Information security professionals work within an enterprise to protect it from all non-physical threats to the integrity and availability of its data and systems. Performing this function draws security professionals into simultaneous, ongoing relationships between the enterprise on the one hand and, successively on the other, the enterprise's employees and other agents, its customers, suppliers, competitors, government officials and regulators, to say nothing of unidentified and sometimes unidentifiable actors. In short, the working environment for security professionals is a maelstrom. In determining which aspect of this multi-faceted environment needs your immediate attention, the law can help. Whether in the courts or in legislatures or agencies, the law addresses individual claims or interests more or less one at a time. As such, the way the law treats a particular topic provides one point of focus that may help you allocate effort and resources to best effect. This is the first article in a four-part series exploring the law of information security in the United States. The series is designed to be a resource for information security professionals in two respects. First, a legal perspective on security is valuable in itself, as an aid to defining the assets and interests to be protected and as the source of the prerequisites for and types of recovery available when breaches of security occur. Second, information about the intersection of law and information security will help information security professionals and their counsel work together more effectively. Each article in the series deals with information security in a particular context. The first article (below) addresses the legal framework for protection of information systems and the role of information security professionals in the creation of trade secret interests, one type of intellectual property. The articles that follow will discuss the law of achieving and maintaining a secure working environment, the criminal law aspects of information security, and the impact of national defense law and regulations on information security. Throughout the series, the focus will be on providing information that security professionals can bring to bear to improve the security of the people and businesses who depend on them. Part One: Protecting Private Sector Systems; Information Security Professionals and Trade Secrets Information security professionals work to protect both an enterprise's information technology systems and the enterprise's information itself. These functions are obviously related, and in practice, the division between them may be a bit artificial, but the division is helpful for organizing an introduction to the relevant body of law. Our discussion focuses primarily on the legal framework for the protection of information systems because the two functions most closely associated with information security professionals - protection from hackers and infection by viruses - occur at a systems level. The article ends with a comment on the role that security professionals play in the acquisition and maintenance of legal rights in trade secrets. In 2003, it is traditional, and may even be cliché, to describe the Internet as a "network of networks," but the definition remains true and it is helpful for understanding a fundamental legal point. The Internet neither perceives nor respects jurisdictional boundaries between states or between the United States and other countries. The networks that collectively form the Internet allow us to exchange information with people across any border or borders we wish. That capability is, after all, one of the fundamental advantages of being online. In legal terms, that means that network security is an issue that bears on the interstate and foreign commerce of the United States. The Constitution of the United States gives the Congress the right to regulate interstate and foreign commerce, and so it is no surprise to find that the primary sources of United States law for the protection of networks are federal statutes. CFAA - Computer Fraud and Abuse Act The starting point for a discussion of the current United States law of information security is the Computer Fraud and Abuse Act, 18 U.S.C.§ 1030 (the "CFAA"). The CFAA was originally enacted solely as a computer crime statute, but in its present form, it imposes both civil and criminal liability for a wide variety of acts that compromise the security of public and private sector computer systems. By the time this series concludes, we will have given the CFAA a fairly comprehensive review. For now, let's focus on the provisions that form the legal backbone for the protection of private sector systems. The core provisions of the CFAA apply to "protected computer[s]," a term that the act defines in sweeping terms. Under the CFAA, the term "protected computer" means "a computer - - "exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;" or
- "which is used in interstate or foreign commerce or communication [.]"
18 U.S.C.§ 1030 (e)(2). The first part of the definition reflects the CFAA's origins as a 1984 law enacted to criminalize intrusions to obtain classified information or financial data that were beyond the scope of state computer crime laws then in effect. The second part of the definition, the language that extends the CFAA's protections to any computer "used in interstate of foreign communication," is responsible for the great breadth of the CFAA's present applicability, because that language brings essentially every computer with Internet access within the scope of the statute. The CFAA imposes liability on anyone who: - Intentionally accesses a protected computer without authorization or in excess of authority, and by doing so, steals anything of value, other than the use of the computer itself, where that computer use is worth less than $5,000 in any one year period [1];
- Knowingly transmits a program, code or instruction, and as a result, intentionally causes damage, without authorization, to a protected computer [2];
- Intentionally accesses a protected computer without authorization, and as a result, causes damage, recklessly or otherwise [3];
- Knowingly traffics illegally in passwords or other access credentials that allow unauthorized access to a computer, if that traffic effects interstate or foreign commerce or the computer is used by or for the United States government [4];
- Threatening to damage a protected computer with intent to extort anything of value [5]; or
- Attempts to do any of the above [6].
Private parties "who suffer loss or damage" as the result of a CFAA violation have the right to sue. 18 U.S.C.§ 1030(g). The CFAA defines "damage" to include "any impairment to the integrity or availability of data, a program, a system, or information, that causes loss aggregating at least $5,000 in value during any 1-year period." 18 U.S.C.§ 1030(e)(8)(A) [7]. This language has been held to mean that where a CFAA claim seeks relief for economic damage, the claim must meet the $5,000 threshold. See, for example, in re: DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497, 520-23(S.D.N.Y. 2001). The CFAA has been amended repeatedly since its initial passage in 1984. The provisions prohibiting the transmission of destructive code was inserted into the CFAA in a 1994 amendment that was intended, in part, to respond to the then emerging threat of viruses. The private right of action was added at the same time. The concept of the "protected computer" discussed above was introduced two years later. These amendments have been made primarily to reflect evolving threats to information security, but they also reflect the useful idea that the current computer crime laws of the United States would be easier to find if the central (but not necessarily all the applicable) provisions were contained in a single statute. As such the CFAA is, and is likely to remain, the best, first place to begin formulating responses to information security issues arising under United States law. That does not mean, however, that the CFAA is the only place to look. Security professionals in enterprises that are particularly concerned with the protection or exploitation of copyrighted works (Web publications and media distribution services to name only the most obvious examples) should also be familiar with the Digital Millennium Copyright Act. DMCA - The Digital Millennium Copyright Act The Digital Millennium Copyright Act, 17 U.S.C. §1201- 05 (the "DMCA"), provides that "[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title [the Copyright Law]," and goes on to prohibit the "manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that - (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to [a copyrighted work]; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to [a copyrighted work]; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to [a copyrighted work]." The DMCA defines the term "circumvent a technological measure" [to] mean[] to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner. 17 U.S.C. §1201 (a). This provision of the DMCA assists licensors of digitized copyrighted works in restricting access to those who obtain access to it lawfully and are therefore entitled to decrypt the work. The DMCA contains analogous provisions prohibiting technology that circumvents "the protection afforded by a technological measure that effectively protects a right of a copyright owner." The DMCA also: (a) defines the term "circumvent protection afforded by a technological measure'' [to] mean [] avoiding, bypassing, removing, deactivating, or otherwise impairing a technological measure; and (b) states that a technological measure ''effectively protects a right of a copyright owner under this title'' if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner. 17 U.S.C. §1201 (b). This provision gives copyright owners legal recourse against anyone who removes technology that limits the use of copyrighted works to the uses authorized by the owner. It is important to note that the DMCA imposes liability for the removal of technological devices, regardless of whether or how those responsible then treat the formerly protected copyrighted works. Unauthorized uses of those works might or might not constitute infringement. Liability for infringement, if any, would arise separately, under the pertinent provisions of the Copyright Law. The DMCA focuses on the circumvention of technological measures specified, regardless of whether infringement occurs. Like the CFAA, the DMCA imposes both criminal and civil liability. With regard to civil remedies, the DMCA provides for the recovery of actual damages, the violator's profits, and statutory damages ranging up to $2,500 per act of circumvention, or per device, product, component, offer, or performance of service. Damages may be trebled (tripled) where the injured party proves that the current violation occurred within three (3) years after the entry of judgment against the defendant for a previous violation. Injunctive relief and the recovery of attorney's fees are also available. 17 U.S.C. § 1203. State Laws - Filling the Gaps Left by CFAA and DMCA As important as they are, the CFAA and the DMCA do not provide a comprehensive legal response to the entire range of possible system security violations. In certain cases, evidence satisfying the $5,000 damage threshold for an action for economic relief under the CFAA may be difficult or impossible to come by, and the applicability of the DMCA is expressly restricted to the protection of copyrighted works. In such circumstances, state laws, both those specifically aimed at information security and common law concepts developed long before the information age, may fill the gaps. A survey of state computer crime laws is far beyond the scope of this series, but it is worthwhile to address one example of how state law supplements the federal statutory provisions discussed above. Let's begin with the idea that at a basic level, a secure system enables its proprietors to control when and how the system's resources are used. To assert control, system proprietors set terms and conditions for access, and users obtain access to users only when, and for as long as, they agree to abide by those terms. When access restrictions or limitations are exceeded, the system operator loses control of some portion of the resources it would otherwise have to respond to user needs. In theory, this loss of control results in an injury, even if the proportion of the resources involved is small and difficult to quantify. The CFAA may not be terribly helpful in this situation. No data has been lost, nothing has been corrupted, and the prospect of meeting the $5,000 damage threshold seems remote. On similar facts, a state law theory, generally known as trespass to chattels [8], has been important in two well-known cases. A basic statement of the trespass to chattels theory states that: "One who uses a chattel with the consent of another is subject to liability in trespass for any harm to the chattel which is caused by or occurs in the course of any use exceeding the consent, even though such use is not a conversion." Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 249 (S.D.N.Y. 2000) (citations omitted). Let's look at how this legal theory has been applied to information security issues. In eBay Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (ND Cal., May 24, 2000), eBay, the well known Internet auction service, was confronted by routine, multiple, recursive searches of its database conducted by Bidder's Edge, a now defunct aggregator of auction sites, using software robots that exceeded eBay's limitations on robotic access. Negotiations between the parties aimed at providing Bidder's Edge with additional authorized robotic access to eBay's database were unsuccessful, and Bidder's Edge continued to conduct searches without eBay's authorization, depriving eBay of control of its own system. Ebay sued, seeking an injunction to stop Bidder's Edge from conducting such searches, on a trespass to chattels theory. In ruling for eBay, the court wrote: "Although there is some dispute as to the percentage of queries on eBay's site for which BE [Bidder's Edge] is responsible, BE admits that it sends some 80,000 to 100,000 requests to plaintiff's computer systems per day. Although eBay does not claim that this consumption has led to any physical damage to eBay's computer system, nor does eBay provide any evidence to support the claim that it may have lost revenues or customers based on this use, eBay's claim is that BE's use is appropriating eBay's personal property by using valuable bandwidth and capacity, and necessarily compromising eBay's ability to use that capacity for its own purposes. ...The law recognizes no such right to use another's personal property. ...If preliminary injunctive relief were denied, and other aggregators began to crawl the eBay site, there appears to be little doubt that the load on eBay's computer system would qualify as a substantial impairment of condition or value. California law does not require eBay to wait for such a disaster before applying to this court for relief." [9] The same rationale was applied in Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 249 (S.D.N.Y. 2000) to enjoin an unauthorized use of Register.com's database by software robots employed by Verio, Inc. ("Verio"). In the Register.com case, the court's discussion made clear that relief under a trespass to chattels theory was available where economic relief under the CFAA was not. In sum, federal statutes and state laws collectively provide a framework for legal responses to information security threats in the private sector. You should be aware that the application of the theories of liability discussed above requires individual analysis by counsel, particularly given the considerable variation between the laws of various states. Proprietary Information - Information Security Professionals and Trade Secrets The law provides a variety of theories through which legal rights in certain kinds of information may arise. Many, but not all, information based resources fall within the four categories of intellectual property: (1) trade secret, (2) trademark and service mark, (3) copyright; and (4) patent. Information security professionals do important work in protecting information based resources of all types, but they have a particular relationship with trade secrets that merits attention. State law is the primary source of rights in trade secrets. At this writing, forty-three (43) states and the District of Columbia have adopted the Uniform Trade Secrets Act ("UTSA"), which means that they have decided to adopt a common legal approach to the law of trade secrets and that variations between them, if any, will be minor [10]. The UTSA defines a "trade secret" to mean "information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. UTSA, § 1. Even in states that have not adopted the UTSA, trade secret protection generally requires some element of secure and restricted access to the information in question [11]". As the UTSA definition of "trade secret" makes clear, and as the term itself implies, the law will only permit a party to control information as its trade secret only if the information involved is, in fact, secret. This means that security professionals play a direct role to play in the actual creation and maintenance of trade secret interests. Put another way, security professionals are the people who make whatever "efforts are reasonable under the circumstances" to maintain secrecy of information that the enterprise seeks to have protected as a trade secret. An enterprise will look to its information security professionals to implement and maintain the security measures that lie at the heart of every claim for trade secret protection that the enterprise intends to make. That said, it does not fall to security professionals to determine what the UTSA's "reasonable under the circumstances" language means with respect to every such claim for trade secret protection. To function effectively, security professionals require guidance as to what is reasonable given the information involved, beginning with a businessperson's assessment of the actual or potential economic value of the information to be protected, as well as an estimate how long that value will persist. "Reasonable" security for the secret formula for a product that has sold well throughout the world for generations with every sign of continuing to do so (e.g., the formula for Coca-Cola) will look very different from reasonable security for next month's advertising campaign, which will be public knowledge as soon as it is launched. Defining "reasonable security under the circumstances" is a matter of balancing security concerns with business and legal considerations. If the balance is not struck correctly, the enterprise suffers. Too little security results in the loss of the enterprise's ability to obtain or maintain its trade secret interest. Excessive security controls may achieve the legal goal of securing the treatment of the information involved as a trade secret by sacrificing the ability to maximize the return on investment in the development of trade secret.. The point is that security professionals are vitally involved, by definition, in the creation and maintenance of trade secrets, and that this is one of the few areas in which information security leads to the actual creation of resources, with obvious benefits to the bottom line. Given that an extremely broad spectrum of information can be protected as trade secrets, and that trade secrets begin to emerge at, or very nearly at, the start of most information technology projects, dynamic cooperation between business, legal and security professionals can yield important benefits. References [1] 18 U.S.C.§ 1030 (a)(4) subjects anyone to liability who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." [2] 18 U.S.C.§ 1030 (a)(5)(A) subjects anyone to liability who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." [3] 18 U.S.C.§ 1030 (a)(5)(B) subjects anyone to liability who intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; 18 U.S.C.§ 1030 (a)(5)(C) subjects anyone to liability who intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage." [4] 18 U.S.C.§ 1030 (a)(6) subjects anyone to liability who "knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if - (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States." [5] 18 U.S.C.§ 1030(a)(7) subjects anyone to liability who "with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer." [6] 18 U.S.C.§ 1030(b) subjects anyone to liability who "Whoever attempts to commit an offense under subsection (a) of this section [defining the offenses listed above]." [7] The definition of damage under the CFAA also includes "any impairment to the integrity or availability of data, a program, a system, or information, that (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety." 18 U.S.C. § 1030(e)(8)(B)-(D). [8] A chattel means any personal property, including of course, computer systems. Because state laws vary, the same or similar concepts may be addressed by different states using different names. Trespass to chattels in one state may be interference with property in another. [9] eBay, 100 F.Supp. 2d at 1071-72 [10] For reasons far beyond the scope for this series "Uniform" in this context does not mean that states that enact so-called "uniform laws" have total legal uniformity in the areas those laws address. [11] See generally, Restatement (Third) of Unfair Competition, § 39 ("A trade secret is any information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.")(Restatements summarize the law of various states, although they do not necessarily state the law of any particular state). |
