Shawn E. Tuma 2017-12-20 04:56:36
New Texas Cybersecurity Laws

This update addresses two laws enacted by the Texas Legislature during its most recent session that went into effect on September 1, 2017.

The Texas Cybercrime Act, or HB 9, amended the criminal version of Texas’ “hacking” law, the Breach of Computer Security, or BCS,[1] section of the Texas Penal Code to ensure that the methods of cyberattacks criminals currently use are understood to be prohibited by the statute. Ransomware, malware, and direct denial of service attacks are now specifically prohibited by the BCS. While this author believes these acts were already illegal under Texas’ prior version of the BCS and the federal Computer Fraud and Abuse Act,[2] both of which are unauthorized access laws, having a belt and suspenders never hurts.

The Texas Cybersecurity Act, or HB 8, applies to state agencies and compels them to make cybersecurity a top priority. This law places significant and much-needed cybersecurity requirements on state agencies that will help them better defend against cyberattacks and be in a much better position to respond should they occur. Examples include required risk assessments, cyberrisk management planning, vulnerability and penetration testing, and incident response planning.

Employee Theft of Data Violates Texas “Hacking” Law

In Merritt Hawkins & Associates, L.L.C. v. Gresham,[3] the 5th Circuit Court of Appeals upheld a jury’s verdict finding that an employee’s actions violated the Harmful Access by Computer Act,[4] or HACA, where, before leaving his employment, the employee accessed his employer’s computer network, copied proprietary files, and deleted files in an effort to hide his activities. While the court did not explain its reasoning, an employee violates Texas’ “hacking” law, HACA,[5] by accessing the employer’s computer system without its “effective consent” and taking data to use for non-company business-related purposes. A lack of effective consent can mean using the computer system (a) for a purpose other than that for which consent was given, (b) in violation of a clear and conspicuous prohibition, or (c) in violation of an express agreement, inter alia.

Insurance Coverage for Social Engineering Requires Specialized Policy

In Apache Corp. v. Great American Insurance Co.,[6] the 5th Circuit Court of Appeals found that losses stemming from social engineering scams like the business email compromise are not covered by computer fraud provisions of commercial crime insurance policies. Here, scammers pretended to be a vendor of Apache and called one of its employees in the accounts payable department to advise that they were changing bank accounts, then followed up the call with an email (on the purported vendor’s letterhead) to the employee advising of the new bank wiring instructions. After receiving this confirming email, Apache sent $7 million to the fraudsters (all but $2.4 million was recovered). Apache made an insurance claim under the “Computer Fraud” provision of its commercial crime insurance policy, premised on the argument that the email caused the transfer of the funds. This provision covered losses “resulting directly from the use of any computer to fraudulently cause a transfer” of funds. Rejecting this argument, the court found that the use of the email was incidental to the transfer.

Honorable Mentions

All Texas businesses should pay close attention to the New York State Department of Financial Services’ Cybersecurity Regulation that went into effect in March 2017 and the European Union’s General Data Protection Regulation that goes into effect in May 2018.

Notes

1) Tex. Penal Code § 33.02, et seq.
2) 18 U.S.C. § 1030, et seq.
3) No. 16-10439, 2017 WL 2662840 (5th Cir. June 21, 2017).
4) Tex. Civ. Prac. & Rem. Code § 143.001, et seq.
5) Tex. Civ. Prac. & Rem. Code § 143.001, et seq.
6) 662 Fed.Appx. 252 (5th Cir. Oct. 18, 2016).

SHAWN E. TUMA is a cybersecurity lawyer who helps solve problems with issues involving cybersecurity, data privacy, computer fraud, and intellectual property law. Tuma is a frequent author and speaker on these issues and has used social media to help build his practice. He is a partner in Scheef & Stone, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.
Published by State Bar of Texas.
This page can be found at http://mydigimag.rrd.com/article/Cybersecurity+and+Data+Privacy+Law/2967547/463027/article.html.