Cyberbullying. Employer social media password requests. Crowdfunding. Those were some of the hot tech topics that the Hawai‘i State Legislature grappled with this session. (See my post on Internet related legislative proposals in the 2013 session). The bills addressing those topics didn’t pass, however. In fact, none of the bills listed in my chart of Internet Related Legislative Proposals survived. The closest to passing, perhaps, were two bills prohibiting employer requests to employees to disclose their personal social media account information, but the bills got stuck in committee.
That’s not to say that the 2013 session was completely devoid of tech. I’ve prepared a chart of all the bills related to electronic, digital, and information technology that the Hawai‘i State Legislature passed this session. (Many thanks to the Legislative Reference Bureau for providing the summaries that are incorporated into the chart). Governor Neil Abercrombie has already signed some of the bills into law. Others are pending a decision from the Governor. To summarize, the legislature this year addressed:
- Adoption of the Uniform Electronic Legal Material Act
- Portable electronics insurance
- Clarification of relationship between Uniform Commercial Code Article 4A and Electronic Fund Transfer Act
- Licensing requirements for telemedicine practitioners employed by the U.S. Department of Defense
- Duties of the State Chief Information Officer
- Electronic posting of reports of Department of Health inspection of state licensed care facilities
- Availability of State open data
- Approval of broadband related permits
- Tax credits for film and digital media industry
- Ban on use of mobile electronic devices while operating a motor vehicle
For summaries of all the bills that passed this session, read the full LRB report. For even more information visit the Legislature’s website for the full text of bills, committee reports, and testimony. I’ll update the chart after the Governor’s veto deadline has passed, so check back in a while.
Now that the 2013 legislative session in Hawai‘i is in full swing, let’s take a look at what new measures are in the pipeline to regulate Internet activity. A chart of relevant information about each bill is available here. Here’s a summary of the Internet-related proposals working their way through the legislature.
Social Media and Internet Account Passwords
A set of bills (SB207 and HB713) proposes to join other states in banning employers from asking employees or job applicants to disclose the passwords to their personal social media accounts. Another set of proposals (HB1104 and HB1023) would extend the ban to educational institutions and their students or prospective students.
Three bills (HB1226, SB525, and HB397) would require the board of education to adopt various policies and programs to combat cyberbullying in public and charter schools.
Apparently responding to incidents in which teachers and students conducted inappropriate relationships online, HB678 would allow a teacher in a public or charter school to engage in electronic communication with a student (including cell phone calls) only on Department of Education networks and systems.
SB325 would require businesses to implement a comprehensive, written policy and procedure to prevent identity theft and train all employees in implementation of the same.
HB462 would establish a statewide cybersecurity council to identify and assess critical computer infrastructure, identify cybersecurity “best practices,” recommend incentives for voluntary adoption of such best practices, evaluate the efficacy of such practices, and report annually to the legislature.
We’ll be tracking these bills, reporting on their status periodically, and posting revisions to the chart. Stay tuned!
A round-up of recent developments in CFAA litigation is in order. In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a CFAA claim under the Computer Fraud and Abuse Act (CFAA). The recent cases address three general questions:
1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?
2. What computers are subject to the protections of the CFAA?
3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?
What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?
The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.” Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases. The recent cases are no exception. The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.
Downloading Information From a Publicly Accessible Website
Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012). The case involved two competing business that offered online access to college catalogs. One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegSource’s digital archive of the school’s course catalogs. The link could be inserted into the school’s homepage. If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that they were leaving the school’s web domain. Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.
The defendant (AcademyOne) maintained an online course description database. To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet. AcademyOne’s contractor obtained over 700 catalogs through CataLink.
Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information
Asking others to get you information that you’re not entitled to have will get you in trouble. In Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company. Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.
Hacking Into an Employees’ Email Account
This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA. The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account. The wrongfulness of the act was undisputed. The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).
What constitutes a “protected computer”?
Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions. A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA. A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….” 18 U.S.C. § 1030.
In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce. If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.
What “losses” count toward meeting the standing requirement?
A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA. 18 U.S.C. § 1030(g). One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000. § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.
The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.” To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in CFAA violation. Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation. So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued. The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed. The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.
In regards to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act. Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.