TechFite Case Study
Contents
A. Application of the Law
1. Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA)
Computer Fraud and Abuse Act (CFAA)
Electronic Communications Privacy Act (ECPA)
2. Laws, Regulations, or Legal Cases Justifying Legal Action for Negligence
i. General Data Protection Regulation (GDPR)
ii. Federal Trade Commission (FTC) Act – Section 5
iii. Restatement (Second) of Torts – Duty of Care
3. Instances of Lack of Duty of Due Care
i. Failure to Implement Data Segregation
ii. Inadequate Oversight of Privileged User Accounts
4. Application of the Sarbanes-Oxley Act (SOX)
B. Legal Theories
1. Alleged Criminal Activity at TechFite
a. Criminal Actors and Victims
b. Failures of Cybersecurity Policies and Procedures
2. Alleged Acts of Negligence at TechFite
a. Negligent Actors and Victims
b. Failures of Cybersecurity Policies and Procedures
C. Summary for Senior Management
References
A. Application of the Law
1. Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA)
The Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) are foundational laws in the U.S. legal framework governing computer and network activities. Both statutes directly address the criminal activities discovered within TechFite’s Applications Division.
Computer Fraud and Abuse Act (CFAA)
The CFAA, codified at 18 U.S.C. §1030, was introduced to combat unauthorized access to computer systems and networks. The act makes it unlawful to access a protected computer without authorization, or to exceed authorized access, especially when that access is used for theft or fraud (Thomas, 2023). Evidence in the TechFite case shows that employees, including Sarah Miller and Jack Hudson, used privileged accounts to access systems without authorization, which resulted in the unapproved interception of private financial records from several departments. These actions, particularly the unauthorized access to competitors' networks using the Metasploit penetration testing tool, clearly violate the CFAA (Okuh, 2010). The division's activities qualify as unlawful under this act because they involved “dumpster diving” and infiltrating private business networks without authorization (Walden, 2007).
Electronic Communications Privacy Act (ECPA)
The ECPA, passed in 1986, extended wiretap protections to electronic communications and prohibits the interception or disclosure of a communication without proper authorization (18 U.S.C. §§2510–2522) (Gudgel, 2013). In the TechFite case, the following practices qualify as ECPA violations: unauthorized access to internal emails, to executive communications, and to other employees’ sensitive client data, all without the necessary supervision. Such interception is unlawful, and organizations are required to act to ensure that electronic communications are secure. Another example of TechFite's lack of internal controls is the absence of any monitoring of internal e-mail traffic between divisions, which violates the protection the ECPA provides (Martin & Cendrowski, 2014). Furthermore, the leakage of, and general conduct within S using the cover of legitimate operations to obtain unauthorized access to sensitive information, also shows great contempt for the law.
2. Laws, Regulations, or Legal Cases Justifying Legal Action for Negligence
The following laws and regulations will help guide the company so that TechFite is held liable for negligence with clients’ sensitive data. Cyber negligence is defined as the failure to exercise reasonable care to avoid harm where information security precautions are inadequate (O’Dell, 2023). The following laws apply:
i. General Data Protection Regulation (GDPR)
The GDPR is a European Union regulation, yet it sets very high standards for handling the personal data of EU citizens that apply to organizations across the globe. Its broad jurisdiction means any organization processing the data of EU residents must comply with its standards. TechFite would violate the GDPR if its clientele included individuals or businesses in the EU, because it did not separate sensitive data or put data loss prevention (DLP) procedures in place. In particular, GDPR Article 32 mandates the adoption of measures that guarantee a level of security appropriate to the risk, such as pseudonymization and encryption of personal data (Schwartz & Solove, 2021). Neglecting these security requirements could lead to substantial penalties under the GDPR, based on the harm caused to customers like Orange Leaf Software and Union City Ventures, whose proprietary information was compromised (Chimes & Sankar, 2014).
ii. Federal Trade Commission (FTC) Act – Section 5
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices” in commerce. Failure to implement effective data security measures can be classified as unfair or deceptive, particularly when clients are led to believe their proprietary data is secure (Kolasky, 2014). TechFite’s failure to adequately protect client information from breaches, especially after promising to do so via nondisclosure agreements (NDAs), would likely be seen as deceptive under the FTC’s standards. This would justify legal action on grounds of negligence in data protection practices, as reflected in the FTC’s frequent enforcement actions for similar lapses in cybersecurity (Cooper & Kobayashi, 2022).
iii. Restatement (Second) of Torts – Duty of Care
In tort law, companies are required to meet a duty of care to avoid negligence in handling sensitive information. The Restatement (Second) of Torts, §282 defines negligence as the failure to act reasonably to prevent foreseeable harm (Robinette, 2018). In TechFite’s case, the lack of proper safeguards for client data, failure to monitor internal traffic, and absence of data segregation represent a breach of this duty of care. TechFite should have foreseen the potential harm caused by the lack of internal controls and properly addressed the associated risks (Moore, 2018).
3. Instances of Lack of Duty of Due Care
Due care is the key to dealing with information security risks. TechFite failed to exercise it in at least the following two cases:
i. Failure to Implement Data Segregation
There is a lack of duty of due care because there was no Chinese wall process to restrict access to client data. Since it lacked proper restrictions on the data, TechFite made it possible for the information to be accessed by other people within the company who might misuse it. This directly led to the leakage of Orange Leaf Software and Union City Ventures data, making the company liable for negligence (Kumar et al., 2016).
ii. Inadequate Oversight of Privileged User Accounts
The second form of negligence of due care seen at TechFite is the lack of proper supervision of user accounts, particularly accounts with administrator access. Because there were no internal audit and monitoring activities within the organization, the creation of additional accounts by Carl Jaspers, and the use of those accounts in other suspicious activities, went unnoticed. A standard of reasonable care would have involved regular audits and the principle of least privilege, which evidently was not followed (Haber, 2020).
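The two due-care gaps above (no Chinese wall between client engagements, and no audit of who creates or elevates privileged accounts) are both things a periodic log review would catch. The following is an added example, not part of the case study or of any TechFite system: it parses a constructed access log and flags cross-client reads, reads by unknown identities, and account creations or admin grants that have no approval record or were approved by the same person who performed them. The user names, the log format, the clearance table and the approval register are all assumptions made up for the illustration.

```python
# Added example (not from the case study): audit a constructed access log against
# two controls the text says TechFite lacked, client data segregation and
# approval/least-privilege review of privileged account creation.
# All names, log lines and policy tables below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed clearance table: each user may read only the client folders listed
# (the "Chinese wall"). Admin identities hold no client data clearance at all.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "analyst_a": {"client_alpha"},
    "analyst_b": {"client_beta"},
    "it_mgr": set(),       # administers accounts, no client clearance
    "svc_admin": set(),    # privileged service account, no client clearance
}

# Constructed approval register: account name -> manager who approved its creation
# or elevation. Any account not listed here was never approved.
APPROVALS: Dict[str, str] = {
    "analyst_c": "dept_head",
    "svc_admin3": "svc_admin",   # approver is also the actor below: self-approval
}

PRIVILEGED_ACTIONS = {"create_account", "grant_admin"}


@dataclass(frozen=True)
class Event:
    ts: str
    actor: str
    action: str   # read | create_account | grant_admin
    target: str   # "<client>/<file>" for read, an account name otherwise


def parse_log(text: str) -> List[Event]:
    """Parse '<ts> <actor> <action> <target>' lines; blank lines and # comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, action, target = line.split(maxsplit=3)
        events.append(Event(ts, actor, action, target))
    return events


def check_segregation(events: List[Event], assignments: Dict[str, Set[str]]) -> List[Tuple[Event, str]]:
    """Flag reads that cross the wall: an unknown actor, or a client folder the actor is not assigned to."""
    findings = []
    for ev in events:
        if ev.action != "read":
            continue
        client = ev.target.split("/", 1)[0]
        if ev.actor not in assignments:
            findings.append((ev, "unknown actor"))
        elif client not in assignments[ev.actor]:
            findings.append((ev, f"not assigned to {client}"))
    return findings


def check_privileged_accounts(events: List[Event], approvals: Dict[str, str]) -> List[Tuple[Event, str]]:
    """Flag account creation or elevation with no approval record, or approved by the actor themself."""
    findings = []
    for ev in events:
        if ev.action not in PRIVILEGED_ACTIONS:
            continue
        approver = approvals.get(ev.target)
        if approver is None:
            findings.append((ev, "no approval record"))
        elif approver == ev.actor:
            findings.append((ev, "self-approved (no separation of duties)"))
    return findings


# Constructed sample log; none of these entries are real TechFite data.
SAMPLE_LOG = """\
# constructed sample
2024-05-01T09:00 analyst_a read client_alpha/roadmap.docx
2024-05-01T09:05 analyst_a read client_beta/contracts.pdf
2024-05-01T09:30 ghost_user read client_alpha/financials.xlsx
2024-05-01T10:00 svc_admin create_account svc_admin2
2024-05-01T10:01 svc_admin grant_admin svc_admin2
2024-05-01T10:10 svc_admin create_account svc_admin3
2024-05-01T11:00 it_mgr create_account analyst_c
2024-05-01T11:30 analyst_b read client_beta/contracts.pdf
"""


def audit(text: str = SAMPLE_LOG) -> Dict[str, List[Tuple[str, str, str]]]:
    """Run both checks and return (actor, target, reason) triples per control."""
    events = parse_log(text)
    return {
        "segregation": [(e.actor, e.target, why) for e, why in check_segregation(events, ASSIGNMENTS)],
        "privileged": [(e.actor, e.target, why) for e, why in check_privileged_accounts(events, APPROVALS)],
    }


if __name__ == "__main__":
    for control, rows in audit().items():
        print(control)
        for actor, target, why in rows:
            print(f"  {actor} -> {target}: {why}")
```

Running the block reports the cross-client read by analyst_a, the read by an identity that appears in no clearance table, the two unapproved actions on svc_admin2, and the self-approved svc_admin3 account; the it_mgr creation of analyst_c passes because a different person approved it. The self-approval check is the separation-of-duties point: an approval register is only a control if the person who approves is not the person who acts.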
4. Application of the Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002, or SOX, was enacted with the intention of making corporations more accountable for their corporate management, particularly financial reporting. Section 302 of SOX requires executives to certify that the financial statements their organizations present are accurate, whereas Section 404 of SOX requires businesses to adopt and implement sufficient internal controls over financial reporting (Gupta et al., 2016).
In any case, it is clear that creating fictitious clients like Bebop Software and FGH Research Group and using them to inflate the sales of the Applications Division most probably violates one or more SOX provisions. This is mainly due to the absence of internal controls that allowed one employee to both create clients and record sales, which only compounds the problem. SOX requires strong controls over financial reporting to prevent fraud, and these were completely absent at TechFite. Moreover, the use of shell companies to conceal revenue manipulation also points to the violation of at least one SOX provision, since financial fraud undermines stakeholder confidence (Gupta et al., 2016).
B. Legal Theories
1. Alleged Criminal Activity at TechFite
From this case study, there is enough information showing that several criminal incidents took place at TechFite, specifically involving unauthorized access and corporate espionage.
a. Criminal Actors and Victims
The criminal actors established in the case include Carl Jaspers, Sarah Miller, and Jack Hudson. These individuals carried out unauthorized access using unapproved accounts with privileged access, and read sensitive corporate documents. These actions affected clients such as Orange Leaf Software and Union City Electronic Ventures, whose secret information was stolen and shared with their competitors (Koehler, 2017).