ABA Section of Business Law
That firm approach
Two client advisories, from Web danger to revised rules on takeovers
Editor's note: Business Law Today feels that it's a useful service to readers to give occasional updates on recent trends in the field. From time to time the magazine will publish edited versions of client advisories originally produced by law firms. We start with the two on these pages; firms are welcome to submit their own for our possible future use. Please note our guidelines at www.abanet.org/buslaw/bltnew..
By DAVID BENDER
Could hackers bring e-commerce to its knees?
The proliferation of the "I love you" virus, which last spring infected more than a million computers worldwide, raised some interesting legal issues. Just for starters, is there jurisdiction over perpetrators whose conduct took place outside the nation (or state) where the injury was felt? May a victim recover damages? And, may liability be imposed on employers or others who have actively or passively assisted or permitted the conduct? It has become apparent that, just as the Web offers exciting opportunities for new and existing legitimate businesses, it also provides a plethora of novel opportunities for illegitimate activity. And the law is being called on to rise to the challenge.
Although computer abuse is quite a common phenomenon today, it catches the public eye only when it results in some cause célèbre. The publicized episodes comprise but the tip of the proverbial iceberg. The reason is that, notwithstanding last spring's virus, computer abuse is generally directed against a single company, rather than across the Net. And usually the targeted victim is reluctant to publicize the incident for fear of informing other would-be malfeasors, as well as shareholders, competitors and customers, of its vulnerability. In addition, victims have often been unable to interest a prosecutor or obtain a private remedy.
In the United States, various types of proscription have been tried through a combination of federal and state statutes directed primarily to abuse involving stand-alone (that is, nonnetworked) computers, the environment contemplated when most of these statutes were enacted. The increasing number of cases decided under these statutes suggests that this approach serves reasonably well to guard against computer abuse in that environment.
But it is not yet clear whether this federal and state statutory scheme will adequately protect against abuses involving the Internet. Further, in some other nations, which lack laws specifically directed to computer abuse (let alone network abuse), it is unclear whether the general criminal laws will reach this type of conduct.
Because computer abuse often results in major injury, an effective civil remedy would be salutary. But the reality is that most computer abusers are effectively judgment-proof. Accordingly, efforts to dissuade them through the enactment of statutes have focused largely on criminal statutes (some of which also provide a private cause of action).
Two primary federal statutes aimed at computer crime are the Computer Fraud and Abuse Act of 1984 (CFAA) and the federal wire fraud statutes.
The CFAA, 18 U.S.C. § 1030, was enacted in 1984. Reflecting the march of computer and Internet technology, as well as the ingenuity of perpetrators, this statute has been amended several times. In its present incarnation, it proscribes some seven types of activities.
First, it criminalizes unauthorized access to a computer and obtaining information relating to the national defense of the United States. It also prohibits intentional unauthorized access and obtaining financial information from a financial institution, the federal government, or a "protected" computer (that is, a computer used by the federal government, by a financial institution, or in interstate or foreign commerce or communication), if the conduct involved interstate or foreign commerce or communication. And it proscribes intentional unauthorized access to a nonpublic federal computer.
In addition, it prohibits the unauthorized access to a protected computer with intent to defraud, and obtaining through that access a thing of value (except where the thing of value is use of the computer itself, or an aggregated value of not more than $5,000 in one year). Next, it prohibits an intentional transmission that damages a protected computer, or intentional unauthorized access to a protected computer that causes damage.
Further, it criminalizes intentional trafficking in passwords with intent to defraud, where there is an effect on interstate or foreign commerce or the computer is used by or for the federal government. And finally, it proscribes the intentional transmission in interstate or foreign commerce of any threat to damage a protected computer, with intent to extort. Several of these sections relate to activities that pertain to the Internet. The statute also states expressly that it does not prohibit the lawful exercise of law enforcement activity, and it provides a civil right of action.
The federal wire fraud statute, 18 U.S.C. § 1343, is also available to prosecute those engaging in fraudulent schemes via the Internet. Wire fraud by way of the Internet occurs when an individual devises a scheme to defraud, and then sends over the Internet, in interstate or foreign commerce, a transmission for the purpose of perpetrating the fraud. The interstate aspects of Internet transmission are especially interesting because, unlike the case of telephone transmission, there is at any given time no prescribed transmission path between two Net users, and no way of predicting the path that such a transmission will take. A message from Chicago to Chicago may travel via Japan.
Although these two statutes are the most general federal statutes covering Internet-related crime, they are by no means the only ones. Another pertinent one, directed to increasing the degree of security attendant to electronic transmissions, is the Electronic Communications Privacy Act of 1986, which proscribes the intentional interception of wire, oral or electronic communications.
There are also a number of other federal criminal statutes, not directed specifically at computer crime, that may also prove useful in combating certain forms of it. These include:
• the Economic Espionage Act of 1996, which prohibits trade secret theft;
• the Anticounterfeiting Consumer Protection Act of 1996, which increased pre-existing penalties for pirating copyrighted or trademarked intellectual property; and
• the Criminal Copyright Infringement Statute, which proscribes willful infringement of copyright (whether or not the perpetrator profits from it). Also, the National Stolen Property Act of 1988 deals with the interstate transport of stolen property.
The various states have also concluded that computer-related abuse poses a major problem, and all or almost all of them have enacted criminal statutes specifically directed at it.
Maintaining the integrity of the Internet is a prerequisite to a vigorous commercial environment. Net-related abuses will likely not slow the growth of commercial Internet use very much, because most users perceive the benefits of using the Web as generally outweighing the risks of doing so. Nevertheless, the nascent Internet industry is attracting crimes with new modi operandi, and deterring some from making full use of the Internet.
Existing computer crime statutes in the United States function reasonably well in the traditional stand-alone computer environment. But because many of them do not deal expressly with network situations, we do not yet know whether these laws, which generally did not contemplate the Internet, will serve to prevent mischief on the Net.
If not, additional "cyber laws" expressly directed to the Net will be necessary. And in many nations outside the United States, the paucity of applicable law, or the ambiguity of existing law, poses a problem. For example, in the "love bug" case itself, one reason for the delay in making an arrest was the difficulty of finding a judge in the Philippines to issue a warrant, in the absence of an expressly applicable statute.
At least in the United States, one major impediment to victims of computer crime, lack of appreciation of its gravity, is ameliorating. The public has become aware of the destructive potential of this type of conduct, with a concomitant reduction in the level of public tolerance toward it. Most people in the United States today regard this conduct as destructive mischief that should not be permitted, rather than (as was once the case) relatively harmless childish antics designed to exhibit skill. That shift in public opinion suggests that if new laws are necessary, they will be enacted and enforced.
And along with this greater public recognition of the dangers arising from computer abuse, the law enforcement environment has become generally more conducive to investigating and prosecuting instances where computer crime statutes may have been violated. Prosecutors who previously have paid little heed to this complex and technical type of violation are today much more likely to pay attention when a complaint is made. Just a few years ago, even a victim with a strong case under a well-drafted computer crime statute would generally have difficulty interesting a prosecutor in taking up the cudgel.
In many jurisdictions, things have changed substantially. No longer the forgotten child of law enforcement, computer abuse has in some jurisdictions even become the darling of federal and state prosecutors. Indeed, in several locales (at both the federal and state levels) there are now computer crime "task forces," comprising technically skilled prosecutors and investigative police officers, who specialize in dealing with these abuses.
In planning how to survive (if not thrive) in this environment, you must, in a practical way, first appreciate two important characteristics of computer abuse. First, computer abuse is a very real problem, on the rise in the United States and worldwide. And aside from the not insignificant security problems associated with a stand-alone computer, any company that relies on a computer that is part of a network, especially one connected to the World Wide Web, opens itself up to a greater degree of compromise by virtue of that connection.
In the network environment, you must take appropriate security precautions. For example, passwords and user IDs must be required for access to the system, with a mandatory change of IDs periodically, and with immediate deletion from the system of passwords and IDs of departing employees. Aside from system access, you should encourage employees to use passwords and encryption for especially sensitive files.
Vigorous anti-virus software must be used frequently, and users must be warned against introducing programs or data that have not been scanned for viruses. Effective "firewalls" must be installed at the interface between your computer and the Internet to protect the computer against intruders to the extent feasible. For while computer-abuse laws in the United States are in effect and have some bite, nevertheless, the prudent company should not assume these laws will deter abuse but, rather, should protect itself through whatever reasonable means are at its disposal.
In addition, you must recognize the internal threat. Employees are responsible for the majority of computer abuse. Experience suggests that a small percentage of employees will have a predilection to become perpetrators of, or accomplices in, computer abuse. Accordingly, you must inform employees, preferably in a written policy statement or manual, that any form of computer abuse is against company policy, may be illegal, and may be the basis for dismissal.
It may be appropriate to make employees aware that the company will be monitoring certain computer-related activities, and to actually monitor them, so as to ascertain that employees are not engaging in activities that could subject the employees and the company to criminal and civil liability. Employees involved in the security of the computer system should be required to take a vacation for a minimum prescribed duration each year.
The problem goes beyond an employee's obvious ability to wreak substantial damage on the company's computer activities. Because employees may be largely judgment proof, a third party injured by an employee's abuse may seek damages against the employer, claiming that the employer has breached some duty of care, or that the employee acted on behalf of the employer.
In its concentration on security techniques directed to computers and the Internet, the company should not ignore the techniques that have enhanced security in the brick-and-mortar world. Implementing traditional security practices can dampen the proliferation of information necessary to perpetrate computer abuse, and can also have a salutary effect by helping to instill an atmosphere that is more hostile to computer fraud. Thus, for example, sensitive information should be distributed only to those with a need to know. Restrictive legends should be placed on documents (in both hard-copy and electronic embodiments) where appropriate.
Where feasible, facilities may be fenced in, guards may be posted at entrances, visitors may be required to sign in, and all employees and visitors may be required to wear badges (differentiated by color). Visitors should be required to have escorts, and should be prohibited from certain areas. Property passes can be required for all materials leaving the facility. And briefcase checks at time of exit (clearly and conspicuously announced prior to entrance) can be implemented.
Now that the Internet genie is out of the bottle, a strong and reasonably secure Net is a sine qua non for an optimally vigorous and trustworthy commercial environment. Accordingly, computer and Internet security have become important for both federal and state governments. Earlier this year, U.S. Attorney General Janet Reno undertook to see that the Net remains "a secure place to do business" so that it may continue "to bring the world together rather than split it apart." However, it will be difficult to achieve this goal if Web sites are vulnerable to an attack that may be launched from anywhere in the world.
Although computer abuse has caused significant damage to a large number of companies, it has thus far not seriously impeded the progress of commercial Internet use. For most enterprises, the benefits derived from doing business on the Web simply outweigh the risks. Moreover, advanced technology continues to make available better technical security techniques. But progress by the "good guys" often induces developments by the "bad guys," and Net users are falling victim to crimes directed at circumventing or mooting the new technology.
The promulgators of the present computer crime statutes were shooting at a moving target. It may turn out that many existing computer crime laws in the United States, enacted prior to commercialization of the Web, are inadequate to safeguard the Internet, and that laws specifically aimed at protecting against cyber crime are necessary. However, the jury is still out.
At any rate, private efforts at security, coupled with the enactment of new statutes if they prove necessary, will likely hold computer abuses to a level low enough so as not to interfere significantly with e-commerce. There is a reason for this: E-commerce is now regarded as so important that society will have to find a way to retard these abuses. And if new criminal statutes are deemed necessary, they will be enacted and enforced.
Bender is of counsel at White & Case, LLP, in New York City. His e-mail is: dbender@whitecase.com
Levin is a partner at Katten Muchin Zavis in Chicago. His e-mail is: lawrence.levin@kmz.com



