational Risk Breakfast Club's Quarterly Series

The Operational Risk Breakfast Club provides the opportunity for senior investment management professionals to mix informally and gain advantages by gathering insights and information regarding key developments in the industry. The meetings are sponsored by Kinetic Partners and Foley Hoag on a quarterly basis.

Speakers:
Donald Babbitt, Kinetic Partners
Kip Cawley, Foley Hoag LLP
Terence Coppinger, Deloitte Tax LLP

Wednesday, April 4, 2012
Registration: 8:30 a.m.
Program: 9:00 a.m. - 10:00 a.m.

LOCATION
Foley Hoag LLP
Seaport West
155 Seaport Boulevard
16th Floor
boston, MA 02210

Breaking Down the White House Privacy Framework--a Video Blog

blogs@foleyhoag.com (Colin J. Zick) — Mon, 05 Mar 2012 05:31:38 -0500

Here is a video discussion I had with LexBlog on the new White House Data Privacy report, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” In this conversation, we discussed the report's four primary elements:

a Consumer Privacy Bill of Rights,
a multistakeholder process to specify how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts,
effective enforcement, and
a commitment to increase interoperability with the privacy frameworks of our international partners.

Specifically, in the Consumer Privacy Bill of Rights, it provides for:

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.