Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Identity theft, credit card fraud, and sabotage � these are just a few of the crimes occurring many times over, every day in the computer networks of corporate America. For reasons ranging from displeasure to greed, some employees use the vast databases and computer technology of their employers to engage in criminal enterprises. Undetected, these employees cost corporations millions in lost work time, revenue, and restoration of damaged systems. But general counsel can help prevent problems and limit a corporation’s exposure to potential legal liability by following some fairly simple steps. Often when computer crimes are mentioned, we think of hackers � those who break into computer systems from the outside. The truth is that approximately 80 percent of corporate computer crimes are inside jobs, committed by employees with free access to sensitive information on a daily basis, according to InterGov, an international organization that works with police agencies to combat cybercrime. And, according to InterGov, these crimes cause an average loss of about $110,000 per corporate victim. Corporate computer crimes generally fall into two categories: those where the computer is the target of the crime and those where the computer is the tool of the offense. Prosecutions of crimes in both these categories headline the news daily. Examples range from articles detailing how employees use financial and other personal information housed on their employers’ computer systems to open fictitious credit card accounts to articles about disgruntled employees unleashing viruses or formatting hard drives to thwart company business. CHANGING LEGAL LANDSCAPE The Computer Fraud and Abuse Act, 18 U.S.C. �1030, was the first truly comprehensive federal computer crime statute. The CFAA describes various computer crime offenses that can be federally prosecuted. These include intentionally accessing a computer without authorization or exceeding authorized access to obtain financial and credit card information, as well as obtaining any information from any protected computer if the conduct involved an interstate or foreign communication. The scope of the act is extremely broad, considering that use of computer information usually involves an interstate or foreign communication and most computer systems are deemed “protected” by the corporations that they service. The CFAA does not include provisions for holding corporations liable for crimes committed by their employees. However, the United States’ signature on the Treaty on Cyberspace could bring about legislation holding corporations responsible for the acts of employees engaging in computer crimes. On Nov. 17, 2003, President George W. Bush transmitted the Council of Europe Convention on Cybercrime to the Senate for ratification. According to the president’s letter to the Senate, the treaty on cybercrime “promises to be an effective tool in the global effort to combat computer-related crime.” But it could place more burdens on corporations and in-house counsel to ensure their networks can’t be commandeered for criminal use. The treaty requires its signatories to take steps to ensure that a corporate entity can be held responsible for cybercrimes committed by its employees. Two conditions must exist before the corporation can be held responsible. First, there must be a lack of supervision that made the commission of the crime possible. Second, the commission of the crime must benefit or be intended to benefit the corporate entity. It will be interesting to see the development of the legislation that will implement these treaty provisions. Statutory definitions for “lack of supervision” and “benefit of the entity” will provide the framework for corporate liability in this area. PROTECTING THE NETWORK The first step in keeping a computer network from being the source of criminal activity is to develop a plan to prevent abuse. This sounds simple, but in reality can be quite difficult because no matter how advanced a computer system may be, it still needs the human touch to put the technology to work. Insider attacks often pose a larger threat than hackers do because the attackers have direct access to many critical systems, usually via their own password or that of a colleague. In addition, employees often are familiar with existing security weaknesses present in the system. Start with limiting access to critical applications by re-evaluating the quantity of people who really need the information available on the system. Next, consider one of the many security products that can be installed on a computer system to detect insider abuse. Most of these products collect information from log files on the server, applications, and other devices such as firewalls and routers, then perform analytical measures to pinpoint problems. A simple Internet search for “software security products” will lead to a host of vendors that provide such products. If, even after taking all the appropriate steps to protect the computer system from being either the target or tool of criminal activity, it’s discovered that an employee has been up to no good, take immediate steps to limit the potential for criminal liability on the part of the corporation. These steps will include determining whether the corporation contributed, in some way, to the criminal activity through some omission in the security process. Also, determine if the corporation benefitted, directly or indirectly, in any way from the employee’s activity. It’s a good idea to consult with outside counsel specializing in white collar crime to determine a company’s potential exposure in a criminal investigation, even if that investigation seems to focus on the actions of an individual employee. Tom Mills is a partner and Teresa Cain is an associate at Mills & Williams in Dallas. The firm’s practice includes white collar and other criminal defense cases, as well as civil trial work related to criminal law issues. This article first appeared in the American Lawyer Media newspaper Texas Lawyer.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.