Identity theft, credit card fraud and sabotage are just a few of the crimes occurring many times over, every day inside the computer networks of corporate America. For reasons that range from displeasure to greed, some employees use the vast databases and computer technology of their employers to engage in criminal enterprises. Undetected, these employees cost corporations millions of dollars in lost work time, revenue and restoration of damaged systems. But general counsel can help prevent problems and limit a corporation’s exposure to potential legal liability by following some fairly simple steps.

Often when computer crimes are mentioned, we think of hackers — those who break into computer systems from the outside. The fact is that about 80 percent of corporate computer crimes are inside jobs, committed by employees with free access to sensitive information on a daily basis, according to InterGov, an international organization that works with police agencies to combat cybercrime. These crimes cause an average loss of about $110,000 per corporate victim, says InterGov.

Corporate computer crimes generally fall into two categories: those where the computer is the target of the crime and those where the computer is the tool of the offense. Prosecutions of crimes in both of these categories show up daily in news headlines. Examples range from employees who use financial and other personal information housed on their employers’ computer systems to open fictitious credit card accounts to disgruntled workers who unleash viruses or format hard drives to thwart company business.

The federal Computer Fraud and Abuse Act, 18 United States Code § 1030, was the first truly comprehensive federal computer crime statute. The act, also known as CFAA, describes various computer-related crimes that can be federally prosecuted.
These include intentionally accessing a computer without authorization or exceeding authorized access to obtain financial and credit card information, as well as obtaining any information from any protected computer if the conduct involved an interstate or foreign communication. The scope of the CFAA is extremely broad, considering that use of computer information usually involves interstate or foreign communications and that most computer systems are deemed “protected” by the corporations that they service.

The CFAA does not include provisions for holding corporations liable for crimes committed by their employees. However, the United States’ signature on the Treaty on Cyberspace could bring about legislation holding corporations responsible for the acts of employees engaging in computer crimes. In November, President Bush transmitted the Council of Europe Convention on Cybercrime to the Senate for ratification. According to a letter sent by Bush to the Senate, the Treaty on Cybercrime “promises to be an effective tool in the global effort to combat computer-related crime.” But it could place more burdens on corporations and in-house counsel to ensure their networks cannot be commandeered for criminal use.

The treaty requires its signatories to take steps to ensure that a corporate entity can be held responsible for cybercrimes committed by its employees. Two conditions must exist before the corporation can be held responsible. First, there must be a lack of supervision that made the commission of the crime possible. Second, the commission of the crime must benefit or be intended to benefit the corporate entity. It will be interesting to see the development of the legislation that will implement these treaty provisions. Statutory definitions for “lack of supervision” and “benefit of the entity” will provide the framework for corporate liability in this area.
The first step in keeping a computer network from being the source of criminal activity is to develop a plan to prevent abuse. This sounds simple, but can be quite difficult since, no matter how advanced a computer system may be, it still needs the human touch to put the technology to work. Insider attacks often pose a larger threat than those perpetrated by outside hackers because the attackers have direct access to many critical systems, usually via their own password or that of a colleague. In addition, employees often are familiar with existing security weaknesses present in the system.

Start by limiting access to critical applications. If necessary, evaluate the number of people who really need the information that is available on the system. Next, consider one of the many security products that can be installed on a computer system to detect insider abuse. Most of these products collect information from log files on the server, applications and other devices such as firewalls and routers, and then analyze it to pinpoint problems. A simple Internet search for software security products will lead to a host of vendors that provide such products.

If, even after taking all the appropriate steps to protect the computer system from being either the target or tool of criminal activity, it’s discovered that an employee has been up to no good, take immediate steps to limit the potential for criminal liability on the part of the corporation. These steps will include determining whether the corporation contributed in some way to the criminal activity through an omission in the security process. Also, determine if the corporation benefited in any way, directly or indirectly, from the employee’s activity. Finally, it’s a good idea to consult with outside counsel specializing in white-collar crime to determine a company’s potential exposure in a criminal investigation even if that investigation seems to focus on the actions of an individual employee.

Tom Mills is a partner at Mills & Williams in Dallas, Texas, which specializes in white-collar and other criminal defense work. Teresa Cain is an associate at the firm.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.