A recent Ohio State appellate case www.supremecourt.ohio.gov/rod/docs/pdf/5/2009/2009-ohio-2018.pdf demonstrates that computer, e-mail and Internet use policies that restrict the use of company computer systems can lead not only to termination of employees but to their prosecution and incarceration as well.
Richard Wolf was a naughty boy. From his office job at the Shelby City (Ohio) Wastewater Treatment plant, he was browsing adult websites, including one called “Adult Friend Finder,” to meet women. When some of the women asked Wolf for nude pictures, being a big, bad Wolf, he bought a digital camera, took pictures, and e-mailed them using his work computer. In a communication with a dominatrix who advertised online, the dominatrix, named “Mistress Patrice,” proposed a “no-sex” session for $150, to which Wolf replied that, while he would love to be with her, he could not because he had “a lot of financial issues on my plate” but that he might contact the woman at some time in the future. He also indicated that he had “never been involved in any monetary transactions or arrangements ... so this is all new to me.” Apparently Wolf spent a lot of time browsing these websites – about 100 hours over the course of several years, for which he was paid by the city about $23.92 an hour (with benefits). When caught, Wolf admitted that what he did was in violation of established work practices and “unethical and wrong.” He fully expected to be fired for his activities.
What Wolf did not expect was to be indicted. Wolf was charged with “theft” of his employer’s money (for the time he was supposed to be working but was surfing the web), with unauthorized use of property, and with soliciting sex for money. The court concluded that the conversations between Wolf and the dominatrix were enough to establish at least a “solicitation” of sex, if not an agreement to have sex for money.
More troubling for companies drafting computer use and computer security policies is the fact that Wolf was charged with computer hacking – yes, hacking. The Ohio law on computer crime, Ohio Revised Code 2913.04(b) (http://codes.ohio.gov/orc/2913.04), like similar laws in many jurisdictions, provides in relevant part that “No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to . . . any computer, computer system, computer network, . . . beyond the scope of the express or implied consent of, the owner…” Many jurisdictions prohibit not only computer “hacking” – that is, unauthorized access to a computer – but also “exceeding the scope” of authorization to access or use a computer. This distinction derives from a case in the early 1980s in which an IRS employee from Boston was unsuccessfully charged with breaking into the IRS computers when he used his lawful access to the computer to read files of taxpayers he was not authorized to read. The Boston federal court drew a distinction between a computer “break-in” – unauthorized access – and someone who, having been granted lawful access, abuses it. Even if one is granted lawful access to a part of a computer network, access to other parts of the network can be unauthorized. But if you are granted access to people’s information for one purpose and access it for another purpose, you are not guilty of computer hacking, although you may be guilty of other offenses.
In light of the Boston case, both Congress and state legislatures amended or drafted computer crime legislation that punished not only access that is wholly unauthorized, but also that which merely is beyond the scope of either actual authorization or implied authorization. Seems reasonable. However, this minor change has significant consequences.
Computer Use Policies
Many companies and government agencies have policies on computer use, Internet use, or e-mail use. Some extend these policies to things like social networking sites, Twitter, texting, instant messaging or other services. Some policies are extremely restrictive – no personal use of these services on office equipment. Some may be even more restrictive than that – no use of these services on office time, even if you use your own smart phone or internet connection. Other policies are less restrictive, permitting “occasional” personal use of some of these services, providing that they are not used too frequently, don’t interfere with business, and aren’t “inappropriate.” This prohibition can run the gamut from obviously prohibiting the distribution of child pornography or other pornography to more subtle prohibitions like forwarding off-color jokes or chain e-mails. Typically, these policies also prohibit the use of corporate or government computers for illegal activities, and note that violation of the policy can lead to sanctions including termination or even criminal prosecution.
What the Ohio Court of Appeals for Richland County, Ohio did on April 27, 2009 was to establish the precedent that using a corporate computer in furtherance of a violation of an unwritten policy constitutes a computer crime. The Court noted that Wolf used his computer in a way that was “beyond the scope of the express or implied consent” of the owner of the computer, and therefore a crime. It is worth noting that the Wastewater treatment plant had no computer use policy. The court simply found that it was apparently obvious that accessing pornographic websites, soliciting sex, or uploading nude pictures was not “authorized” and therefore was a computer crime. Wolf was sentenced to serve 15 months in jail, pay a $5,500 fine and pay restitution in the amount of $2,392 – the amount of his salary for the time spent surfing.
The Court has thereby expanded the scope of the computer crime statute. If anybody does anything on a computer that a court later concludes would not have been authorized by the owner of the computer, or violates the terms of any policy, then they run the risk of going to jail. Visit a porn site at work (something that is perfectly legal, but can get you fired or sued for harassment) and it becomes a criminal offense. Forward that unseemly joke or chain letter in violation of policy, and you become a criminal. The test is no longer whether you “broke into” a computer, or “stole” information – any use of a computer in excess of what you have been told you are allowed to do becomes a crime.
Companies need to consider this fact when they establish and disseminate computer use policies. Overly restrictive policies run the genuine risk of subjecting employees to criminal prosecution for activities which we know they engage in every day – like checking sports scores, emailing family members, or other similar “unauthorized” activities. Of course, nobody would ever be prosecuted for such actions, right? But if ANY use of a computer (or telephone) is beyond the scope of express or implied authorization, the Wolf precedent makes it punishable.
Therefore, it is important for companies to review their computer and Internet use policies. Make sure that they reflect the genuine risks of improper or inappropriate behavior without creating so restrictive a policy as to subject the CEO to incarceration. That would be a bad thing.
Security Assessments and Investigations
"The Role of Lawyers and IT Professionals"
Let’s say you are worried about whether or not you’re in compliance with some law or regulation concerning privacy or security. You have some reason to believe that you may not be in full compliance with, say, the provisions of GLBA, or your contractual obligations under the PCI rules. You might be concerned about the status of your HIPAA compliance. Or you are considering rolling out a new product or service, and are worried that it might conflict with your obligations under the law. In these situations, it is typical for a company to conduct an assessment or evaluation, either internally or externally. A company might hire an IT professional, an auditor, or some other third party to conduct the assessment and generate a report on compliance, together with a series of recommendations if it finds areas where compliance may be weak. Sounds like a good idea, and something that happens every day, right? In the words of Julia Roberts in “Pretty Woman,” “big mistake... big.” But why?
The problem lies not in the assessment itself, or even in the contents of the report. The problem is WHO is conducting the assessment and why. If the assessment is conducted for the CISO so he can understand the technological issues related to compliance, then, in the event of a later breach or lawsuit claiming negligence, the report not only becomes discoverable, but also becomes Plaintiff’s Exhibit #1. If the report recommends that 20 things be done, and only 10 of them are actually implemented, then a jury could be persuaded that not doing the other 10 was negligent. Indeed, the perfectly reasonable assessment becomes a roadmap for litigation. On the other hand, if you DON’T conduct an appropriate assessment, you run the risk of also having liability for taking the “ostrich” approach to security. So what can you do?
Increasingly, companies seeking to become secure in order both to be compliant with regulations and to limit their risk and liability are turning to lawyers trained in IT security and privacy. These lawyers can not only advise the client about the requirements of the law, but can DIRECT and SUPERVISE the conduct of the evaluation. In this way, the results of the evaluation may be protected from discovery and disclosure as attorney-client privileged communications or attorney work product.
If a client – even a corporate client – is seeking legal advice or representation – such as “how do I comply with this law?” – then the communications made to counsel or the agents of counsel to effectively obtain an opinion are generally protected from disclosure, as is the lawyer’s response. It is important to distinguish between general business advice (how do I get secure) and LEGAL advice (what is my potential liability), with the law only protecting the latter. The law goes beyond protecting just the communications between counsel and his or her client. It also protects the work that the attorney does – or has done on his or her behalf – in order to answer the question of the client. Thus, if IT security professionals work under the direction of and on behalf of counsel in conducting the assessment, the purpose of which is to provide effective legal advice, the work of the assessors is likely to be considered privileged or protected, at least at the outset. Courts would then have to consider whether the goal was truly legal advice, and whether there had ever been an effective “waiver” of the privilege. However, having competent counsel involved in the process can help get unbiased and open communication about potential risks and liabilities.
The same is true when a client suffers a data breach. Using counsel to conduct the investigation can help encourage more open communication by presumptively cloaking the entire investigation in attorney-client privilege. While data breach disclosure laws likely will require disclosure of the FACT of a breach (if certain types of information are involved), issues like the source and impact of the breach can be evaluated and potentially protected from disclosure. If disclosure is ultimately made, this can be done on a reasoned and informed basis.
At SecureITExperts we have incorporated counsel into the process. Our lawyers have over 25 years’ experience in IT security, privacy and compliance law, and are trained and experienced investigators. Let us work for you.
"HIPAA AND YOUR BUSINESS ASSOCIATES"
As part of the federal stimulus bill passed February 17, 2009, new information security and privacy laws were enacted that significantly expand the scope of HIPAA. The new Health Information Technology for Economic and Clinical Health Act (HITECH) has two main effects. FIRST, it requires HIPAA compliance not only for doctors, hospitals, medical insurers, health care providers and other “covered entities” but also for the “business associates” of these “covered entities.” SECOND, it creates a new duty for both covered entities and their business associates to promptly and effectively notify patients or other individuals about whom they may have collected Protected Health Information (PHI) in the event of a data “breach.” As a consequence, the HIPAA requirements of certification, training and awareness now apply not only to the healthcare provider, but also to their business associates. Moreover, ignorance of the law is no excuse. You may suffer new Civil and Monetary Penalties for not training your employees.
Who Is NEWLY Covered By HIPAA?
HIPAA required “covered entities” to have administrative, physical, and technical safeguards, and policies, procedures, and documentation demonstrating compliance with the security and privacy requirements under the law. The new law extends these requirements to virtually any entity that may receive PHI. If you perform “any function or activity” involving Protected Health Information, you are likely a “business associate.” The definition of “function or activity” is all-encompassing: legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services and anything else for which a covered entity might contract out are included, if access to PHI is involved.
Under previous law, business associates were required (under their business associate agreements with covered entities) to have security and privacy policies that “reasonably and appropriately” protect protected health information (“PHI”). Now, all of HIPAA’s security administrative safeguards, physical safeguards, technical safeguards, and security policies, procedures, and documentation requirements will apply directly to all business associates. This means that the Department of Health and Human Services (“HHS”) (and now all state attorneys general) and the Federal Trade Commission (“FTC”) may impose fines against those business associates who do not comply with these HIPAA standards.
Training and awareness programs are key components of the HIPAA security policies.
Under the new law, a business associate may use and disclose protected health information only if such use or disclosure is in compliance with all of its business associate agreement requirements. If a business associate uses or discloses protected health information in violation of its business associate agreement, it is not only liable to the covered entity, but also to HHS for the same incident. Thus, breaching the agreement is not just a breach of contract, it is a direct HIPAA violation.
In addition, business associates will now also have to take action if they know of a pattern of activity or practice of the business associate that constitutes a material breach or violation of a business associate agreement. In essence, they must look internally to see if they are violating the terms of the contract, and not wait to be sued. If the business associate fails to take reasonable steps to cure a breach, terminate the agreement, or report the problem to HHS, then the business associate may be liable under HIPAA penalties, including the new Civil and Monetary Penalties.
New Penalties
The new law establishes civil and criminal penalties for failure to comply of up to $50,000 per violation. It also allows individuals harmed by privacy and security violations to receive a percentage of the fine for the first time. It also allows for enforcement by state attorneys general. Finally, the law allows enhanced penalties if there has been “willful neglect” of an entity’s obligations. The law also allows HHS to audit compliance not only of covered entities but also of their business partners.
Data Breach Notification
The law creates new obligations to notify not only the business customer and the patient, but also the government when PHI “has been, or is reasonably believed…to have been, accessed, acquired, or disclosed as a result of such breach.” Notification must be made without “unreasonable delay” and in no event more than 60 days after discovery of the breach. If the breach affects more than 500 individuals, the notification can be through media outlets and the Internet.