The Ninth Circuit Holds that California’s Anti-Hacking Law, Penal Code Section 502, does not Proscribe Unauthorized “Access” to a Database; Rather, the Section Prohibits Unauthorized Use, Copying, or Manipulation of Information in the Database

California’s Computer Data Access And Fraud Act, Cal. Pen. Code, § 502 (“CDAFA”) is a state law analog to the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”).  Both are aimed at fighting unauthorized intrusions into electronic data (for a primer on these statutes, see “Strategies For Businesses Protecting Electronic Data Within California” here).  (See Craigslist Inc. v. 3Taps Inc. (N.D. Cal. 2013) 942 F.Supp.2d 962, 968 [identifying the CDAFA as a state law corollary to the federal statute].)

However, at least according to one federal court, there is a significant difference between the California and federal statute.  (United States v. Christensen (9th Cir. 2016) 828 F.3d 763, 789.)  By way of background, the CFAA requires that a defendant access a protected computer “without authorization.”  (18 U.S.C. § 1030(a)(5)(A)-(C); see also LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, 1133.)  Thus, the focus of a purported violation of the CFAA is whether an alleged hacker has accessed a computer without authorization or has exceeded a specific authorized access.  The CFAA is not applicable to a person who is authorized to access a computer or parts of the computer but who, in so doing, misuses or misappropriates information.  (United States v. Nosal, (9th Cir. 2012) 676 F.3d 854, 863-864.)

Section 502(c) of the CDAFA lists a number of violations with the following language as a precondition:  “[k]nowingly accesses and without permission . . . .”  Thus, the section provides that a person who commits, inter alia, any of the following acts is guilty of a public offense:

(1)       [k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;

(2)       [k]nowingly accesses and without permission takes, copies, or makes use of any data from computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network;

. . . .

(4)       [k]nowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network;  . . .

(Emphasis added.)

In United States v. Christensen, supra, 828 F.3d 763, concerning particular identity theft jury instructions, the criminal defendant relied upon United States v. Nosal, supra, 676 F.3d at p. 864, and claimed that a section 502(c)(2) violation requires that use of a computer or database be “unauthorized.”  The defendant asserted error because the trial court did not so instruct the jury.  However, the court of appeals rejected the argument.

The federal court ruled that “access,” as used throughout California’s section 502(c), in contrast to the federal CFAA, does not require “unauthorized” access to a computer, but merely requires knowing access.  (Id. at p. 789.)  According to the court, what makes access unlawful under section 502(c)(2) is that an alleged hacker “without permission takes, copies or makes use of” data on the computer.  (Ibid.)  “A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information.”  (Ibid.; emphasis added.)  It does not criminalize unauthorized access to a computer, database or data.  In sum, the court held:  “We conclude that the term ‘access’ as defined in the California statute includes logging into a database with a valid password and subsequently taking, copying or using the information in the database improperly.”  (Ibid.)

There is currently a split of authority in the California courts on the issue which Christensen addressed.  Christensen itself acknowledged this split.  (Ibid.)  On the one hand, there is Chrisman v. City of Los Angeles (2007) 155 Cal.App.4th 29, 34-35, in which the Court of Appeal held that unauthorized “access” meant “breaking into a computer.”  On the other hand, there is Gilbert v. City of Sunnyvale (2005) 130 Cal.App.4th 1264, 1281, in which the Court of Appeal emphasized that “[k]nowingly accessing and without permission making use of any data from a computer system” is a crime under section 502.  The Gilbert court did not discuss unauthorized access to a computer or database.

Christensen rejected Chrisman and ruled consistently with Gilbert.  It seems that the Christensen holding (as well as Gilbert) is the more textually grounded ruling.  The statutory phrase in section 502 “without permission” modifies the taking or use of information in a database and not the initial access of the computer or database itself.  How the California Supreme Court may resolve the issue, if and when presented, remains to be seen.

*This blog post was assisted by Gabriella S. Perez, a third-year student at Loyola Law School.

SEC Urges Investment Firms to Better Prepare for Ransomware Attacks

On May 17, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert urging broker-dealers, investment advisers and investment companies to safeguard themselves against ransomware in light of the recent global “WannaCry” ransomware attack, which impacted entities in over one hundred countries, including Britain’s health system and major companies such as FedEx and Telefónica.

The OCIE examined 75 SEC registered firms to assess “industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.”  The OCIE focused on these firms’ cyber-risk assessment, penetration testing, and system maintenance, and found that:

  • 5% of the broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and potential business consequences;
  • 5% of broker-dealers and 57% of investment advisers and funds did not conduct penetration tests and vulnerability scans on critical information systems;
  • 10% of the broker-dealers and 4% of investment advisers and funds had not updated a number of critical and high-risk patches to maintain the integrity and security of their information systems even though these firms had a process in place for regular system maintenance.

Given that the WannaCry ransomware attack might have been conducted by a breach via Microsoft’s Remote Desktop Protocol or Windows Server Message Block version 1, the alert encouraged firms to evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.  The OCIE alert also directed firms to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT Alert TA17-132A, about actions firms might consider in reaction to the latest ransomware incident.

The OCIE’s risk alert and examination of 75 SEC-registered firms underscore the fact that the SEC is making cybersecurity and cybersecurity practices (and thus cybersecurity disclosures) undertaken by public companies one of its primary focuses.  As Nossaman reported in its May 11, 2017 blog post, “because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit” for the SEC.

Settlement in Home Depot Class Action Provides Data Security Corporate Governance Framework for Companies

The latest settlement in Home Depot’s data breach litigation provides a data security framework for corporate governance that may be used by other companies as a template.  Based on claims arising from a massive data breach in 2014 involving 56 million credit cards, Home Depot Inc. recently settled both a shareholder derivative action and a class action filed by financial institutions.  Both settlements were filed and approved by the U.S. District Court for the Northern District of Georgia.  As part of a third settlement of a direct consumer class action in 2016, Home Depot had already agreed to set up a $19.5 million fund to reimburse its affected consumers, and to hire a chief information security officer (CISO).

The recent settlement in In re: The Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 15-cv-02999, provided nine corporate governance provisions that focus on corporate reform in data security and were designed to improve Home Depot’s ability to prevent and respond to future attacks.  Home Depot and its board of directors agreed to:

(i) document the duties and responsibilities of the newly-hired CISO;

(ii) periodically conduct tabletop cyber exercises to validate Home Depot’s processes and procedures, test the readiness of its response capabilities, raise organizational awareness and train its personnel, and create remediation plans for issues and problem areas;

(iii) monitor and periodically assess key indicators of compromise on computer network endpoints;

(iv) maintain and periodically assess the Company’s partnership with a dark web mining service to search for confidential Home Depot information;

(v) maintain an executive-level committee focused on the Company’s data security;

(vi) receive periodic reports from management regarding the amount of the Company’s IT budget and what percentage of the IT budget is spent on cybersecurity measures;

(vii) maintain an incident response team and an incident response plan;

(viii) maintain membership in at least one information sharing program; and

(ix) retain their own IT, data and security experts and consultants as they deem necessary.

The Home Depot shareholder derivative settlement agreement offers a valuable example of cybersecurity-focused corporate governance practices to all companies, including consumer-facing retailers, for implementing data breach protections and conducting post-breach remedial actions.  Additionally, companies should consider using tools such as Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs); these assessments are designed to evaluate privacy and security frameworks and are also important in identifying risks and implementing the processes necessary to meet regulatory and business expectations.

SEC Hints that Enforcement Actions on Lax Cybersecurity Might Be Coming

With the confirmation of Jay Clayton as the Chair of the Securities and Exchange Commission, comments made last month by the Acting Enforcement Director, Stephanie Avakian, regarding the importance of accurate reporting in the area of cybersecurity, and consequences of inaccurate reporting, may get lost.  At a speech last month, Ms. Avakian, on behalf of the SEC, told an audience of corporate attorneys, “We’ve not brought an action in that space.  Could I see a circumstance where we do?  Absolutely.” Ms. Avakian softened these comments later in the speech, however, suggesting the SEC was not looking to second-guess good faith disclosure decisions.

Going forward, though, how should public companies react to Ms. Avakian’s statements?  With at least some degree of caution.  After all, the SEC has a history of homing in on an area of interest and filing lawsuits in waves.  Take the glut of lawsuits filed in the mid-2000s regarding backdated stock options, for example.  What started as a compensation system used by thousands of companies turned into a key target for the SEC’s Enforcement Division, with dozens of civil lawsuits filed, and a number of officers and directors going to prison in related criminal actions.  Cybersecurity reporting is obviously not the same as stock option backdating.  However, like backdating, it has been repeatedly described as an area of focus for the SEC.  And because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit.  Hackers are not going away, and it is likely that every company will be compromised at some point.  So what will happen if the Enforcement Division decides to look closely at the disclosures of public companies after hacking events?

No one knows for sure.  There is no reason to believe that companies that take good faith measures will be the target of an enforcement action.  But one can look to the FCC’s pursuit of companies that it believes failed to take proper steps to secure their data for a hint at what may come.  These companies, such as Wyndham Hotels, thought they had taken good faith cybersecurity measures, and still ended up in the crosshairs.  For now, the only recourse public companies can take is to review their reporting disclosures for accuracy and keep an eye on how the SEC handles matters going forward.

Broadband Internet Service Providers no Longer Subject to FCC Privacy Rules Preventing them from Selling Private Consumer Information

Both the House (215-205) and Senate (50-48) have voted to revoke the Federal Communications Commission’s (FCC) broadband privacy rules, which would have forced broadband Internet Service Providers (ISPs), such as Verizon, Comcast and Charter, to obtain affirmative “opt-in” consent from consumers before using and sharing their sensitive personal information.  Sensitive information includes things such as precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage and the content of communications.  The regulations would have also required ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared.  The FCC proposed the new regulations in March 2016 and formally adopted them in October 2016, just days before the presidential election.  President Trump dealt the FCC regulations their final blow by repealing the online privacy rules on April 3rd.

Proponents of the regulations claim that reversing the regulations opens the door for ISPs to sell customer data to third parties and leaves a gaping hole in federal privacy protections.  The proposed regulations would have subjected broadband ISPs to the privacy requirements of Section 222 of the Communications Act.  That, say opponents of the regulations, was an overstep of the FCC’s authority, and such opponents claim further that the FCC does not have the right to regulate ISPs at all.  Prior to such regulations, ISPs had never had special privacy rules specifically applicable to them.  The FCC defended its right to implement privacy rules specific to ISPs by claiming that ISPs were actually common carriers, similar to utility providers, which the FCC does have the authority to regulate.  Common carriers are subject to Title II of the Communications Act.  Opponents of the regulations argue that, in addition to overstepping its jurisdiction, the FCC seemed to be picking winners and losers in the marketplace, because while ISPs and websites, such as Google or Facebook, both compete for online generated consumer data, only ISPs would be subject to the proposed regulations.

The vote in Congress to revoke the proposed regulations was primarily drawn on party lines with Democrats in the House and Senate unanimously voting to keep the privacy rules in place and all Senate Republicans and all but 15 House Republicans voting to eliminate the rules. The current FCC Chairman, Ajit Pai, was also in agreement with Republicans, arguing that ISPs should not face stricter rules than website operators. Pai was in the commission minority when the proposed regulations were passed last year.

Trump Budget Raises Questions about Approach to Cybersecurity

On Thursday, March 16, 2017, President Trump unveiled his “America First” budget blueprint.  One of the most important quandaries for those in the cybersecurity world is how the proposal to reorganize the executive branch to improve “the Federal Government’s effectiveness, efficiency, cybersecurity, and accountability” will impact our nation’s cyber defenses since overall spending in this area will decrease from the prior administration.

The President’s budget proposes to (i) support “the Office of Electricity Delivery and Energy Reliability’s capacity to carry out cybersecurity and grid resiliency activities”; (ii) safeguard cyberspace “with $1.5 billion for [Department of Homeland Security] activities that protect Federal networks and critical infrastructure from an attack”; (iii) strengthen cybersecurity in the Department of the Treasury “by investing in a Department-wide plan to strategically enhance existing security systems and preempt fragmentation of information technology management across the bureaus, positioning Treasury to anticipate and nimbly respond in the event of a cyberattack”; and (iv) strengthen “NASA’s cybersecurity capabilities, safeguarding critical systems and data.”  Those are excellent goals, all designed to increase cybersecurity.  But the President’s request for $1.5 billion for DHS’s “continued development of strong cybersecurity defenses” is also less than 8% of the $19 billion requested by the Obama administration last year to address the same cybersecurity concerns.

The goal of the budget in this area relies on increased efficiency – federal agencies doing more with less.  The focus on efficiency in addressing cybersecurity concerns was underscored by White House advisor Thomas Bossert’s statement the day before the blueprint’s release, that the administration would be scoring agencies on implementation of a cybersecurity framework.  The administration plans to require federal agencies to adhere to the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).  Bossert said the administration will require agencies to submit a report to DHS, the Office of Management and Budget, and the White House, which will serve as the basis for the administration’s evaluation and scoring of the agencies’ efforts.  Only time will tell if the goal of increased efficiency will be effective against the increasing prevalence of cyber attacks, but America will be watching closely.

Google Ruling may give Government an Opening to Broaden its Power Under Outdated Stored Communications Act

As technology progresses and the world becomes even more interconnected, the scope of the Stored Communications Act (“SCA” or “Act”) has become a topic of much interest in the federal courts. One question courts have grappled with lately is whether law enforcement may subpoena data stored on foreign servers under the Act. A recent ruling by Magistrate Judge Rueter of the Eastern District of Pennsylvania in In re Search Warrant No. 16-960-M-01 to Google (“Google ruling”) may give the government all the incentive it needs to continue taking a broad reading of its powers under the Act.

As background, when the SCA was passed in 1986, it empowered the government to compel service providers to disclose customer information via subpoena, court order or warrant.  Recently, search warrants for data issued pursuant to the Act have become a crucial tool in government investigations, whereas technology companies have been pushing back on such data requests, which they believe are overly broad.

Faced with this situation, Judge Rueter ordered Google to comply with search warrants to produce emails stored abroad.  This was particularly interesting because it contradicted a ruling issued by the Second Circuit just seven months ago, where the court held that the government could not enforce a search warrant for user data on Microsoft servers in Ireland because the focus of the Act is user privacy, which would be invaded when the user data is seized in a foreign country.

Judge Rueter saw things differently, stating that the “two warrants executed upon Google . . . do not constitute extraterritorial application of the SCA.”  He held that the court “must analyze where the seizures, if any, occur and where the searches of user data take place.”  He ruled that warrants issued to Google pursuant to the Act were legal because invasion of privacy would not take place outside of the United States, but would take place within the United States once the government began reviewing the data.  Focusing on the Supreme Court’s Fourth Amendment jurisprudence, Judge Rueter reasoned that transferring data to California from an overseas server “does not amount to a ‘seizure’ because there is no meaningful interference with an account holder’s possessory interest in the user data.”  He noted that, in fact, “Google regularly transfers user data from one data center to another without the customers’ knowledge.”  As for searches, the judge held that because the warrants required Google to turn over the data to FBI agents in the U.S., the search would occur in the United States.  Accordingly, he held:

“[T]he invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.  These cases, therefore, involve a permissible application [of] the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

The Google ruling gives the government an incentive to press on with broadening its power under the Act.  With contradictory rulings in this area, it will be interesting to see how other circuits will handle issues on this topic.

NARUC Release of Cybersecurity Guidelines should have Utility Companies on High Alert

On January 30, 2017, the National Association of Regulatory Utility Commissioners (“NARUC”) released Version 3.0 of “Cybersecurity A Primer for State Utility Regulators.”  This cybersecurity overview is an important reminder to public utilities to be prepared for cyber threats.

Then again, public utilities probably don’t need a reminder after a cybersecurity event that occurred at the end of last year.  In December 2016, the Burlington Electric Department reported the presence of malware on one of its employees’ computers.  The computer was not connected to the electric grid at the time, and the utility quickly isolated the laptop and coordinated with federal authorities to eradicate the problem.  But it was still a nerve-wracking development – experts have long warned that public utilities could be targeted because of the widespread impact a well-executed hack could have.  And here, even though the electric grid was not compromised, it still became a public relations headache because several news outlets incorrectly reported that the malware-infected computer was, in fact, connected to the grid, endangering vital infrastructure.

In light of increasing threats, state and federal regulators are developing guidance documents, and several state public utility regulators, such as Connecticut’s, have prepared cybersecurity action plans.  The American Water Works Association (“AWWA”) also recently released guidance for water utilities regarding the protection of systems infrastructure.  This momentum is likely to lead to increasingly stringent regulatory requirements regarding cybersecurity plans, policies, and practices for public utilities in the United States.

These guidance documents are also valuable tools for public utilities, particularly small and midsize utilities that are looking to strengthen their cybersecurity protections but may not have the resources to implement a plan from scratch.  The leading thinkers in this area advocate that public utilities develop cybersecurity plans to protect three different operational components:  information technology (IT) systems, operational technology and control systems (i.e., SCADA systems), and the smart grid.  While protecting IT systems falls within the ambit of traditional cybersecurity planning, the latter two areas are unique to the public utility industry.  A public utility’s data security breach plan should address all three functional areas with respect to how it will defend its systems as well as how it will respond in the event of a potential breach.

Resources from institutions like NARUC or AWWA provide invaluable insights on how public utilities can take steps to protect the unique features of their operations.  Unfortunately, cyber threats are not going away, so public utilities must be prepared.

New York Department of Financial Services Delays Compliance Deadline for Cybersecurity Regulations

On October 25, the Privacy Law Report featured a blog post on new cybersecurity regulations being implemented by the New York Department of Financial Services (“DFS”).  Those regulations impose a number of requirements on financial institutions, including banks and insurance companies, such as the implementation of cybersecurity programs, the manner in which those companies handle data breaches, and the necessity for those companies to appoint a chief information security officer.  While these rules certainly advance a good cause, there has been significant pushback from the banks seeking more time before the rules go into effect.  In particular, smaller institutions have complained that the rules provide no differentiation between small and large institutions.  Because of these concerns, the DFS has now agreed to move the compliance date from January 1 to March 1.

It will be interesting to see how the coming months will play out.  It shouldn’t come as a major surprise that these companies have pushed back – the rules will require them to implement changes that will require additional manpower and cost.  And as noted, this is a particular concern for smaller companies, for which the increased expense will have a larger impact.  It is no secret that the cost of defending against cyber attacks has long been discussed as a major limiting factor in the world of cybersecurity.  Nonetheless, these DFS rules will be the first of their kind, and thus may have a broad impact on shaping the drafting of cybersecurity rules to be implemented by other state agencies.  When these rules go into effect, companies should pay close attention to how the DFS tests its new rules and regulations, in addition to any changes to the draft rules.