Vol. 77, No. 10, October 2004
Intellectual Property Crimes in the Cyber World
Intellectual property crimes committed via computer pose serious
threats and compliance challenges. Good lawyering requires informing
business clients of those threats and challenges. Do you have the
preparation and knowledge needed to quickly respond if a cyber-savvy IP
criminal strikes your client?
by David W. Simon & Richard L. Jones
Cyber crime is on the rise. The Internet has expanded the reach of
commerce and, consequently, of crime. Just as commerce now knows no
boundaries, computer crime is now a global threat. If your clients think
they are immune from these risks because of their locale or type of
business, you ought to remind them of the threats and risks in operating
computer systems in today's environment.
The business consequences of computer crime can be severe. Consider
American Eagle Outfitters (a large clothing retailer). Recently, a
former employee of American Eagle Outfitters was sentenced to prison for
password trafficking and computer damage.[1]
After his employment was terminated with American Eagle, the disgruntled
former employee sought revenge. At a Yahoo hacker posting board, the
former employee posted and maintained the username and password
combinations of authorized American Eagle Outfitters users, together
with detailed instructions on how to hack into American Eagle
Outfitters' network using those passwords. The former employee then
hacked into the American Eagle Outfitters computer network. These
intrusions were attempts to deny computer services to American Eagle
Outfitters during the beginning of the critical Christmas shopping
season. The plot ultimately was foiled, but had it succeeded, it could
have threatened the company's financial well-being.
Electronic or computer-based crime also presents a new challenge to
lawyers, regardless of their practice area. Whether or not you focus on
computer crime, it could affect your clients. Those who think that
protection against cyber crime is more of a technical than a legal issue
are missing the boat: clients will be ill-served unless equal parts of
technical and legal expertise are brought to bear, both in preventive
measures and in responsive actions. This article deals with computer
crime from both a legal and a technical perspective. It provides a basic
primer on an integrated approach to preventing and, when necessary,
responding to computer crimes.
Preventing Computer Crime
Lawyers can help clients avoid intellectual property (IP) crime
committed via computer by identifying risks and suggesting policies to
address those risks. In the cyber world a threat is any activity that,
if perpetrated, could negatively affect the company through unauthorized
access to, or the actual theft or alteration of, information or
information systems. The threats one hears the most about are from
hackers, viruses, and worms. The threats one does not hear as much about
are from the "new" white collar criminals. Potential attackers include
disgruntled current and former employees (including information
technology [IT] and other workers), unhappy customers, or replaced
vendors.
What is most dangerous about these threats is that many clients do
not want to believe that they exist. Managers believe that their
respective companies are secure or that their employees are good people
who would never do such a thing. Recent history proves such thinking is
wrong.
A company also may be victimized in less obviously nefarious ways. A
former employee who takes client or product information to a new company
may not understand that he or she is committing a crime or even have a
sense of what effect his or her actions will have on the company. In
other cases, employees may think that confidential and proprietary
information they helped to develop is their personal property or is an
entitlement for years of service.
Your clients should begin their prevention efforts by assembling a
new team, consisting of representatives from legal, risk management,
executive management (representing the board of directors), IT,
security, and human resources departments. This prevention team first
should identify what the corporation has at risk. Remember that new
sources of threats also will create new areas of risk, so the team
should not rely on history alone to identify dangers. The prevention
team also should attempt to quantify potential loss. With a loss matrix
in place, the team then needs to estimate the costs of future litigation
to defend claims resulting from customer losses. For example, customer
losses may result from such cyber incidents as identity theft or
financial fraud, perpetrated allegedly because the client supposedly
"allowed" personal data to be stolen either during electronic
transmission or directly from the systems in which it stored the
data.
When the risk assessment is complete, the prevention team should
ensure that the company's information security plan addresses those
risks. This is primarily a technical issue, but lawyers should make sure
the task is accomplished. IT directors historically have been charged
with operating an efficient and stable system. Information security,
however, is quickly climbing up the priority list as losses occur and
privacy and electronic security laws are being enacted. Adequate
information security requires a combination of technical and physical
measures in order to develop a full-spectrum approach to protecting
systems, applications, and proprietary corporate information.
Finally, the prevention team should develop a crisis management plan
for responding to computer crimes. A basic response plan should be in
place, so that company employees will know what to do and who to call if
someone discovers a computer crime. The basic elements of a response
plan are discussed below, but at a minimum, it is critical that
technical and legal point persons are identified, and that employees are
educated (ideally through the company's compliance program) on
appropriate response steps.
An Integrated Response to Computer Crime
David W. Simon,
U.C.-Berkeley, Boalt Hall School of Law 1994, is a partner in Foley
& Lardner's Milwaukee office and a member of the firm's Litigation
Department (White Collar Defense & Corporate Compliance and
Antitrust Practice Groups). He advises corporate clients on compliance
with and enforcement of criminal intellectual property laws, with
special emphasis on the Economic Espionage Act, and serves on the CIRI
Team™ (Computer Incident Response and Investigation Team). He may be
reached at dsimon@foley.com.
Richard L. Jones is the chair and CEO of M2000/IS,
an information security firm emphasizing response and investigation of
computer crimes and cyber terrorism. He is the founder of the CIRI Team,
an integrated team of information security technologists, former federal
law enforcement agents, and attorneys skilled in privacy and technology
laws. He serves on the board of directors of the FBI-supported InfraGard
Program and is a member of the Los Angeles U.S. Secret Service
Electronic Crimes Task Force. He can be reached at RLJ@M2000Inc.com.
If preventive measures do not work (and there are no foolproof
preventive measures), lawyers must play an important role in responding
to computer crimes after they occur. A victimized company must respond
promptly and effectively to mitigate any losses and to increase the
chances of detecting and stopping the wrongdoer.
First Response. When a computer crime occurs, the
immediate response steps are primarily technical. They are critical not
only to minimize the damage, but also to preserve evidence that
ultimately may be needed to make a case against the perpetrator. Involve
an information security expert right away to ensure that the immediate
response is appropriate. Some basic first response guidelines
include:
- Disconnect the affected computer from the Internet and the company
network.
- If the loss appears substantial, do not turn off the computer. This
could result in important cyber evidence being lost. Guard the computer
until computer forensic investigative professionals are contacted and
can provide specific instructions as to how to proceed.
- If the computer's physical environment cannot be secured, pull the
power plug and lock the computer in a secure room or closet. Do not
power down or shut off the computer via normal shutdown procedures.
Normal shutdown procedures may delete trails (evidence) left by the
perpetrator.
- Finally, identify and stop the perpetrator. This is primarily a
technical problem and thus will be the responsibility primarily of
technical experts.
Building a Case. Once the initial, mainly technical,
damage control measures are accomplished, a lawyer becomes vital to
assist the client in building a case - civil or criminal - against the
perpetrator. The goal of the company's response ought to be to develop a
"prosecution package": a ready-made case that includes all the evidence
necessary to file charges against the perpetrator. This is important
because even though more intellectual property charges have been brought
in recent years, law enforcement resources are stretched thin and this
still is uncharted territory for many prosecutors and law enforcement
officials. It is often difficult to persuade prosecutors to pursue
intellectual property cases without providing assistance of this nature.
Even if prosecution is declined, the prosecution package provides a
civil case against the wrongdoer. It is critical for the lawyer to work
hand-in-hand with a technical expert to create a viable case.
The first step in putting together a prosecution package is to gather
evidence in an admissible form. Cyber evidence is especially vulnerable
to tainting, so it is important to proceed with care. The victimized
company should immediately conduct a computer forensic investigation to
preserve evidence relating to the incident to assure its admissibility
in court. Lawyers and technical experts should be involved in this
process, because preserving electronic evidence is challenging.
Involving lawyers and technical personnel also allows the investigation
to proceed under the protections of the attorney-client privilege. It is
nearly always preferable for a forensic computer consultant (as opposed
to in-house IT personnel) to conduct the investigation. Evidence in
these kinds of cases is often irreparably tainted as a result of the
otherwise sound efforts of in-house IT personnel, who are unfamiliar
with the rigorous legal standards for handling and admitting
evidence.
Legal Toolbox. As you assist your clients in
building a case, it is helpful to be aware of the various criminal laws
that can be used to prosecute computer criminals. Understanding the law
allows you to target your evidence-gathering efforts to the elements of
the claims that may be asserted. Dozens of federal and state laws
authorize criminal prosecutions for IP theft or misappropriation. The
most important criminal laws, their elements, and recent examples of
prosecutions brought under each law are discussed below.
- Computer Fraud and Abuse Act.[2]
This federal law criminalizes certain forms of computer hacking. It
prohibits the intentional accessing of a computer without authorization
or by exceeding authorized access to a computer either 1) to obtain
certain specified information, including certain financial records,
government records, and information from any protected computer, if the
conduct involves an interstate or foreign communication;[3] or 2) to
commit a fraud and thereby obtain anything of value.[4] "Information" is defined
broadly to include information stored in an intangible form, and
"obtaining information" can include merely reading it.
Recent prosecutions under this law include United States v.
Jeansonne,[5] in which the defendant was
charged with transmitting to WebTV users a computer virus that
reprogrammed their computers to dial 911 instead of the local access
number; United States v. Williams,[6]
in which the defendant was charged with unlawfully accessing his
company's computer system to obtain credit information on approximately
60 persons; United States v. Heckenkamp,[7] in which the defendant
pleaded guilty to gaining
unauthorized access to the computer systems of high-technology
companies, including eBay and Qualcomm, defacing certain Web pages, and
installing "Trojan" programs that captured user names and passwords of
authorized users; and United States v. Lamo,[8] in which the defendant
pleaded guilty to hacking
into the New York Times' computer system and accessing a
database containing personal information for more than 3,000
contributors to the paper's Op-Ed page.
- The Digital Millennium Copyright Act.[9] The Digital Millennium
Copyright Act's (DMCA's)
anti-circumvention provisions make it a crime to: 1) circumvent
technological measures that effectively control access to protected
copyrighted works; 2) do so willfully; and 3) do so for the purpose of
commercial advantage or private financial gain.[10] Congress described
the crime the
anti-circumvention provision is designed to combat as "the electronic
equivalent of breaking into a locked room in order to obtain a copy of a
book."[11]
"Circumvention" is defined as to "descramble a scrambled work, ...
decrypt an encrypted work, or otherwise ... avoid, bypass, remove,
deactivate, or impair a technological measure, without the authority of
the copyright owner."[12] According to the
legislative history, "if unauthorized access to a copyrighted work is
effectively prevented through use of a password, it would be a violation
of this section to defeat or bypass the password."[13] A "technological
measure" that "effectively
controls access" to a copyrighted work means a measure that, "in the
ordinary course of its operation, requires the application of
information, or a process or a treatment, with the authority of the
copyright owner, to gain access to the work."[14] Thus, Congress
explained, "measures that can be
deemed to 'effectively control access to a work' would be those based on
encryption, scrambling, authentication, or some other measure which
requires the use of a 'key' provided by a copyright owner to gain access
to a work."[15]
Only a handful of criminal prosecutions have been brought under the
DMCA. These include United States v. Sklyarov,[16] in which the
defendant was charged for writing a
software program, the primary purpose of which was to remove limitations
imposed by the publisher of an "ebook" on the purchaser's ability to
copy, distribute, or print the book; United States v.
Rocci,[17] in which the defendant
pleaded guilty to conspiring to import, market, and sell circumvention
devices known as modification (or "mod") chips, which, once installed,
were designed to circumvent copyright protections built into game
consoles such as Microsoft Xbox and Sony PlayStation 2 by allowing
unlimited play of pirated games on the consoles; and United States
v. Whitehead,[18] in which the defendant
was convicted of producing and distributing illegally modified DirecTV
access cards.
- The Economic Espionage Act.[19]
The Economic Espionage Act (EEA) criminalizes the theft or
misappropriation of trade secrets. Trade secrets are defined broadly to
include "all forms and types of financial, business, scientific,
technical, economic, or engineering information" if "(A) the owner
thereof has taken reasonable measures to keep such information secret;
and (B) the information derives independent economic value ... from not
being generally known to, and not being readily ascertainable through
proper means by, the public."[20] Virtually
any misuse or misappropriation of a trade secret can give rise to
liability. The EEA is a specific intent crime; to support criminal
liability the defendant must have acted knowingly.
Recent EEA prosecutions include United States v. Ye,[21] in which the
defendants were accused of stealing
microchip blueprints and other trade secrets for the benefit of the
government of China; United States v. Kissane,[22] in which the
defendant pleaded guilty to
stealing the source code for software produced by his former employer
and attempting to sell the code to two competitors of his former
employer; United States v. Morris,[23] in which the defendant pleaded
guilty to
attempting to steal and transmit to a competitor proprietary bid pricing
information belonging to his employer; and United States v.
Keppel,[24] in which the defendant
pleaded guilty to selling the answers to Microsoft's Certified Systems
Engineer exams on the Internet.
- The Copyright Act.[25] Under
some circumstances, the federal Copyright Act criminalizes the willful
infringement of copyrighted works, including computer programs.
"Willful" is generally defined as a voluntary, intentional violation of
a known right.[26] Courts recognize that
willfulness is a somewhat elusive concept that "is rarely provable by
direct evidence, and most often can be proven only by inference from the
evidence introduced."[27]
Recent criminal copyright prosecutions include United States v.
Barbot,[28] in which the defendant was
convicted of illegally copying and distributing more than $7 million
worth of Microsoft software; United States v. Pnewski,[29] in which the
defendant was convicted of the
illegal sale of copyrighted motion pictures over the Internet; and
United States v. Woo,[30] in which
the defendant was convicted of distributing pirated software over the
Internet.
- Other Federal Laws Used to Prosecute IP Computer Crime.
Other federal laws have been used to prosecute intellectual property
crime. For example, federal prosecutors can employ the federal mail and
wire fraud statutes in intellectual property cases.[31] The U.S. Supreme
Court has held that a scheme to
defraud a person of his or her intangible property falls within the
scope of the mail and wire fraud statutes.[32] Other potentially
implicated federal laws
include those that prohibit trafficking in counterfeit labels,[33]
trafficking in counterfeit goods,[34] money laundering,[35] and RICO.[36]
- Wisconsin Laws. Although most of the prosecutorial activity
has occurred at the federal level, Wisconsin has several statutes that
criminalize the theft of intellectual property. These include various
computer crimes, including computer hacking,[37] criminal trademark
infringement,[38] trade secret theft,[39] and fraudulent data
alteration.[40] One of the few published opinions arising out of
a prosecution under Wisconsin's criminal intellectual property laws is
State v. Corcoran,[41] in which the
court of appeals affirmed the defendant's Wisconsin Computer Crimes Act
conviction. Corcoran was convicted of destroying the computer data of
his former employer. Concerned that he would not get paid for his work,
Corcoran inserted two "Trojan horses" or "booby traps" into the programs
he wrote for the company, which, when he activated them, destroyed
valuable information on the company computer system.
Conclusion
For most companies, intellectual property crime poses serious threats
and similarly serious compliance challenges. Good lawyering requires
informing clients of these threats and challenges. It also requires the
preparation and knowledge to quickly and substantively respond if a
cyber-criminal strikes.
Endnotes
[1] See www.usdoj.gov/criminal/cybercrime/pattersonIndict.htm.
[2] 18 U.S.C. § 1030.
[3] 18 U.S.C. § 1030(a)(2).
[4] 18 U.S.C. § 1030(a)(4).
[5] See www.usdoj.gov/criminal/cybercrime/ipcases.htm.
[6] See www.usdoj.gov/criminal/cybercrime/williamsIndict.htm.
[7] See www.usdoj.gov/criminal/cybercrime/heckenkampPlea.htm.
[8] See www.usdoj.gov/criminal/cybercrime/lamoPlea.htm.
[9] 17 U.S.C. §§ 1201, 1204.
[10] 17 U.S.C. §§ 1201(a)(1)(A), 1204(a).
[11] Universal City Studios Inc. v. Reimerdes, 111 F. Supp. 2d 294, 316 (S.D.N.Y. 2000) (quoting House Report).
[12] 17 U.S.C. § 1201(a)(3)(A).
[13] S. Rep. No. 105-190, 1998 WL 239623 (Leg. Hist.) at *11.
[14] 17 U.S.C. § 1201(a)(3)(B).
[15] H.R. Rep. No. 105-551(II), 1998 WL 414916 (Leg. Hist.) at *39.
[16] See www.usdoj.gov/criminal/cybercrime/ipcases.htm.
[17] See www.usdoj.gov/criminal/cybercrime/rocciPlea.htm.
[18] See www.usdoj.gov/criminal/cybercrime/whiteheadConviction.htm.
[19] 18 U.S.C. § 1332.
[20] 18 U.S.C. § 1839(3).
[21] See www.usdoj.gov/criminal/cybercrime/yeIndict.htm; see also Daniel Sordid, Economic-Spying Case May Signal Crackdown, Chi. Trib., Nov. 28, 2003, at C1.
[22] See www.usdoj.gov/criminal/cybercrime/kissaneSent.htm.
[23] See www.usdoj.gov/criminal/cybercrime/morrisPlea.htm.
[24] See www.usdoj.gov/criminal/cybercrime/keppelPlea.htm.
[25] 17 U.S.C. § 506, 18 U.S.C. § 2319.
[26] See, e.g., United States v. Cross, 816 F.2d 297, 300 (7th Cir. 1987).
[27] United States v. Sherman, 576 F.2d 292, 297 (10th Cir. 1978).
[28] See www.usdoj.gov/criminal/cybercrime/ipcases.htm.
[29] See www.usdoj.gov/criminal/cybercrime/ipcases.htm.
[30] See www.usdoj.gov/criminal/cybercrime/ipcases.htm.
[31] 18 U.S.C. §§ 1341, 1343.
[32] Carpenter v. United States, 484 U.S. 19 (1987); see United States v. Wang, 898 F. Supp. 758, 760-61 (D. Colo. 1995).
[33] 18 U.S.C. § 2318.
[34] 18 U.S.C. § 2320.
[35] 18 U.S.C. §§ 1956, 1957.
[36] 18 U.S.C. §§ 1961-1968.
[37] Wis. Stat. § 943.70.
[38] Wis. Stat. §§ 132.02, .03.
[39] Wis. Stat. § 943.205.
[40] Wis. Stat. § 943.392.
[41] 186 Wis. 2d 616, 522 N.W.2d 226 (Ct. App. 1994).
Wisconsin Lawyer