A decision from the U.S. District Court for the Northern District of California held that the costs associated with tracking down and discovering the identity of the person who stole proprietary information from a company do constitute "loss" for the purposes of calculating damages under the Computer Fraud and Abuse Act (CFAA).
The dispute in the case was between a company and its competitor. Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show. Plaintiff based its claim on the CFAA, which prohibits unauthorized access to a protected computer and allows any person who suffers damage or loss in excess of $5,000 due to another’s misuse to maintain a civil action.
Plaintiff relied on the CFAA and its $5,000 threshold, arguing that the costs of identifying the competitor company as the party that broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment in reliance on Tyco Int’l v. Does, which holds that the CFAA allows recovery for losses beyond mere physical damage to property, but that additional types of damages have generally been limited to assessing the damage caused to the system or resecuring the system following the attack.
The court distinguished the Tyco case on the facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who did access the computer system without authorization.
A recent pair of federal district court decisions are split on whether making copyrighted songs available for download violates copyright law under 17 U.S.C.A. Sec. 106 even when there is no proof that the copyrighted works were ever downloaded. An original article on this news is here: http://news.lp.findlaw.com/ap/high_tech/1700//04-04-2008/20080404145001_26.html. The two cases are: Elektra Entertainment Group, Inc. v. Barker and London-Sire Records, Inc. v. Doe.
These two cases are virtually identical in their factual scenarios. In each case a set of defendants had copyrighted songs on their hard drives that were made available to anyone on the internet via peer-to-peer software, a common scenario among mp3 owners. In the past decade, there have been an enormous number of complaints filed in courts by record companies against individuals who distribute their copyrighted works. In many of these cases the record companies are successful, either through out-of-court settlements or decisions on the merits of the case. However, what is interesting in these cases is that there was no proof available that the songs were ever downloaded. Therefore, the record companies were arguing that merely making the songs available through peer-to-peer software violates copyright law.
The crux of this issue in both cases came down to the statutory interpretation of the meaning of "distribution" within 17 U.S.C.A. Sec. 106(3). Sec. 106 states:
"The owner of copyright under this title has the exclusive rights to do and to authorize any of the following: (sec 3) to distribute copies or phonorecords of the work to the public by sale or other transfer of ownership, or by rental, lease, or lending;"
In both cases, the record companies were arguing that publication and distribution were synonymous. There is a lengthy discussion that I will avoid on how each judge arrived at different decisions based on Supreme Court cases interpreting the terms "publication" and "distribution". However, the bottom line is that the Elektra case said publication = distribution and the other did not, resulting in practically diametrically opposed decisions. The Elektra case held that making a song available for download was distribution for purposes of Sec. 106(3), and the London-Sire case said merely making a song available wasn’t enough.
This split is important because it essentially comes down to the question of how much proof the record companies need to gather before they have a prima facie case of copyright violation. It is also important for the millions of people out there on peer-to-peer networks sharing songs. As both cases acknowledged, many people out there have validly obtained copyrighted songs through purchase and unknowingly offer them on the internet through peer-to-peer software. Is it really fair to go after these people if you can’t truly show an active participation in the distribution? Furthermore, is it fair to go after someone even if there’s no proof that they know they are offering the copyrighted song and there is absolutely no proof that the song was ever downloaded by a third party? Either way, it is an interesting battle of statutory interpretation among the federal courts that could have important implications in the ever-present wrangling over mp3s and copyright violations.
Data breaches happen every day and, unfortunately, we are getting so used to hearing news about the most recent breach that it no longer creates an interesting report. Most businesses of any significance will, sooner or later, become a victim of some sort of breach. So the question becomes not whether you will suffer a data breach, but how you are going to respond to one when it happens.
The Wall Street Journal Business Technology Blog (WSJ) writes about the University of Miami’s (UM) response to its recent breach, in which thieves stole backup tapes containing two million medical records belonging to the University out of the back of a van last month. WSJ notes that although the breach is nothing to be proud of, the response by the University of Miami is pretty impressive.
What made UM’s response so good? The university provided a detailed, but clear, account of exactly what happened and why the breach poses low risk. UM hired outside consultants to conduct testing and to determine the likelihood of successful access to the data. After the consultants reported that such likelihood was low, UM released the notification with a clear, common-sense explanation.
Hopefully this practice becomes the model for responding to security breaches.
We have written in the past about the freedom of border agents to search laptops at the border crossing points.
A new opinion (PDF) in United States v. Arnold by the Ninth Circuit Court of Appeals dated April 21, 2008, confirms this trend by holding that customs officers may examine electronic contents of a passenger’s laptop without reasonable suspicion.
The Facts. Arnold, a 43-year-old, arrived at Los Angeles International Airport from the Philippines. At Customs, he was asked for secondary inspection, where the officer asked him to turn on his laptop to determine whether it was functioning. Once the computer booted up, the desktop showed folders named "Kodak Pictures" and "Kodak Memories." The agents opened the folders and noticed pictures of nude women. The agents then questioned Arnold about his computer and his trip and, upon review of the images, determined that there were several images which the agents believed were child pornography.
The Opinion. After a district court granted Arnold’s motion to suppress evidence, the Ninth Circuit reversed. The Ninth Circuit based its opinion on Supreme Court precedent which held that the right of the United States to protect its border is paramount; however, such authority is not unlimited. The two major exceptions for border searches without reasonable suspicion are searches which cause "exceptional damage to property" and searches conducted in a "particularly offensive manner." The Ninth Circuit held that the record did not support a finding on either of the two exceptions and therefore the search was proper.