November 13th, 2006 by dm (Hacking)

In the Seventh Circuit, damages attributed to lost productivity can be counted toward the $5,000 damage threshold that permits prosecution under the Computer Fraud and Abuse Act.

The Facts

The defendant appealed his sentence following a guilty plea to accessing a computer without authorization and recklessly causing damage of at least $5,000, contrary to 18 U.S.C. §1030(a)(5)(A)(ii). The record indicated that the defendant, who had recently been terminated from his job as a computer technician, gained unauthorized access on several occasions to the victim's wireless Internet access account, conduct that had the effect of preventing the victim, a small business, from accessing the Internet at the same time. The trial court determined that the victim had suffered $6,014 in losses for "lost productivity" due to conduct by the defendant that "adversely affected" its productivity.

The Court’s Holding

In an opinion by Judge Bauer, the Seventh Circuit held that a trial court's consideration of lost productivity is proper; however, expenses incurred by the victim in assisting the government should be excluded from this calculation. The court stressed that costs incurred by victims primarily to aid the government in the criminal investigation and prosecution of an offense should be excluded. United States v. Schuster, 7th Cir., No. 05-4244, 10/27/06.

Commentary

Note that the trial court found $6,041 in losses. This is not much beyond the $5,000 statutory requirement, and, based on the court's holding, most of it probably comes from lost productivity. It is not hard to reach the statutory minimum of damages once lost productivity is included. Imagine you send spam to a CEO's computer. The CEO loses 2 hours contacting the IT helpdesk, having the spam cleaned and getting the computer restored. All of this counts as lost productivity, and at the high billing rate of a senior executive the $5,000 damages threshold can be reached very quickly.

My point, after all of this, is that the statutory requirement of $5,000 is too low. Alternatively, prosecutors should exercise more discretion and prosecute the cases that really strike at what the Computer Fraud and Abuse Act was aimed at: hacking and unauthorized access to computers, as opposed to acts that merely affect computers and cause some incidental damage.

November 13th, 2006 by dm (Forensics, Identity Theft)

Not from the Bible of Information Security, but very useful nonetheless. Comments in italics added by yours truly.

  1. Patch early and often
    (or are you running fossil OS?)
  2. Enforce (sane) password policies
    (or have your employees tattoo their 64-character password on their forearms)
  3. Mind your VPN
    (or your home PC’s critters will teleVPN themselves onto your corporate network)
  4. Watch your wireless
    (when you go wireless, go VPN. See also point #3.)
  5. Never make promises you can’t keep
    (this doesn’t apply only to information security, does it?)
  6. Hack yourself
    (but even if you do, patch yourself quickly afterwards)
  7. Sequester sensitive data
    (and employees who have access to it)
  8. Encrypt it
    (if in doubt whether you should encrypt it - do, or do not store it at all)
  9. Collect only what you need (and delete what you don’t)
    (but when you delete, delete securely)
  10. Phear the phishers
    (if your own emails and other communications do not look legitimate, your customers and employees have no way of telling when they receive an illegitimate one)

Original ideas by Business 2.0.