This case study examines TechFite's legal exposure under the Computer Fraud and Abuse Act (CFAA) and Electronic Communications Privacy Act (ECPA), analyzing potential criminal liability for unauthorized computer access. The analysis applies negligence tort principles from landmark cases including Raleigh vs Performance Plumbing and Brown vs USA Taekwondo to assess civil liability risks. The study demonstrates comprehensive legal framework application in evaluating corporate cybersecurity compliance and liability exposure.
The Computer Fraud and Abuse Act (CFAA) of 1986 (most recently amended in 2008) makes it a criminal offence to access a protected computer either without authorization or in excess of one’s authorized access (US Department of Justice, 2022). For a claim of access without authorization to be valid, the individual must be aware of the facts that make such access unauthorized and must have accessed the computer without the authorization of an entity or person authorized to give such access (US Department of Justice, 2022). For individuals with authorized access, the CFAA imposes limits on such access, making it illegal to knowingly access areas in a protected computer, including databases, user accounts, folders and files, to which one’s access does not extend (US Department of Justice, 2022). Under the CFAA, the investigating team will check the division’s networks and computer systems, and evaluate the mechanisms that are in place to prevent employees from gaining unauthorized or excess access into protected computers. The division may be criminally liable if the investigation finds evidence of breaches that may have allowed employees to gain unauthorized access into the protected computers of other companies.
The Electronic Communications Privacy Act (ECPA) prohibits individuals from accessing, without proper authorization, electronic communications in the form of data, telephone conversations, or email, while such communication is in transit, stored in a computer, or being made (Bureau of Justice Assistance, n.d.). The BI unit may be criminally liable under the ECPA if there is evidence to indicate that the division maintained surveillance over emails of other companies with the aim of gathering intelligence.
Besides the risk of criminal liability as provided in statute, it may also be prudent to assess the company’s risk of legal action based on the tort of negligence. Investigators could make use of several laws and court cases in justifying legal action based on negligence from the information provided in the case study. In the case of Raleigh vs Performance Plumbing and Heating, 130 P.3d 1011, 1015 (Colo. 2006), the court held that for a negligence claim to succeed, the defendant must prove four elements of negligence by a preponderance of the evidence and the extent of their damages. The court identified the four elements as: duty, causation, breach, and damages (Scordato, 2022). The defendant must owe a legal duty of care to the plaintiff (duty), which they failed to fulfil (breach), causing (causation) harm or injury to the plaintiff (damages).
The California Supreme Court, in Brown vs USA Taekwondo (2021) set a standard that courts could use to determine whether a defendant owes a duty of care to a plaintiff. In the court’s view, the plaintiff must prove that the parties share a special relationship that gives rise to a reasonable duty of care and that the defendant’s failure to act reasonably resulted in a foreseeable injury (Scordato, 2022). The foreseeability requirement is satisfied if the plaintiff can demonstrate that the possibility of danger resulting from the defendant’s actions was apparent and reasonably foreseeable (Scordato, 2022).
In determining whether a breach of duty occurred, Judge Learned Hand, in United States vs. Carroll Towing, 160 F.2d 482 (2d Cir. N.Y. Mar. 17, 1947), established the Hand formula, which determines whether a breach exists using the relationship B.
Besides showing that a defendant owes a duty of care, the plaintiff must show a cause-in-fact or cause-and-effect relationship between the defendant’s conduct and the harm they suffered (Scordato, 2022). In City of St. Louis vs Benjamin Moore and Co., 226 S.W.3d 110, 113 (Mo. 2007), the Montana Supreme Court established the but-for test of causation, which requires the plaintiff to prove that were it not for the defendant’s actions, they (the plaintiff) would not have suffered harm or loss (Scordato, 2022).
Based on the above court cases, the TechFite case study reveals several instances where the duty of due care may have been breached. According to Brown vs USA Taekwondo (2021), the duty of due care is breached if an individual fails to adhere to expected reasonable care standards, resulting in harm to another person. The IT division breached its duty of care by creating accounts solely on Carl Jaspers’ request, and by failing to monitor activity or to close down the accounts once the employees to whom they were assigned left the company. This allowed other employees to use the accounts and their associated emails for illegal intelligence-gathering that eventually caused harm to the affected companies. The IT security analyst, Nadia Johnson, also violated the duty of due care by failing to audit the division’s client list regularly. The failure to conduct regular and proper audits made it possible for the division head to onboard and trade with illegitimate and non-existent companies. These companies were used to move money that was used to inflate the division’s sales figures.
By inflating its sales revenues, the division may be in violation of the Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act seeks to enhance public disclosure and the integrity of financial reporting mechanisms in public companies (Legal Information Institute, n.d.). Section 301 of the Act makes it a crime for an officer to willfully and knowingly misrepresent financial statements. Attempts to inflate the division’s sales figures using fictitious accounts may thus amount to criminal activity under Section 301 of the Sarbanes-Oxley Act. Further, Section 404 of the Act imposes upon the management of public companies the responsibility to put in place proper internal controls and to conduct annual assessments of their internal control systems (Legal Information Institute, n.d.). The investigation reveals fundamental gaps, such as the inadequate segregation of duties, which may point to a possible failure by management to maintain oversight as required under Section 404.
Evidence from the case study points to potential criminal activity at the Applications Division. The business intelligence (BI) unit of the Applications Division violated the CFAA’s authorized-access provisions by using the Metasploit tool to intentionally access the IP addresses of multiple internet-based companies without the authorization of those companies. Senior analyst Sarah Miller and analysts Jack Hudson and Megan Rogers are criminally liable for illegally penetrating the IP addresses of different companies to gather intelligence. Their actions violate the provisions of the CFAA, which prohibit willfully gaining unauthorized access into protected computers. The victims were the internet companies whose IP addresses were penetrated, including Orange Leaf Software LLC and Union City Electronic Ventures.
Through their actions, the employees managed to gather crucial proprietary information from their victims, which was then shared with competitors to the detriment of the respective companies. The lack of a methodology to keep clients’ information segregated from each other made it possible for proprietary and sensitive information belonging to previous, potential, and existing clients to leak. The division also failed to enforce separation of duties and the principle of least privilege, granting full administrative rights to each workstation and computer. This provided room for employees to easily access proprietary information about client companies.
At the same time, criminal activity is also evident in the unit’s use of dummy accounts to access other units within the company. The division’s head, Carl Jaspers, ordered the creation of the two accounts and had been operating the same since the assigned employees left the company. Therefore, Mr. Jaspers assumes liability for criminal activity carried out using the accounts. The audit findings showed that Mr. Jaspers had intentionally escalated privilege on these accounts to gain access into the finance, human resource, and legal divisions, thus accessing executive and financial documents.
By intruding into the databases and information of other divisions, Mr. Jaspers exceeded his authorized access, making him criminally liable under the excess-authorization provision of the CFAA. Mr. Jaspers’ victims were the finance, human resource, and legal divisions of the company, whose databases he was able to penetrate. This was made possible by the lack of proper oversight mechanisms over the division’s internal processes. The IT security analyst, Nadia Johnson, did not conduct regular audits of user accounts or carry out surveillance of account activity. This made it possible for Jaspers to escalate privileges on dummy accounts to access areas outside their scope and also to use the accounts for illegal activities. The social relationship between Jaspers and Johnson may have aided this, particularly because there is no policy barring IT security staff from entering into social relationships with those on whom they maintain oversight.
Carl Jaspers is also criminally liable for knowingly misrepresenting the division’s financial records by inflating sales revenues using non-existent clients. The Sarbanes-Oxley Act makes it a criminal offence for an officer in a public company to misrepresent financial records. The division’s weak internal controls facilitated this. For instance, segregation of duties is lacking, making it possible for the same person to create clients, report sales, and make sales postings on the system. The lack of regular and proper audits of the client database also made it possible for Jaspers to create and trade with fictitious clients, using fictitious bank accounts to inflate sales revenues. The victims of Jaspers’ actions are the company shareholders and customers, who rely on the division’s financial reports for decision-making. The company’s CEO and CFO could also be regarded as victims, since the Sarbanes-Oxley Act makes them legally responsible for ensuring the accuracy of financial reports.
Besides evidence of criminal activity, the case study also provides evidence of negligence based on the elements outlined earlier. For a negligence claim to be valid, one needs to demonstrate that someone who owed a duty of care breached that duty, causing harm or loss to another person. The IT security analyst Nadia Johnson’s actions satisfy the elements of negligence. Johnson’s position as the application division’s IT security analyst created a special relationship with the company that established a reasonable duty to ensure the effectiveness of internal processes. As the division’s security analyst, she had a duty to conduct audits on user accounts, conduct surveillance on internal activity on the network, and monitor attempts to escalate privileges on user accounts. By failing to carry out the same, Johnson breached this duty. This breach weakened the oversight role at the division, causing network breaches that led to proprietary client information leaking through the system. In line with the court’s ruling in Brown vs USA Taekwondo (2021), the failure to discharge her duties placed the division at a foreseeable risk of network breaches. The loss suffered by Orange Leaf and Union City Electronic Ventures (the victims) through leakage of proprietary information to competitors was a direct result of Johnson’s breach of duty.
The lack of proper oversight by the company’s top management of the division’s internal activities created room for Johnson’s negligent actions. Negligence was also fueled by the absence of policies barring IT security staff from forming social relationships with those on whom they maintain oversight. The close relationship between Johnson and the division head, Jaspers, provided room for the former to overlook crucial areas in her oversight that eventually caused losses to clients. At the same time, there is no evidence of independent external audits as required by the Sarbanes-Oxley Act. Independent external audits would have identified the areas of negligence and brought them to the attention of the company’s management before they escalated.