Technology

The Computer Fraud and Abuse Act

Published on: January 23, 2023 | by Law Offices of Salar Atrizadeh

The Computer Fraud and Abuse Act (“CFAA”) amends the federal criminal code to change the scienter requirement from “knowingly” to “intentionally” for certain offenses regarding accessing the computer files of another. It revises the definition of “financial institution” to which the financial record provisions of computer fraud law apply. It applies such provisions to any financial records, including, but not limited to, those of corporations and small businesses, not just those of individuals and certain partnerships. It modifies existing federal law regarding accessing federal computers. It makes the basic offense trespass. The federal statute removes criminal liability for exceeding without the intent to defraud authorized access to a federal computer in one’s own department or agency. This law creates new federal criminal offenses of: (1) property theft by computer occurring as part of a scheme to defraud; (2) altering, damaging, or destroying information in, or preventing the authorized use of, a federal interest computer; and (3) trafficking in computer access passwords. It eliminates the special conspiracy provisions for computer crimes. These conspiracies shall be treated under the general federal conspiracy statutes. It amends penalty provisions to remove the cap on fines for certain computer crimes. Finally, it exempts authorized law enforcement or intelligence activities.

Whoever (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:

Ireland’s Data Protection Commission Fines Meta Platforms

Published on: December 19, 2022 | by Law Offices of Salar Atrizadeh

Ireland’s Data Protection Commission (“DPC”) has reached its final decision related to Meta Platforms Ireland Limited (“MPIL”) which is Facebook’s data controller in that country. The DPC announced last month that it will be imposing a fine of €265 million against the company and will issue a set of corrective measures.

The investigation was instigated last year based on reports of published personal data on the internet that Facebook controlled and managed. In fact, there was a report of a data leak involving the personal information of 533 million users around the world. The investigation started by examining and assessing Facebook’s search, messenger contact importer, and Instagram contact importer tools. The main issue was whether Facebook complied with the GDPR obligation for data protection by design and default. Therefore, the investigating body – i.e., DPC – examined the technical and organizational measures under Article 25 of the GDPR and determined that MPIL had infringed Articles 25(1) and 25(2) of the GDPR and imposed a reprimand and order compelling the company to remedy the issues within certain deadlines.

Articles 25, and its subparts, were drafted to address data protection by design and default. These articles state as follows:

CISA Releases Cloud Security Technical Reference Architecture

Published on: November 21, 2022 | by Law Offices of Salar Atrizadeh

The Cybersecurity and Infrastructure Security Agency (“CISA”) released the second version of its cloud security Technical Reference Architecture (“TRA”) several months ago. CISA is the country’s cyber defense agency that works with other interagency partners to improve cybersecurity. The purpose of the TRA is to outline the suggested approaches to data protection or cloud migration. The federal government is slowly transitioning to the cloud and the reference architecture is designed to provide guidance. The TRA also explains the considerations for shared services, cloud security posture management, and cloud migration.

It’s important to know how to securely migrate information to the cloud. There are important considerations when transferring information from one database to another one. Data migration can be a multi-faceted process that requires information evaluation. In other words, the information that is being transferred should be categorized based on its sensitivity – e.g., non-confidential, confidential, highly confidential. In that way, the data migration team can implement the necessary safeguards.

President Joseph Biden recently issued Executive Order 14028 called “Improving the Nation’s Cybersecurity” in an effort to support cybersecurity and safeguard critical infrastructures. The key points of the executive order are as follows:

Wire Fraud Laws – Part III

Published on: September 5, 2022 | by Law Offices of Salar Atrizadeh

It’s a crime when you use interstate wire communications (e.g., phone, radio, television, internet) to engage in a scheme to defraud or to obtain money by false pretenses. Wire fraud is one type of cybercrime that takes place by using technology. In most cases, the culprit uses some kind of software or hardware technology to inject him or herself into the private computer network of a third party such as an escrow/title company or financial institution. The culprit spies on the third party’s internal communications to gain access to confidential information such as bank wire instructions.

Wire fraud is similar to mail fraud except that it requires the communications to be transmitted by wire rather than conventional mail. Generally, the plaintiff must prove the existence of a fraudulent scheme, usage of wire, radio, television, or internet communications to further that scheme, and intent to commit fraud. The culprit commits the wire fraud by deceiving the victim into thinking that he or she is dealing with a legitimate party. For example, the culprit intervenes in a pending real estate transaction by using a fake email account and sends a message to instruct the victim into transferring the funds to another bank account. The victim, who has been dealing with multiple individuals (e.g., real estate agent, broker) legitimately believes that he is sending the money to the right financial institution. However, unbeknownst to the victim, the culprit’s fraudulent scheme is intended to send the funds to a different bank or financial institution.

These situations are extremely time sensitive and complicated because the victims have a limited time to determine the facts – i.e., who, what, when, where, and how the wire fraud was committed without their authorization. The victims will need to contact law enforcement agencies and a qualified lawyer who know the intricacies of these matters. The government agencies usually collaborate with the victim’s lawyer to locate and identify the culprits. These government agencies include, but are not limited to, the local police, Federal Bureau of Investigation, United States Secret Service, or United States Treasury Department. Nonetheless, a tremendous amount of time and resources are necessary to initiate and finalize the investigations.

Big Data Rules and Regulations – Part III

Published on: June 13, 2022 | by Law Offices of Salar Atrizadeh

A business organization has legal responsibilities when it comes to data access, control, and management. The government has recently issued an opinion regarding disclosure requirements for the so-called “inferred data” which comprise of internally generated inferences within the context of a consumer’s right of access request. California Civil Code Section 1798.140(v)(1)(K) defines “inferred data” as inferences drawn from a consumer’s personal information to create a profile which reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

Under California Civil Code Section 1798.110(a)(1), consumers have the right to know the specific pieces of personal information a business organization has collected about them. The California Consumer Privacy Act (“CCPA”) did not address inferred data in its provisions and only implied that businesses should disclose personal data they collected from consumers. However, the Attorney General’s Office issued Opinion No. 20-303 to address whether business organizations that are subject to the CCPA should include inferred data when a consumer submits a Data Subject Access Request (“DSAR”). In short, with limited exceptions (e.g., trade secret protection), the answer was affirmative.

The question is whether inferred data elements fall under trade secret protection rules. In his opinion, the state Attorney General stated that the CCPA only mandates a business to share the product of its internal algorithms even though the algorithms themselves are protected trade secrets. In fact, internal algorithms fall under the classic definition of trade secrets because they’re not publicly accessible to competitors, they confer a competitive advantage, their secrecy is maintained from external disclosure. See California Civil Code § 3426.1(d)(2) for more information about trade secrets. In fact, trade secrets include customer lists, processes, and software or commercial methods. It is conceivable, and probably foreseeable that, a business may withhold inferences because they’re protected trade secrets but it has the burden of proof. So, in short, a business has two options when it comes to disclosing inferred data. First, it can fulfill the DSAR according to the most recent opinion and face the risk of exposing its internal algorithm. Second, it can withhold the data inferences and face the risk of receiving a non-compliance notice from the state Attorney General’s office.

Big Data Rules and Regulations – Part I

Published on: May 9, 2022 | by Law Offices of Salar Atrizadeh

The term “big data” is generally used for the collection and analysis of a large amount of electronic data by using special and complex algorithms. The process is to analyze the correlation between large data sets which would not make sense independently. Now, another reason for its expansion is because the cost of storing data has decreased so it has become an easier process.

The problem with big data is that there isn’t a uniform set of rules or regulations that would govern the collection of electronic information. Obviously, the owners of the data sets are usually the consumers who somehow relinquish access to their information. So, privacy and security are major concerns. It’s important to realize that even if metadata (i.e., data about the data) is removed from the information, it can also reveal the user’s identity by looking at the relationship between the pieces of information. Also, it’s important to obtain consent from the users when collecting that information.

The potential privacy concerns have been addressed by using a mechanism called “differential privacy” which is when the data collector makes a promise to the data owner that he or she won’t be affected by giving access to the particular information. It is a type of mathematical guarantee of privacy to the interested party – e.g., the consumer. This type of mechanism has been used by large technology companies and government agencies. Nonetheless, with every new technology or mechanism that has been used by the private or public sector, there have been instances of state or federal litigation. For example, the State of Alabama filed a lawsuit in district court against the United States Census Bureau regarding this new mechanism’s viability. In fact, several years ago, the Obama Administration addressed this issue to minimize the privacy risks. Yet, there are many unanswered questions that should be addressed by lawmakers. For example, what are the potential harms and risks? Is there any kind of uniform law? And if not, should there be state and federal laws focusing on big data? What level of transparency should be required? What type of technological parameters should be implemented? Should we follow other countries’ rules and regulations? In response, the federal government granted an opportunity to the public to disclose their concerns. The government released a Department of Justice 2014 Report as a result of another lawsuit wherein the president was warned about the dangers of law enforcement agency’s predictive analytics. This report was in relation to the general public’s historical data and how a defendant’s actions may impact criminal history.

Corporate Cybersecurity

Published on: March 14, 2022 | by Law Offices of Salar Atrizadeh

It’s important to implement practical corporate cybersecurity measures especially in today’s volatile climate. The number of reported cyber threats are increasing as we progress and it will most likely continue on the same trajectory. All businesses and commercial enterprises are a target especially if they have access or control over valuable information such as trade secrets and intellectual properties.

The common tools or methods of infiltrating the corporation’s cybersecurity infrastructure is by using some form of malicious software (i.e., malware) that’s designed to penetrate the network and cause havoc. Malware includes viruses and ransomware. The hackers can also use other methods to infiltrate the system such as “phishing” which is usually done by sending an email to encourage the recipient to click on the link. Now, once the recipient clicks on the link or opens the attachment, the malicious software is released into the network.

It’s important to have a dedicated team of information technology experts who can evaluate the network and improve the cybersecurity measures. They can use all sorts of tools and techniques (e.g., penetration testing) to evaluate the strengths and weaknesses of the network infrastructure. It is crucial to have a “cybersecurity planning tool” to assist the company with building a robust cybersecurity strategy. There are various governmental tools and resources that the company can use to achieve this goal.

Legal Issues Of Non-Fungible Tokens

Published on: February 28, 2022 | by Law Offices of Salar Atrizadeh

Non-fungible tokens (“NFTs”) are unique digital items that have been a focus of the United States Securities and Exchange Commission (“SEC”) which is the federal government agency that enforces security regulations to protect investors. NFTs are made out of computer code and recorded on a blockchain ledger that can prove authenticity and ownership of the unique item. As such, they are not interchangeable and can be used to verify ownership of the unique item (e.g., real estate, antique car, painting).

There is argument to be made that they should be considered as commodities pursuant to the Commodity Exchange Act (“CEA”) which yields a catch-all provision for all other goods and articles. The SEC has recently focused on celebrity advertisings on the internet in an effort to encourage the purchase of stocks and other investments. It’s important to note that the advertiser must disclose the nature, source, and compensation received by the advertisement.

The most prominent case that’s applicable in the determination of whether an NFT is a security or an asset is SEC v. W.J. Howey Co., 328 U.S. 293 (1946) which set out the following test: (1) there is an investment of money or some other consideration; (2) in a common enterprise; (3) with a reasonable expectation of profits; and (4) to be derived from someone else’s efforts.

Is Non-Fungible Token a Security or Asset?

Published on: February 14, 2022 | by Law Offices of Salar Atrizadeh

A non-fungible token (“NFT”) is a non-exchangeable unit of data that is stored on a blockchain and is transferrable to another party. In short, blockchain is a type of a digital ledger. NFTs can be related to photos, videos, or audio files. NFTs are not the same as cryptocurrencies because they are uniquely identifiable. In addition, the legal rights granted by NFTs are speculative as they cannot restrict the sharing and copying of digital files and do not convey their copyrights.

The question of whether NFTs are securities or assets revolves on several issues. One issue is whether the item has been “fractionalized” to permit the sharing of its ownership with other parties. It’s important to realize that fractionalization does not make the asset into a security since it depends on its purpose. For example, if an individual decides to fractionalize a personal property to allow shared ownership, the personal property does not automatically convert to a security. As such, the NFT may not constitute a “security” just because it has increased in value. But, if the fractionalization’s purpose is to assign shares to trade in a secondary market, and to provide liquidity, then it would fall under securities laws. Therefore, the test is whether a purchaser has a reasonable expectation of profits that is derived from someone else’s efforts. See Securities and Exchange Commission v. W. J. Howey Co., 328 U.S. 293 (1946) wherein the United States Supreme Court confirmed that an “investment contract” means a contract, transaction, or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party, it being immaterial whether the shares in the enterprise are evidenced by formal certificates or by nominal interests in the physical assets employed in the enterprise.

The Securities Act of 1933 (which is codified under 15 U.S.C. §§ 77a, et seq.) defines “security” as any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security” or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.

Social Media Litigation – Part III

Published on: January 31, 2022 | by Law Offices of Salar Atrizadeh

Social media law comprises of several different components including free speech, privacy, online advertisement, and intellectual property rights. These issues come up regularly during the course of online transactions between parties. The courts have been inundated with social media litigation and have issued their rulings when faced with complicated problems.

The cases that arise on social media platforms involve state and federal laws such as the Digital Millennium Copyright Act and Communications Decency Act. In essence, these federal statutes were promulgated to protect copyrights and free speech rights.

According to the United States Copyright Office, the Digital Millennium Copyright Act (“DMCA”), which amended federal copyright laws, was passed to address important parts of the relationship between copyright and the internet. The three main updates were: (1) establishing protections for online service providers in certain situations if their users engage in copyright infringement, including by creating the notice-and-takedown system, which allows copyright owners to inform online service providers about infringing material so it can be taken down; (2) encouraging copyright owners to give greater access to their works in digital formats by providing them with legal protections against unauthorized access to their works (for example, hacking passwords or circumventing encryption); and (3) making it unlawful to provide false copyright management information (e.g., names of authors and copyright owners, titles of works) or to remove or alter that type of information in certain circumstances.