TechFite Case Study

Section A: Application of the Law

The Computer Fraud and Abuse Act (CFAA) of 1986 (most recently amended in 2008) makes it a criminal offence to access a protected computer either without authorization or in excess of ones authorized access (US Department of Justice, 2022). For a claim of access without authorization to be valid, the individual must be aware of the facts that make such access unauthorized and must have accessed the computer without the authorization of an entity or person authorized to give such access (US Department of Justice, 2022). For individuals with authorized access, the CFAA imposes limits on such access, making it illegal to knowingly access areas in a protected computer, including databases, user accounts, folders and files, to which ones access does not extend (US Department of Justice, 2022). Under the CFAA, the investigating team will check the divisions networks and computer systems, and evaluate the mechanisms that are in place to prevent employees from gaining unauthorized or excess access into protected computers. The division may be criminally liable if the investigation finds evidence of breaches that may have allowed employees to gain unauthorized access into the protected computers of other companies.

The Electronic Communications Privacy Act (ECPA) prohibits individuals from accessing without proper authorization, electronic communications in the form of data, telephone conversations, or email, while such communication is in transit, stored in a computer, or being made (Bureau of Justice Assistance, n.d.). The BI unit may be criminally liable under the ECPA if there is evidence to indicate that the division maintained surveillance over emails of other companies with the aim to gather intelligence.

Besides the risk of criminal liability as provided in statute, it may also be prudent to assess the companys risk of legal action based on the tort of negligence. Investigators could make use of several laws and court cases in justifying legal action based on negligence from the information provided in the case study. In the case of Raleigh vs Performance Plumbing and Heating 130 P.3d 1011,1015 (Colo. 2006), the court held that for a negligence claim to succeed, the defendant must prove four elements of negligence by a preponderance of the evidence and the extent of their damages. The court identified the four elements as: duty, causation, breach, and damages (Scordato, 2022). The defendant must owe a legal duty of care to the plaintiff (duty), which they failed to fulfil (breach), causing (causation) harm or injury to the plaintiff (damages).

The California Supreme Court, in Brown vs USA Taekwondo (2021) set a standard that courts could use to determine whether...

In the courts view, the plaintiff must prove that the parties share a special relationship that gives rise to a reasonable duty of care and that the defendants failure to act reasonably resulted in a foreseeable injury (Scordato, 2022). The foreseeability requirement is satisfied if the plaintiff can demonstrate that the possibility of danger resulting from the defendants actions was apparent and reasonably foreseeable (Scordato, 2022).

In determining whether a breach of duty occurred, Judge Learned Hand, in United States vs. Caroll Towing 160 F.2d 482 (2d Cir. N.Y. Mar. 17, 1947) established the Hand formula, which determines whether a breach exists using the relationship B < PL, where B is the burden of acting reasonably, P is the probability of loss, and L is the extent of loss suffered by the plaintiff (Legal Information Institute, n.d.). A breach exists when B is less than the product of the probability of injury and the extent of loss (Legal Information Institute, n.d.).

Besides...

…access by infringing on the databases of other divisions. As a consequence of this non-compliance, employees are able to access sensitive and proprietary information outside their division. There is also evidence of non-compliance with The Electronic Communications Privacy Act (ECPA), which prohibits individuals from accessing without proper authorization, electronic communications in the form of data, telephone conversations, or email. The investigation reveals that the companys employees use tools that violate the ECPA by monitoring clients emails and other forms of electronic communication with the aim of gathering intelligence. There is also evidence of non-compliance with the Sarbnes-Oxyley Act, which prohibits public officers from misrepresenting financial information. The investigation points to cases of employees using fictitious clients to inflate sales revenues to mislead customers, shareholders, and internal stakeholders. At the same time, the company is at risk of legal action based on the tort of negligence, resulting from employees failure to exercise reasonable duty of care owed to the company.

The company could address most of its non-compliance issues by strengthening its internal controls and increasing oversight over internal activities taking place on the network. There is a need for increased monitoring of activities on user accounts and regular audits into client databases to minimize the risk of fraud. The companys senior management could play a more active role in compliance by demanding regular accurate reports from IT security staff and engaging external auditors to regularly carry out inspections and assessments to identify potential areas of non-compliance before they escalate. There is also a need to invest in a Chinese wall methodology and ensure strict adherence to the principle of least privilege as a means to safeguard sensitive client information by ensuring that such information is segregated from each other. Finally, the compan could strengthen its oversight procedures by establishing policies that bar…