Crossroads Blog | Institute National Security and Counterterrorism

CFAA

Cyber Round Up: Justice Say Hacking Conviction Survives Bad Jury Instructions, 2016 Marks 30th Anniversary of CFAA — Time for a Change, Casino Sues Cybersecurity Firm for ‘Woefully Inadequate’ Investigation

  • Justice Say Hacking Conviction Survives Bad Jury Instructions (Law360): Today, the U.S. Supreme Court held that bad jury instructions which seemingly required jurors to find that the defendant not only made an unauthorized access of data but that this access also exceeded the defendant’s authorization was deemed a clerical error and did not require jurors to convict based on satisfying both of these prongs, according to an article by Joe Van Acker which appeared in Law360.

This case, The United States v. Musacchio originated in Texas and was originally appealed in the Fifth Circuit, according to the article.  According to Van Acker’s article, Musacchio was the CEO of Exel and he left in 2004 to start a shipping company.  However, upon doing so, Musacchio apparently accessed confidential Exel information after he departed and while that was pursued via civil claims (and settled for $10M), the Fed’s indicted Musacchio in 2010, according to the article; the full text of which appears here.

  • 2016 Marks 30th Anniversary of CFAA — Time for A Change (Law360): Peter J. Toren’s article highlights some of the key issues with the CFAA, specifically that there is a split between the narrow or broad interpretation of exactly what “without authorization” actually means.  According to the article, the Second, Fourth and Ninth Circuits have adopted a narrow interpetation that basically posits that “exceeding authorized access” applies to insiders who access data that they are not entitled to obtain and the motive behind the access is irrelevant; whereas “without authorized access” applies only to outside hackers.  However, the article points out that the First, Fifth, Seventh, and Eleventh Circuits take a broader approach and view that exceeding authorized access occurs when a person who is authorized to access data does so with a purpose or intent that is outside or beyond the scope of their duties.  The issue that then arises is that if a person is authorized to access a computer and then the stated policy is that persons are not allowed to use social media while at work and on corporate devices, were they to do so they could be prosecuted under the CFAA’s exceeding authorized access prong, according to the article.  This raises a number of issues since the article points out that Congress seems loathe to revisit the CFAA and the Supreme Court has not spoken thus the split amongst the circuits raises a rule of lenity issue.  The full text of the article can be found here.
  • Casino Sues Cybersecurity Firm for ‘Woefully Inadequate’ Investigation (LegalTech): This article may be a wake up call for the cybersecurity start ups looking to cash in on the latest craze — cybersecurity.  The article states that Affinity Gaming suffered a data breach in 2013 and hired a Chicago based firm — Trustwave which performed an investigation and advised Affinity that the breach was contained. Much to Affinity’s chagrin however it was determined that while Trustwave was auditing their security they were experiencing an ongoing cyberbreach which continued before, during, and after the assessment, according to the article.  Trustwave consequently retained Mandiant, the breach was uncovered and thereafter Affinity initiated a lawsuit against Trustwave alleging that they were ‘grossly negligent’ during their investigation, according to the article.  The full text of the article is here.

Leave a Reply

Bitnami