Grant Turner

Spring 2004

Legal Issue of the 21st Century

Professor Friedman

Trouble Online and Computer Crime

MEMOGATE: PROSECUTION AND POLITICS

ISSUE 1: What if an employee accesses confidential information and documents on network drives or other computers within their own organization, which they would otherwise not be entitled to see? What if it is a governmental organization? What if the employee is a Republican Senate staffer who accessed confidential documents from Democrat Senators? All hell would break loose.

This scenario describes what has come to be known as “Memogate.” Briefly, some background facts: due to changes in network administrators and in political control of the Senate, some Republican Senate staff members were able to gain access to confidential memos on Democrat staffer computers. The reasons for this are twofold. First, several of the new staffers, those hired after 2001, were given “open” access to most locations on the Judiciary Committee computer network, whereas staffers hired before 2001 had their access restricted. Second, the staffers were curious. The Senate Sergeant at Arms (SAS) determined that a “majority of the files and folders on the server were accessible to all users on the network. Any user on the network could read, create, modify, or delete any of the files or folders within these folders.”[1] After memos were leaked to the Wall Street Journal, Democrats demanded an investigation from the Sergeant at Arms, the chief law enforcement officer of the Senate. Now that his findings show that Republican staffers did access Democrat network locations, which laws govern this situation? (Leave aside the politics of actually pressing charges.)

The Computer Fraud and Abuse Act, more specifically 18 U.S.C. § 1030(a)(2)(B), provides that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any department or agency of the United States” shall be punished. The purpose of this section is to protect the confidentiality of computer data.[2] This raises the question of whether the Republican staffers had authorization to access the Democrat network folders.

18 U.S.C. § 1030(e)(6) defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Questions remain as to whether the network locations should have been restricted, but based on the reaction of the Democrats, they obviously wanted their memos to be confidential. It's also clear from the report that very little was done by the Democrats to ensure that their information was kept confidential.

If this is the case, it would appear that the Senate is not abiding by the laws that it requires private sector companies to follow. For instance, Section 404[3] of the Sarbanes-Oxley Act states that management is responsible for “establishing and maintaining an adequate internal control structure and procedures for financial reporting.”[4] One of the major reasons for the Act was the deletion of computer records as a means of destroying evidence.[5] The SEC, in promulgating the rules to enforce the Act, said that “internal control is a broad concept that extends beyond the accounting functions of a company.”[6]

If, for example, a private or publicly held corporation were to fail to effectuate “internal controls” over its confidential data, such that the public or lower-level employees could read, create, modify, or delete any of the files or folders, it would be in violation of securities laws. Corporate officials who sign off on internal controls could be held liable for steep fines or even jail time. Network administrators could face charges as well if they failed to maintain security.

Another such law that requires tighter computer security is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires health plans, doctors, hospitals, clinics, nursing homes and other covered entities to protect the confidential health information of patients. Under 45 C.F.R. § 164.306(a), these entities must:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits,

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

45 C.F.R. § 164.312 details precisely which technical safeguards these covered entities must implement to ensure compliance.[7] Naturally, none of these requirements are actually in effect yet: the earliest compliance date is April 2005, and the date varies depending on the entity.[8]

Another such federal law is the Gramm-Leach-Bliley Act of 1999 (GLBA). This act ensures financial privacy. § 6801(a) states that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”[9] Failure to comply with these prescriptions can lead to fines or even closure of the institution.

These are Federal laws designed to ensure maintenance of security measures to protect confidential and nonpublic information. At the very least the effect of these laws forces companies to be more careful (i.e. not reckless) with their confidential and private data. If Congress wishes that its internal data remain confidential, or at least off limits to the political opposition, regardless of whether the information is truly that which could be classified as confidential, then Congress should take reasonable steps to effectuate its own internal controls.

[1] http://judiciary.senate.gov/print_testimony.cfm?id=1085&wit_id=2514

[2] http://www.usdoj.gov/criminal/cybercrime/1030_anal.html

[3] http://www.aicpa.org/info/sarbanes_oxley_summary.htm

[4] Id.

[5] See Arthur Andersen indictment claiming that an “unparalleled initiative was undertaken to destroy physical evidence and delete computer files.” http://news.findlaw.com/hdocs/docs/enron/usandersen030702ind.pdf (p. 6)

[6] 68 FR 36636, June 18, 2003

[7] 45 C.F.R. § 164.312 Technical safeguards.

    A covered entity must, in accordance with § 164.306:

    (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

    (2) Implementation specifications:

        (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

        (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

        (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

        (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

    (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

    (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

    (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

    (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

    (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

    (2) Implementation specifications:

        (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

        (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

[8] 45 C.F.R. § 164.318 Compliance dates for the initial implementation of the security standards.

    (a) Health plan.

        (1) A health plan that is not a small health plan must comply with the applicable requirements of this subpart no later than April 20, 2005.

        (2) A small health plan must comply with the applicable requirements of this subpart no later than April 20, 2006.

    (b) Health care clearinghouse. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 20, 2005.

    (c) Health care provider. A covered health care provider must comply with the applicable requirements of this subpart no later than April 20, 2005.

[9] The entire act: http://www.ftc.gov/privacy/glbact/glbsub1.htm#6801