David Thaw, Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement

Comment by: Jody Blanke

PLSC 2013

Published version available here:

Workshop draft abstract:

The Computer Fraud and Abuse Act (CFAA) originally was enacted as a response to a growing threat of electronic crimes, a threat which continues to grow rapidly. Congress, to address concerns about hacking and cybercrime, criminalized unauthorized access to computer systems through the CFAA. The statute poorly defines this threshold concept of “unauthorized access,” however, resulting in widely varied judicial interpretation. While this issue is perhaps still under-examined, the bulk of existing scholarship generally agrees that an overly broad interpretation of unauthorized access — specifically one that allows private contract unlimited freedom to define authorization — creates a constitutionally-impermissible result. Existing scholarship, however, lacks workable solutions. The most notable approach, prohibiting contracts of adhesion (e.g., website “Terms of Service”) from defining authorized access, strips system operators of their ability to post the virtual equivalent of “no trespassing” signs and set enforceable limits on the (ab)use of their private property.

This Article considers an alternative approach, based on examination of what is likely the root cause of vagueness and overbreadth problems in the CFAA — a poorly constructed mens rea element.  It argues that judicial interpretation may not be sufficient to effect Congressional intent concerning the CFAA, and argues for legislative reconstruction of the mens rea requirement requiring a strong nexus between an individual’s intent and the unique computer-based harm sought to be prevented.  The Article proposes a two-part conjunctive test:  first, that an individual’s intent must not only be to engage in an action (which technically results in unauthorized access), but that the intent must itself be to engage in unauthorized access; and second, that the resultant actions must be in furtherance either of an (enumerated) computer-specific malicious action or of an otherwise-unlawful act.  While courts may be able to reinterpret the statute to accomplish the first part, this still leaves substantial potential for private agreements to create vagueness and overbreadth problems.  The second part of the test mitigates this risk, and thus Congressional intervention is required to save both the validity of the statute as well as the important protections it affords.

David Thaw, Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation

Comment by: Derek Bambauer

PLSC 2012

Workshop draft abstract:

Information security regulation of private entities in the United States can be grouped into two general categories. This paper examines these two categories and presents the results of an empirical study comparing their efficacy at addressing organizations’ failures to protect sensitive consumer information. It examines hypotheses about the nature of regulation in each category to explain their comparative efficacy, and presents conclusions suggesting two changes to existing regulation designed to improve organizations’ capacity to protect sensitive consumer information.

The first category is prescriptive legislation, which lays out performance standards that regulated entities must achieve. State Security Breach Notification (SBN) statutes are the primary example of this type, and require organizations to report to consumers breaches involving certain types of sensitive personal information. This form of legislation primarily lays out performance-based standards, under which the regulatory requirement is that entities achieve (or avoid) certain conditions. Such legislation may also lay out specific means by which regulatory goals are to be achieved.

The second category describes forms of management-based regulatory delegation, under which administrative agencies promulgate regulations requiring organizations to develop security plans designed to achieve certain aspirational goals. Two notable examples are the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act (GLBA). The Federal Trade Commission also engages in such activity reactively through its data security consumer protection enforcement actions. The regulatory requirement in this case is the development of the plan itself (and possible adherence to the plan), rather than the necessary achievement of stated goals or usage of certain methods to achieve those goals.

This paper presents the results of an empirical study analyzing security breach incidence to evaluate the efficacy of information security regulation at preventing breaches of sensitive personal information. Publicly reported breach incidents serve as a proxy for the efficacy of organizations’ security measures, and while clearly limited in scope (as noted below) they are currently the only data point uniformly available across industrial sectors. Analysis of breaches reported between 2000 and 2010 reveals that the combination of prescriptive legislation and management-based regulatory delegation may be four times more effective at preventing breaches of sensitive personal information than is either method alone.

While this method of analysis bears certain limitations, even under unfavorable assumptions the results still support a conclusion that prescriptive standards should be added to existing regulations. Such standards would abate a current “race to the bottom,” whereby regulated entities adopt compliance plans consistent with “industry-standards” but often (and in some cases woefully) inadequate to achieve the aspirational goals of the regulation. Since the conclusion of this study, there have been two notable such additions of performance-based standards: 1) the inclusion of a breach notification requirement in HIPAA, and 2) the recent promulgation of regulations by the SEC requiring publicly traded companies to report material security risks and events to investors. The results of this analysis also support the expansion of management-based regulatory models to other industrial sectors.

The second component of empirical analysis presented in this paper includes the results of a qualitative study of Chief Information Security Officers (CISOs) at large U.S. regulated entities. The interview data reveals the effects of regulation both on information security practices and on the role of technical professionals within organizations. The results of these interviews suggest hypotheses to explain both the weaknesses in compliance plan design and the proposition that, notwithstanding new performance-based standards, security conditions remain ineffective.

The first hypothesis suggests that the relative effects of prescriptive legislation and management-based regulatory delegation on the role of technical professionals in organizations explain the inability of performance-based standards fully to address information security failures. The data suggest two specific outcomes – first, that current performance-based standards weaken the role of technical professionals; and second, that management-based models of regulatory delegation strengthen professionals’ role. This result stems from reliance on technical professionals’ skill in developing compliance plans to meet management-based regulatory goals. The current model of performance-based regulation, by contrast, under which security failures are exempt from (the regulatory penalty of) reporting when the compromised data is encrypted, decreases reliance on technical skill by effectively specifying one means-based approach to “compliance.” By redirecting essentially-fixed resources to a specific means of compliance addressing only a single threat, these performance-based standards hamper the ability of CISOs adequately to address other salient threats. In this regard, SBNs effectively lock the front door to the bank while leaving the back window wide open.

The second hypothesis suggests that the lack of proactive guidance by regulators hampers the ability of CISOs to justify requests for increased resources to address vulnerabilities not covered by performance-based standards. This hypothesis answers the question of why “industry-standards” may be so ineffective at achieving the aspirational goals of the regulation. Management-based regulatory delegation models rely heavily on standards of “reasonableness,” many of which scale to the size, complexity, and capabilities of the regulated entity. Reasonableness is a well-examined concept in law, but becomes problematic in the context of a highly-technical and fast-changing regulatory environment. Regulators’ failure to provide proactive guidance regarding what constitutes reasonable security hampers the ability of CISOs to justify the need for greater resources. Combined with the “redirection” of resources to address specific compliance objectives associated with performance-based standards, these pressures cause broad-based security plans to be inadequate (either in design or implementation) at addressing the broader base of threats facing the organization. The effects of this condition are evident in the abundance of “low-hanging fruit” available to regulators – review of the Federal Trade Commission’s data security enforcement actions reveals few answers to “gray areas” of reasonableness, and many examples of security failures extreme in degree.

These findings and analysis suggest three conclusions. First, regulators should increase the use of performance-based standards, specifically standards not tied to specific means of implementation. Second, management-based regulatory models should be expanded to other industrial sectors beyond finance and healthcare, perhaps through the promulgation of proactive regulations by the FTC consistent with its history of enforcement action. Third, regulators should provide more proactive guidance as to the definition of reasonable security, so as to avoid a “race to the bottom” in the development of security plans to address management-based regulatory goals.

David Thaw, Relationship Between Regulatory Models and Information Security Practices

Comment by: Gerry Steigmaier

PLSC 2010

Workshop draft abstract:

Two models of regulation are responsible for governing virtually all private-sector information security practices in the United States. The first is industry-specific regulatory delegation, such as that found in HIPAA’s Privacy Rule and GLB’s privacy and security rules. Under this model, federal legislation requires the development of standards for information security practice and ultimately delegates the power to establish and update such standards to industry through various administrative mechanisms. The second is a paradigm in which law ties performance to reputation. This describes the data breach notification laws in effect in most states, under which whenever a firm experiences an incident in which certain information about individuals is lost, that firm must notify the affected individuals, a central state authority, and/or local media, or take other prescribed measures.

Currently only two industrial sectors – finance and healthcare – are subject to the first type of regulation. All of the current state statutes comprising the second form of regulation are laws of general applicability and thus, given the highly interstate nature of information exchange, apply to nearly all organizations in the United States. To study the effects of these forms of regulation, we employed a mixed qualitative and quantitative methods approach. We first conducted a series of two-hour semi-structured interviews of Chief Information Security Officers (or functional equivalents) at key U.S. organizations in each of the finance, healthcare, consumer products, energy, and information technology sectors. We then performed analysis on the frequency of reported breach incidents based on data maintained by the Open Security Foundation.

Our research and analysis revealed that the two forms of regulation have differential effects on information security practices. Regulatory delegation models encourage collaboration, information sharing, secure information exchange, incorporation of security into system design, and intrusion detection and other perimeter security measures. Laws linking performance to reputation, in contrast, promote good authentication and provenance, auditing, and host security/internal site security.