State Bar of Wisconsin

Vol. 77, No. 10, October 2004

Intellectual Property Crimes in the Cyber World

by David W. Simon & Richard L. Jones

Cyber crime is on the rise. The Internet has expanded the reach of commerce and, consequently, of crime. Just as commerce now knows no boundaries, computer crime is now a global threat. If your clients think they are immune from these risks because of their locale or type of business, you ought to remind them of the threats and risks in operating computer systems in today's environment.

The business consequences of computer crime can be severe. Consider American Eagle Outfitters (a large clothing retailer). Recently, a former employee of American Eagle Outfitters was sentenced to prison for password trafficking and computer damage.¹ After his employment was terminated with American Eagle, the disgruntled former employee sought revenge. At a Yahoo hacker posting board, the former employee posted and maintained the username and password combinations of authorized American Eagle Outfitters users, together with detailed instructions on how to hack into American Eagle Outfitters' network using those passwords. The former employee then hacked into the American Eagle Outfitters computer network. These intrusions were attempts to deny computer services to American Eagle Outfitters during the beginning of the critical Christmas shopping season. The plot ultimately was foiled, but had it succeeded, it could have threatened the company's financial well-being.

Electronic or computer-based crime also presents a new challenge to lawyers, regardless of their practice area. Whether or not you focus on computer crime, it could affect your clients. Those who think that protection against cyber crime is more of a technical than a legal issue are missing the boat: clients will be ill-served unless equal parts of technical and legal expertise are brought to bear, both in preventive measures and in responsive actions. This article deals with computer crime from both a legal and a technical perspective. It provides a basic primer on an integrated approach to preventing and, when necessary, responding to computer crimes.

Preventing Computer Crime

Lawyers can help clients avoid intellectual property (IP) crime committed via computer by identifying risks and suggesting policies to address those risks. In the cyber world a threat is any activity that, if perpetrated, could negatively affect the company through unauthorized access to, or the actual theft or alteration of, information or information systems. The threats one hears the most about are from hackers, viruses, and worms. The threats one does not hear as much about are from the "new" white collar criminals. Potential attackers include disgruntled current and former employees (including information technology [IT] and other workers), unhappy customers, or replaced vendors.

What is most dangerous about these threats is that many clients do not want to believe that they exist. Managers believe that their respective companies are secure or that their employees are good people who would never do such a thing. Recent history proves such thinking is wrong.

A company also may be victimized in less obviously nefarious ways. A former employee who takes client or product information to a new company may not understand that he or she is committing a crime or even have a sense of what effect his or her actions will have on the company. In other cases, employees may think that confidential and proprietary information they helped to develop is their personal property or is an entitlement for years of service.

Your clients should begin their prevention efforts by assembling a new team, consisting of representatives from legal, risk management, executive management (representing the board of directors), IT, security, and human resources departments. This prevention team first should identify what the corporation has at risk. Remember that new sources of threats also will create new areas of risk, so the team should not rely on history alone to identify dangers. The prevention team also should attempt to quantify potential loss. With a loss matrix in place, the team then needs to estimate the costs of future litigation to defend claims resulting from customer losses. For example, customer losses may result from such cyber incidents as identity theft or financial fraud, perpetrated allegedly because the client supposedly "allowed" personal data to be stolen either during electronic transmission or directly from the systems in which it stored the data.

When the risk assessment is complete, the prevention team should ensure that the company's information security plan addresses those risks. This is primarily a technical issue, but lawyers should make sure the task is accomplished. IT directors historically have been charged with operating an efficient and stable system. Information security, however, is quickly climbing up the priority list as losses occur and privacy and electronic security laws are being enacted. Adequate information security requires a combination of technical and physical measures in order to develop a full-spectrum approach to protecting systems, applications, and proprietary corporate information.

Finally, the prevention team should develop a crisis management plan for responding to computer crimes. A basic response plan should be in place, so that company employees will know what to do and who to call if someone discovers a computer crime. The basic elements of a response plan are discussed below, but at a minimum, it is critical that technical and legal point persons are identified, and that employees are educated (ideally through the company's compliance program) on appropriate response steps.

An Integrated Response to Computer Crime

Simon

Jones

David W. Simon, U.C.-Berkeley, Boalt Hall School of Law 1994, is a partner in Foley & Lardner's Milwaukee office and a member of the firm's Litigation Department (White Collar Defense & Corporate Compliance and Antitrust Practice Groups). He advises corporate clients on compliance with and enforcement of criminal intellectual property laws, with special emphasis on the Economic Espionage Act, and serves on the CIRI TeamTM (Computer Incident Response and Investigation Team). He may be reached at dsimon@foley.com.

Richard L. Jones is the chair and CEO of M2000/IS, an information security firm emphasizing response and investigation of computer crimes and cyber terrorism. He is the founder of the CIRI Team, an integrated team of information security technologists, former federal law enforcement agents, and attorneys skilled in privacy and technology laws. He serves on the board of directors of the FBI-supported InfraGard Program and is a member of the Los Angeles U.S. Secret Service Electronic Crimes Task Force. He can be reached at RLJ@M2000Inc.com.

If preventive measures do not work (and there are no foolproof preventive measures), lawyers must play an important role in responding to computer crimes after they occur. A victimized company must respond promptly and effectively to mitigate any losses and to increase the chances of detecting and stopping the wrongdoer.

First Response. When a computer crime occurs, the immediate response steps are primarily technical. They are critical not only to minimize the damage, but also to preserve evidence that ultimately may be needed to make a case against the perpetrator. Involve an information security expert right away to ensure that the immediate response is appropriate. Some basic first response guidelines include:

• Disconnect the affected computer from the Internet and the company network.
• If the loss appears substantial, do not turn off the computer. This could result in important cyber evidence being lost. Guard the computer until computer forensic investigative professionals are contacted and can provide specific instructions as to how to proceed.
• If the computer's physical environment cannot be secured, pull the power plug and lock the computer in a secure room or closet. Do not power down or shut off the computer via normal shutdown procedures. Normal shutdown procedures may delete trails (evidence) left by the perpetrator.
• Finally, identify and stop the perpetrator. This is primarily a technical problem and thus will be the responsibility primarily of technical experts.

Building a Case. Once the initial, mainly technical, damage control measures are accomplished, a lawyer becomes vital to assist the client in building a case - civil or criminal - against the perpetrator. The goal of the company's response ought to be to develop a "prosecution package": a ready-made case that includes all the evidence necessary to file charges against the perpetrator. This is important because even though more intellectual property charges have been brought in recent years, law enforcement resources are stretched thin and this still is uncharted territory for many prosecutors and law enforcement officials. It is often difficult to persuade prosecutors to pursue intellectual property cases without providing assistance of this nature. Even if prosecution is declined, the prosecution package provides a civil case against the wrongdoer. It is critical for the lawyer to work hand-in-hand with a technical expert to create a viable case.

The first step in putting together a prosecution package is to gather evidence in an admissible form. Cyber evidence is especially vulnerable to tainting, so it is important to proceed with care. The victimized company should immediately conduct a computer forensic investigation to preserve evidence relating to the incident to assure its admissibility in court. Lawyers and technical experts should be involved in this process, because preserving electronic evidence is challenging. Involving lawyers and technical personnel also allows the investigation to proceed under the protections of the attorney-client privilege. It is nearly always preferable for a forensic computer consultant (as opposed to in-house IT personnel) to conduct the investigation. Evidence in these kinds of cases is often irreparably tainted as a result of the otherwise sound efforts of in-house IT personnel, who are unfamiliar with the rigorous legal standards for handling and admitting evidence.

Legal Toolbox. As you assist your clients in building a case, it is helpful to be aware of the various criminal laws that can be used to prosecute computer criminals. Understanding the law allows you to target your evidence-gathering efforts to the elements of the claims that may be asserted. Dozens of federal and state laws authorize criminal prosecutions for IP theft or misappropriation. The most important criminal laws, their elements, and recent examples of prosecutions brought under each law are discussed below.

• Computer Fraud and Abuse Act.² This federal law criminalizes certain forms of computer hacking. It prohibits the intentional accessing of a computer without authorization or by exceeding authorized access to a computer either 1) to obtain certain specified information, including certain financial records, government records, and information from any protected computer, if the conduct involves an interstate or foreign communication;³ or 2) to commit a fraud and thereby obtain anything of value.⁴ "Information" is defined broadly to include information stored in an intangible form, and "obtaining information" can include merely reading it.

  Recent prosecutions under this law include United States v. Jeansonne,⁵ in which the defendant was charged with transmitting to WebTV users a computer virus that reprogrammed their computers to dial 911 instead of the local access number; United States v. Williams,⁶ in which the defendant was charged with unlawfully accessing his company's computer system to obtain credit information on approximately 60 persons; United States v. Heckenkamp,⁷ in which the defendant pleaded guilty to gaining unauthorized access to the computer systems of high-technology companies, including eBay and Qualcomm, defacing certain Web pages, and installing "Trojan" programs that captured user names and passwords of authorized users; and United States v. Lamo,⁸ in which the defendant pleaded guilty to hacking into the New York Times' computer system and accessing a database containing personal information for more than 3,000 contributors to the paper's Op-Ed page.
  

• The Digital Millennium Copyright Act.⁹ The Digital Millennium Copyright Act's (DMCA's) anti-circumvention provisions make it a crime to: 1) circumvent technological measures that effectively control access to protected copyrighted works; 2) do so willfully; and 3) do so for the purpose of commercial advantage or private financial gain.¹⁰ Congress described the crime the anti-circumvention provision is designed to combat as "the electronic equivalent of breaking into a locked room in order to obtain a copy of a book."¹¹

  "Circumvention" is defined as to "descramble a scrambled work, ... decrypt an encrypted work, or otherwise ... avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."¹² According to the legislative history, "if unauthorized access to a copyrighted work is effectively prevented through use of a password, it would be a violation of this section to defeat or bypass the password."¹³ A "technological measure" that "effectively controls access" to a copyrighted work means a measure that, "in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work."¹⁴ Thus, Congress explained, "measures that can be deemed to 'effectively control access to a work' would be those based on encryption, scrambling, authentication, or some other measure which requires the use of a 'key' provided by a copyright owner to gain access to a work."¹⁵
  
  Only a handful of criminal prosecutions have been brought under the DMCA. These include United States v. Sklyarov,¹⁶ in which the defendant was charged for writing a software program, the primary purpose of which was to remove limitations imposed by the publisher of an "ebook" on the purchaser's ability to copy, distribute, or print the book; United States v. Rocci,¹⁷ in which the defendant pleaded guilty to conspiring to import, market, and sell circumvention devices known as modification (or "mod") chips, which were designed to circumvent copyright protections built into game consoles such as Microsoft Xbox and Sony PlayStation 2, once installed, by allowing unlimited play of pirated games on the consoles; and United States v. Whitehead,¹⁸ in which the defendant was convicted of producing and distributing illegally modified DirecTV access cards.

• The Economic Espionage Act.¹⁹ The Economic Espionage Act (EEA) criminalizes the theft or misappropriation of trade secrets. Trade secrets are defined broadly to include "all forms and types of financial, business, scientific, technical, economic, or engineering information" if "(A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value ... from not being generally known to, and not being readily ascertainable through proper means by, the public."²⁰ Virtually any misuse or misappropriation of a trade secret can give rise to liability. The EEA is a specific intent crime; to support criminal liability the defendant must have acted knowingly.
  Recent EEA prosecutions include United States v. Ye,²¹ in which the defendants were accused of stealing microchip blueprints and other trade secrets for the benefit of the government of China; United States v. Kissane,²² in which the defendant pleaded guilty to stealing the source code for software produced by his former employer and attempting to sell the code to two competitors of his former employer; United States v. Morris,²³ in which the defendant pleaded guilty to attempting to steal and transmit to a competitor proprietary bid pricing information belonging to his employer; and United States v. Keppel,²⁴ in which the defendant pleaded guilty to selling the answers to Microsoft's Certified Systems Engineer exams on the Internet.
• The Copyright Act.²⁵ Under some circumstances, the federal Copyright Act criminalizes the willful infringement of copyrighted works, including computer programs. "Willful" is generally defined as a voluntary, intentional violation of a known right.²⁶ Courts recognize that willfulness is a somewhat elusive concept that "is rarely provable by direct evidence, and most often can be proven only by inference from the evidence introduced."²⁷
  Recent criminal copyright prosecutions include United States v. Barbot,²⁸ in which the defendant was convicted of illegally copying and distributing more than $7 million worth of Microsoft software; United States v. Pnewski,²⁹ in which the defendant was convicted of the illegal sale of copyrighted motion pictures over the Internet; and United States v. Woo,³⁰ in which the defendant was convicted of distributing pirated software over the Internet.
• Other Federal Laws Used to Prosecute IP Computer Crime. Other federal laws have been used to prosecute intellectual property crime. For example, federal prosecutors can employ the federal mail and wire fraud statutes in intellectual property cases.³¹ The U.S. Supreme Court has held that a scheme to defraud a person of his or her intangible property falls within the scope of the mail and wire fraud statutes.³² Other potentially implicated federal laws include those that prohibit trafficking in counterfeit labels,³³ trafficking in counterfeit goods,³⁴ and money laundering,³⁵ and RICO.³⁶
• Wisconsin Laws. Although most of the prosecutorial activity has occurred at the federal level, Wisconsin has several statutes that criminalize the theft of intellectual property. These include various computer crimes, including computer hacking,³⁷ criminal trademark infringement,³⁸ trade secret theft,³⁹ and fraudulent data alteration.⁴⁰ One of the few published opinions arising out of a prosecution under Wisconsin's criminal intellectual property laws is State v. Corcoran,⁴¹ in which the court of appeals affirmed the defendant's Wisconsin Computer Crimes Act conviction. Corcoran was convicted of destroying the computer data of his former employer. Concerned that he would not get paid for his work, Corcoran inserted two "Trojan horses" or "booby traps" into the programs he wrote for the company, which, when he activated them, destroyed valuable information on the company computer system.

Conclusion

For most companies, intellectual property crime poses serious threats and similarly serious compliance challenges. Good lawyering requires informing clients of these threats and challenges. It also requires the preparation and knowledge to quickly and substantively respond if a cyber-criminal strikes.

Endnotes

¹See www.usdoj.gov/criminal/cybercrime/pattersonIndict.htm.

²18 U.S.C. § 1030.

³18 U.S.C. § 1030(a)(2).

⁴18 U.S.C. § 1030(a)(4).

⁵See www.usdoj.gov/criminal/cybercrime/ipcases.htm.

⁶See www.usdoj.gov/criminal/cybercrime/williamsIndict.htm.

⁷See www.usdoj.gov/criminal/cybercrime/heckenkampPlea.htm.

⁸See www.usdoj.gov/criminal/cybercrime/lamoPlea.htm.

⁹17 U.S.C. §§ 1201, 1204.

¹⁰17 U.S.C. §§ 1201(a)(1)(A), 1204(a).

¹¹Universal City Studios Inc. v. Reimerdes, 111 F. Supp. 2d 294, 316 (S.D.N.Y. 2000) (quoting House Report).

¹²17 U.S.C. § 1201(a)(3)(A).

¹³S. Rep. No. 105-190, 1998 WL 239623 (Leg. Hist.) at *11.

¹⁴17 U.S.C. § 1201(a)(3)(B).

¹⁵H.R. Rep. No. 105-551(II), 1998 WL 414916 (Leg. Hist.) at *39.

¹⁶See www.usdoj.gov/criminal/cybercrime/ipcases.htm.

¹⁷See www.usdoj.gov/criminal/cybercrime/rocciPlea.htm.

¹⁸See www.usdoj.gov/criminal/cybercrime/whiteheadConviction.htm.

¹⁹18 U.S.C. § 1332.

²⁰18 U.S.C. § 1839(3).

²¹See www.usdoj.gov/criminal/cybercrime/yeIndict.htm; see also Daniel Sordid, Economic-Spying Case May Signal Crackdown, Chi. Trib., Nov. 28, 2003, at C1.

²²See www.usdoj.gov/criminal/cybercrime/kissaneSent.htm.

²³See www.usdoj.gov/criminal/cybercrime/morrisPlea.htm.

²⁴See www.usdoj.gov/criminal/cybercrime/keppelPlea.htm.

²⁵17 U.S.C. § 506, 18 U.S.C. § 2319.

²⁶See, e.g., United States v. Cross, 816 F.2d 297, 300 (7th Cir. 1987).

²⁷United States v. Sherman, 576 F.2d 292, 297 (10th Cir. 1978).

²⁸See www.usdoj.gov/criminal/cybercrime/ipcases.htm.

²⁹See www.usdoj.gov/criminal/cybercrime/ipcases.htm.

³⁰See www.usdoj.gov/criminal/cybercrime/ipcases.htm.

³¹18 U.S.C. §§ 1341, 1343.

³²Carpenter v. United States, 484 U.S. 19 (1987); see United States v. Wang, 898 F. Supp. 758, 760-61 (D. Colo. 1995).

³³18 U.S.C. § 2318.

³⁴18 U.S.C. § 2320.

³⁵18 U.S.C. §§ 1956, 1957.

³⁶18 U.S.C. §§ 1961-1968.

³⁷Wis. Stat. § 943.70.

³⁸Wis. Stat. §§ 132.02, .03.

³⁹Wis. Stat. § 943.205.

⁴⁰Wis. Stat. § 943.392.

⁴¹186 Wis. 2d 616, 522 N.W.2d 226 (Ct. App. 1994).

Wisconsin Lawyer