Articles Posted in Data Breach

The federal Computer Fraud and Abuse Act (CFAA) was intended to be an anti-hacking criminal statute to go after people who hack into databases and computer systems without authorization to misappropriate data. However, certain prosecutors have attempted to expand their powers under the Act and use the Computer Fraud and Abuse Act to prosecute people who were not intended to be covered by the law.

In a federal criminal case out of California, prosecutors charged a defendant with violating the Computer Fraud and Abuse Act for violating certain computer-related policies of his employer. In this case, the defendant was an employee of an executive recruiting company named Korn/Ferry. He left the company to start a competing company. The defendant contacted some of his former co-workers who were still working at Korn/Ferry and asked them to download confidential information from the Korn/Ferry computer system to assist the defendant with his new company. The employees were allowed to access the Korn/Ferry computer database because they still worked there. However, Korn/Ferry’s policies did not allow them to use the information in the database to help a competing business.

The United States Attorney’s Office charged the defendant with violating the Computer Fraud and Abuse Act for aiding and abetting the Korn/Ferry employees in exceeding their access to the Korn/Ferry computer system to defraud the company. The criminal defense attorneys moved to dismiss the CFAA charges. They argued that the CFAA was intended to punish hackers who access computer databases without authorization, not people who have authorization to access a computer database but misuse the information in violation of company policy.

A crime that is not commonly charged but still exists in Florida deals with a person accessing a computer without authorization to take trade secrets or other confidential data. This came up in a recent criminal case after the defendant was charged with accessing her company’s client list, downloading it to her private computer and then using the client list for purposes not permitted by the company.

The defendant was actually charged with two crimes: 1) unlawfully accessing a computer database, and 2) obtaining trade secret or confidential data. Both charges are third-degree felonies and are punishable by up to five years in prison. The first charge, unlawfully accessing a computer database, involves knowingly accessing, disrupting or destroying a computer or computer network without authorization. This obviously includes hacking into a computer system without authorization to view or take computer data. The second charge, obtaining trade secret or confidential data, involves knowingly and without authorization taking or disclosing data on a computer or computer network that are considered trade secrets or confidential under Florida law.

In this case, the defendant was not convicted of unlawfully accessing a computer database since she was an employee and had the right to access the information. However, she was convicted of obtaining trade secret or confidential data because she was not entitled to take the data and transfer it to her own computer for her own use.

With computer crimes becoming more prevalent as more people obtain computers and similar networking devices, state and federal governments are enacting new laws to respond to the increasing number of crimes. The Obama administration recently announced a new proposed law dealing with various cyber security issues. The new law would address several areas. It would establish a national, standardized data breach reporting system for businesses to notify customers when they have had a breach of their security systems where financial or identification information may have been lost. Currently, various states have different laws that may or may not require a company to notify a customer when there has been a breach in their security and potential loss of people’s financial and identification information.

The law would also set minimum sentences for people convicted of computer crimes related to hacking into networks and stealing information.

Finally, as we have seen in other contexts, the lines of communication among the various governmental departments that deal with cyber crimes are not exactly open, and it can be unclear which government agency is responsible for investigating the matter. When one government department will not share information with another, complicated cyber crimes often go unsolved. The new law will attempt to rectify that problem so the government can be more efficient in dealing with cyber crime. We’ll see how that goes.

A hacker gained access to the computer network at the University of Florida, which contains the personal information of approximately 97,000 people, according to an article. The University of Florida initiated an investigation after the data breach was discovered, but it was not clear if the personal information was successfully accessed.

Due to the proliferation of computers, the Internet and computer networks, companies have increasingly stored the personal and financial information of clients and employees on their computer networks. As a result, hackers and thieves have increased their efforts to obtain this information that is often easily accessed and unencrypted on company networks. Florida law requires companies that have had their networks compromised to follow certain procedures or face severe financial penalties and bad publicity that could severely damage the company. At a minimum, if a company experiences a data breach of its network and personal information is materially compromised, the company should conduct a thorough investigation to determine if harm has, or likely will, come to those whose information may have been accessed. Records of this investigation and the results must be kept for five years.

Depending on the results of the investigation and the extent of the data breach, Florida law may require the company to do more, including notifying all of the individuals whose information was compromised. If you suspect your company’s network has been breached and personal information has been compromised, visit our website or contact us for more information about what Florida law requires your company to do.

Heartland Payment Systems is a credit card processing company that handles 100 million credit card transactions per month. They recently went public with the fact that their network was breached and unauthorized access was gained to those credit card transactions. The company did not know, or did not disclose, which and how many credit card records were compromised, but they did say that the records accessed were sufficient to allow hackers to make duplicate credit cards.

In Florida, if a company that maintains certain identification or financial information about others suffers a material breach of its network or files, an important legal duty is triggered. Failure to comply with that legal duty could subject the company to costly penalties and severe damage to its reputation. When a company has reason to believe its network has been materially compromised, Florida law requires the company to conduct a reasonable investigation to determine the extent of the breach and whether harm has, or likely will, come to any of the individuals whose data are maintained. This investigation must be thoroughly documented. Depending on the results of that investigation, the company may be required to notify individuals of the data breach.

If you work for a company in Florida and have had your network breached, or have reason to believe your network has been breached, you can learn more about your legal rights here or contact us to learn more about what Florida law requires when a data breach occurs.
