Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Identity theft, credit card fraud and sabotage — these are just a few of the crimes occurring many times over, every day in the computer networks of corporate America. For reasons ranging from displeasure to greed, some employees use the vast databases and computer technology of their employers to engage in criminal enterprises. Undetected, these employees cost corporations millions in lost work time, revenue and restoration of damaged systems. But general counsel can help prevent problems and limit a corporation’s exposure to potential legal liability by following some fairly simple steps. Often when computer crimes are mentioned, we think of “hackers” — those who break into computer systems from the outside. The truth is that approximately 80 percent of corporate computer crimes are inside jobs, committed by employees with free access to sensitive information on a daily basis, according to InterGov, an international organization that works with police agencies to combat cybercrime. And, according to InterGov, these crimes cause an average loss of about $110,000 per corporate victim. Corporate computer crimes generally fall into two categories: those where the computer is the target of the crime and those where the computer is the tool of the offense. Prosecutions of crimes in both of these categories headline the news daily. Examples range from stories detailing how employees use financial and other personal information housed on their employers’ computer systems to open fictitious credit card accounts to stories about disgruntled employees unleashing viruses or formatting hard drives to thwart company business. CHANGING LEGAL LANDSCAPE The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. �1030, was the first truly comprehensive federal computer crime statute. The act describes various computer crime offenses that can be federally prosecuted. These include intentionally accessing a computer without authorization or exceeding authorized access to obtain financial and credit card information, as well as obtaining any information from any protected computer if the conduct involved an interstate or foreign communication. The scope of the CFAA is extremely broad, considering that use of computer information usually involves an interstate or foreign communications and most computer systems are deemed “protected” by the corporations that they service. The CFAA does not include provisions for holding corporations liable for crimes committed by their employees. However, the United States’ signature on the Treaty on Cyberspace could bring about legislation holding corporations responsible for the acts of employees engaging in computer crimes. On Nov. 17, 2003, President George W. Bush transmitted the Council of Europe Convention on Cybercrime to the Senate for ratification. According to the letter the president sent to the Senate, the Treaty on Cybercrime “promises to be an effective tool in the global effort to combat computer-related crime.” But it could place more burdens on corporations and in-house counsel to ensure their networks can’t be commandeered for criminal use. The treaty requires its signatories to take steps to ensure that a corporate entity can be held responsible for cybercrimes committed by its employees. Two conditions must exist before the corporation can be held responsible. First, there must be a lack of supervision that made the commission of the crime possible. Second, the commission of the crime must benefit or be intended to benefit the corporate entity. It will be interesting to see the development of the legislation that will implement these treaty provisions. Statutory definitions for “lack of supervision” and “benefit of the entity” will provide the framework for corporate liability in this area. PROTECTING THE NETWORK The first step in keeping a computer network from being the source of criminal activity is to develop a plan to prevent abuse. This sounds simple, but in reality it can be quite difficult since, no matter how advanced a computer system may be, it still needs the human touch to put the technology to work. Insider attacks often pose a larger threat than hackers do, because the attackers have direct access to many critical systems, usually via their own password or that of a colleague. In addition, employees often are familiar with existing security weaknesses present in the system. Start with limiting access to critical applications by re-evaluating the quantity of people who really need the information that is available on the system. Next, consider one of the many security products that can be installed on a computer system to detect insider abuse. Most of the these products collect information from log files on the server, applications and other devices such as firewalls and routers, then perform analytical measures to pinpoint problems. A simple Internet search for “software security products” will lead to a host of vendors that provide such products. If, even after taking all the appropriate steps to protect the computer system from being either the target or tool of criminal activity, it’s discovered that an employee has been up to no good, take immediate steps to limit the potential for criminal liability on the part of the corporation. These steps will include determining whether the corporation contributed, in some way, to the criminal activity through some omission in the security process. Also, determine if the corporation benefited, directly or indirectly, in any way from the employee’s activity. It’s a good idea to consult with outside counsel specializing in white-collar crime to determine a company’s potential exposure in a criminal investigation, even if that investigation seems to focus on the actions of an individual employee. Tom Mills is a partner in and Teresa Cain is an associate with Mills & Williams in Dallas. The firm’s practice includes white-collar and other criminal-defense cases, as well as civil trial work related to criminal law issues. If you are interested in submitting an article to law.com, please click here for our submission guidelines.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.