In a recent ruling, a California district court held that Apple, as operator of the App Store, was protected from liability for losses resulting from that type of fraudulent activity. (Diep v. Apple Inc., No. 21-10063 (N.D. Cal. Sept. 2, 2022)). This case is important in that, in
Data Security
DOJ Revises Policy for CFAA Prosecution to Reflect Developments in Web Scraping and Other Matters
On May 19, 2022, the Department of Justice (DOJ) announced that it had revised its policy regarding prosecution under the federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA). Since the DOJ last made changes to its CFAA policy in 2014, there have been a number of relevant developments in technology and business practices, most notably related to web scraping. Among other things, the revised policy reflects aspects of the evolving views of this sometimes-controversial statute and the outcome of two major CFAA court decisions in the last year (the Ninth Circuit hiQ decision and the Supreme Court’s Van Buren decision), both of which adopted a narrow interpretation of the CFAA in situations beyond a traditional outside computer hacker scenario.
While the DOJ’s revised CFAA policy is only binding on federal CFAA criminal prosecution decisions (and could be amended by subsequent Administrations) and does not directly affect state prosecutions (including under the many state versions of the CFAA) or civil litigation in the area, it is likely to be relevant and influential in those situations as well, and in particular, with respect to web scraping. It seems that even the DOJ has conceded that the big hiQ and Van Buren court decisions have mostly (but not entirely) eliminated the threat of criminal prosecution under the CFAA when it comes to the scraping of “public” data. Still, as described below, the DOJ’s revisions to its policy, as written, are not entirely consistent with the hiQ decision.
English High Court Clarifies Appropriate Causes of Action in Data Claim Where Defendant Was a Victim of Third-Party Cyber-Attack
In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating…
Supreme Court Ends Long-Running Circuit Split over CFAA “Exceeds Authorized Access” Issue, Adopting a Narrow Interpretation That Will Reverberate in Scraping Disputes and Litigation over Departing Employees
In a closely-watched appeal, the Supreme Court, in a 6-3 decision, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA), ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her. (Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021)). The majority equated “exceed[ing] authorized access” with the act of “entering a part of a system to which a computer user lacks access privileges,” rejecting the Government’s contention that a person who is authorized to access information from a protected computer for certain purposes violates CFAA Section 1030(a)(2) by accessing the computer with an improper purpose or motive. Put simply, the Court’s view suggests a “gates-up-or-down” approach, under which the CFAA prohibits accessing data one is not authorized to access at all, regardless of the purpose of the access.
Although the case involved a criminal conviction under the CFAA, Van Buren gave the Supreme Court the opportunity to resolve a long-standing circuit split and heavily-litigated issue that arose in both criminal and civil cases under the CFAA’s “unauthorized access” provision. This provision of the CFAA is routinely pled in cases against former employees who have accessed proprietary data in their final days of employment for an improper purpose (e.g., for use in their new job or competing venture). It is also a common claim in disputes involving unwanted web scraping. On the latter point, the Court’s narrow interpretation of the “exceeds authorized access” provision would appear to be right in line with the narrow interpretations of the CFAA enunciated by the Ninth Circuit in its blockbuster hiQ opinion, which held that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA, and in its Power Ventures precedent, which held that, in the context of unwanted data scraping, a violation of the terms of use of a website, without more, cannot be the basis for civil liability under the CFAA.
Trove of Online LinkedIn User Data Fuels LinkedIn’s Anti-Scraping Position
Last week, the Italian data protection authority (the “GPDP”) opened an investigation after reports that a dataset allegedly containing data compiled from 500 million LinkedIn profiles and other websites was available for sale on a hacker forum. Apparently, this data represents more than two-thirds of LinkedIn’s estimated 740 million users. The hacker reportedly posted approximately two million records visibly online as evidence of the dataset, and offered to sell the rest for an undisclosed bitcoin payment.
According to a statement by LinkedIn, the company investigated the posting and determined that it is “an aggregation of data from a number of websites and companies,” including publicly viewable LinkedIn member profile data that apparently was scraped from LinkedIn’s site. LinkedIn stated that it was not a data breach because no private member profile data was included in the dataset it was able to review. LinkedIn stated that such scraping of data violated its terms.
The posting of this scraped data immediately reminds us of the ongoing scraping dispute between LinkedIn and data analytics start-up hiQ, Inc. (“hiQ”). The principal issue in the case concerns the scope of Computer Fraud and Abuse Act (CFAA) liability associated with web scraping of publicly available social media profile data. In a prior ruling, the Ninth Circuit affirmed the lower court’s order granting a preliminary injunction barring LinkedIn from blocking hiQ from accessing and scraping publicly available LinkedIn member profiles.
Noteworthy Trends in Privacy and Data Security
Our Practical Law article, “Trends in Privacy and Data Security: 2020,” has recently been published. The article provides an overview of the past year’s privacy and data security legal developments and predictions to look out for in 2021.
How to Respond to the SolarWinds “Orion” Supply Chain Attack
As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely-used by both public and private sector companies.
The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an attractive target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.
The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion. However, the number of organizations impacted may be even higher. Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers. And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.
It is important to note, however, that even though a business may have the malicious code integrated into its network, it may not yet have suffered an actual breach or intrusion. “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to use their access to invade every impacted network in all potentially impacted cases.
While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation. While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note that merely because an affected organization may have closed the initial vulnerability, it should not declare itself contained too quickly, as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.
There are two sobering consequences from this recognition. First, if an organization determines that it installed the corrupted version of Orion, its investigation may need to be very broad in nature. Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection. Accordingly, it may be necessary to revisit prior incidents thought long resolved.
Supreme Court Hears Oral Argument in Its First CFAA Case
On November 30, 2020, the Supreme Court held oral argument in its first case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer and thereby obtaining information and causing a “loss” under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA by accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”
The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason. He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.” In rebuttal, the Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that the statutory language is designed to cover.
Protecting Business Information Assets in the “Work From Home” Environment
This past March, many organizations were forced to suddenly pivot to a “work from home” environment (“WFH”) as COVID-19 spread across our country. However, many companies did not have the necessary technical infrastructure in place to support their full workforce on a WFH basis. Often, remote access systems were configured assuming only a portion of a company’s employees – not 100% of a company’s employees – would be remotely accessing the corporate networks simultaneously. In addition, many employees have limited home Wi-Fi capacity that is insufficient to sustain extended, robust connections with the office systems. Networks can then become overloaded and connections dropped, and employees can experience extended latency, frozen transmissions and the like.
As a result, many employees are using a work-around — often with their employer’s knowledge and approval. They connect their personal devices to their employer’s network to download what they need from the network, but disconnect to perform the bulk of their work offline. On a periodic basis and upon the completion of the task at hand, those employees then typically upload or distribute the work product to the organization’s network.
Protecting against Cybersecurity Threats when Working from Home
With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely. This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.
Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies. Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.
Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company. Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals. The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures.