TBJ January 2022

2021: The Year in Review

CYBERSECURITY AND DATA PRIVACY

Written by Shawn E. Tuma

New Data Breach Notification Requirements The 2021 Texas Legislature updated Texas’ data breach notification law.¹ A summary of changes to the law is available on page 720 of the September 2021 issue of the Texas Bar Journal.

Improper Use of Information Otherwise Authorized to Access Does Not Violate Federal “Hacking” Law The U.S. Supreme Court resolved a long running circuit split over the federal Computer Fraud and Abuse Act, or CFAA, in Van Buren v. United States² by narrowly construing the meaning of “exceeds authorized access.”3 A police officer who was authorized to access a computer database for law enforcement purposes used his credentials to access the database to obtain license plate information in exchange for money (i.e., non-law enforcement purposes). A jury convicted him for violating the CFAA by intentionally exceeding authorized access of a computer by using for an improper purpose the information in the particular database. The U.S. Court of Appeals for the 11th Circuit affirmed.

The Supreme Court reversed, finding that using for an improper purpose information otherwise available to an individual, that is located in an area of a computer he is authorized to access, is not exceeding “authorized access.” The court held “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off-limits to him.”⁴

City Cybersecurity Manager’s Whistleblower Claim for Reporting Non-Compliance Raised Fact Issue for Trial A city’s cybersecurity manager responded to a Texas Department of Public Safety questionnaire with information indicating the city failed to comply with federal and state requirements for maintaining computerized criminal history-related information in a secure manner. Approximately six weeks later, the manager was placed on administrative leave and subsequently terminated. The manager filed a lawsuit with whistleblower claims; the city denied, alleging he was terminated for cause, and filed a plea to the jurisdiction based on failure to follow the whistleblower procedure. The trial court denied the plea and the appellate court affirmed finding claims raised fact issues for trial.⁵

Did Uncle Have Mother’s Effective Consent to Obtain Laptop Revealing Sexual Abuse of Child? A child’s mother requested that the child’s uncle go to her home and assemble a working laptop for her to use out of a pile of non-working laptop computers. The uncle obtained several of the non-working laptops and a USB drive to use for assembling one working laptop. The uncle later discovered videos depicting abuse of the child on one of the laptops and the USB drive, which he provided to the police department. Charges were brought and the defendant moved to suppress the evidence. The trial court found the uncle had the mother’s effective consent to obtain the devices and the appellate court affirmed.⁶

Finding Child Porn on USB Drive—Is It a Violation of the Hacking Law? A mechanic discovered a USB drive containing child porn while working on a vehicle and turned it over to police. Charges were brought and the defendant moved to suppress, alleging the mechanic’s access of the USB drive was an unauthorized access of a computer in violation of Texas’ criminal “hacking law,” or breach of computer security.⁷ The trial and appellate courts determined that the USB drive was not a “computer” as defined in the statute.⁸

SHAWN E. TUMA is an attorney widely recognized in data privacy and cybersecurity law, areas in which he has practiced for over two decades. He is co-chair of the Data Privacy and Cybersecurity Practice Group at Spencer Fane and works primarily in the firm’s Collin County office.