Sentencing of Keys, Responsible for 2010 LA Times Data Breach, Should Remind Companies to Fortify Cybersecurity and Plan Response to Breaches

 
May 13, 2016

A federal judge in California recently sentenced a former employee of KTXL Fox40, a Tribune Company-owned television station, to two years in prison for three felony convictions relating to his assistance to the “hacktivist” group Anonymous in accessing and changing content on the Los Angeles Times’ (“LA Times”) website in 2010.1 This incident should remind companies of the need to implement effective cybercrime prevention strategies. 

Federal prosecutors proved at trial that in December 2010, a month after Matthew Keys’ argument with his boss led to his departure from KTLX Fox40, Keys shared log-in credentials with members of Anonymous that he obtained while employed by Tribune Co., owner of the LA Times.2 Anonymous used Keys’ credentials to access the LA Times’ website and make edits to a news article.3 Evidence also showed that Keys repeatedly accessed his former employer’s content management system to disrupt Tribune Co. work, including sending anonymous emails criticizing KTLX Fox40 and suggesting that proprietary information was not secure.4 Prosecutors argued that Tribune Co. spent more than $900,000 gauging the damages caused by the security breach and securing its system. Testimony showed that Tribune Co. employees, upon discovering Anonymous’ online edits, “spent an urgent night searching for and deactivating unauthorized credentials” and resetting all network passwords.5 After the breach, Tribune Co. investigated the extent of the unauthorized intrusion, which was not immediately clear, and how it happened. This investigation required review of “literally hundreds of servers with thousands of pages and archives and things of that nature,” and took more than a month to complete.6 

For Keys’ involvement in facilitating the security breach, the jury convicted him of three felony counts: conspiracy to cause damage to a protected computer, transmission of malicious code, and attempted transmission of malicious code.7 In addition to the two-year prison sentence, Judge Kimberly J. Mueller sentenced Keys to two years of supervised release.8 

Increased Federal Resources Allocated to Cybersecurity Includes Federal Prosecutors Increasingly Prosecuting Individuals Responsible for Data Breaches at American and Multinational Companies 

The federal government’s aggressive approach to prosecuting Keys is representative of a recent trend in which federal resources are steered toward cybersecurity issues, and federal prosecutors forcefully prosecute crimes relating to corporate data breaches. 

In December 2014, the Department of Justice’s (“DOJ”) Criminal Division created the Cybersecurity Unit to “bring [cybercriminal] perpetrators to justice while also protecting the privacy of every day Americans.”9 In April 2015, the Cybersecurity Unit issued a summary of “Best Practices for Victim Response and Reporting of Cyber Incidents,” to “assist organizations in preparing a cyber incident response plan and . . . respond[ing] to a cyber incident,” and which included a “Cyber Incident Preparedness Checklist.”10 Among other suggestions, the DOJ recommends that organizations “have a plan in place . . . before an intrusion occurs,” and retain outside counsel specializing in the legal questions that inevitably arise in connection with data breaches.11 

The DOJ’s focus on cybersecurity is also reflected in its recent prosecutorial record. In September 2015, for example, the DOJ announced that a Russian national had admitted to participating in a hacking and data breach scheme that attacked corporate networks and compromised credit card numbers.12 Corporate victims of the breach included well-known companies from a number of different industries. Two months later, the DOJ announced the indictment of four individuals alleged to have participated in a scheme to steal the private information of tens of millions of customers of U.S. companies.13 

Companies Must Seek to Secure Private Data, But Be Prepared to Respond to Data Breaches 

The DOJ’s recent focus on cybersecurity makes clear that companies must acknowledge the significant threat cybercriminals pose to the security of their, and their clients’ and customers’, data, and should establish rigorous procedures to prevent cybercrime. That Keys was fired by Tribune Co. shortly before engaging in the unlawful conduct is a reminder that one category of individuals against whom companies must secure their systems is their own disgruntled employees, as well as former employees who retain access to those systems after their employment ends.14 

Furthermore, companies would be wise to implement procedures to identify and quickly respond to breaches if they occur (including conducting internal investigations to understand the scope of the breach and how it was achieved, and to identify the location and/or identities of the culprits), and, where appropriate, disclose the information and findings to the applicable regulatory and prosecutorial agencies. Indeed, companies attacked by cybercriminals may have an obligation to report cybercrime.15 Having established robust procedures to prevent and respond to cybersecurity threats helps companies protect private information, as well as demonstrate to regulators and prosecutors the significant efforts made to do so. 

Footnotes 

1) DOJ Press Release, “Former Fox40 Web Producer Sentenced to Prison for Attack on Media Sites,” April 13, 2016
2) Id.
3) Id.
4) Id.
5) Id.
6) Id.
7) DOJ Press Release, “Jury Convicts Former Fox 40 Web Producer for Conspiring to Hack into and Alter Los Angeles Times Servers,” October 7, 2015
8) Suevon Lee, “Ex-Reuters Editor Gets 2 Years For LA Times Hack,” Law360, April 13, 2016
9) Cybersecurity Unit, Department of Justice
10) DOJ Cybersecurity Unit Guidance Document, “Best Practices for Victim Response and Reporting of Cyber Incidents,” April 2015
11) Id.
12) DOJ Press Release, “Russian National Admits Role in Largest Known Data Breach Conspiracy Ever Prosecuted,” Sept. 15, 2015
13) Liz Moyer, The New York Times, “Prosecutors Announce More Charges in Hacking of JPMorgan Chase
14) DOJ Press Release, “Former Fox40 Web Producer Sentenced to Prison for Attack on Media Sites,” April 13, 2016,(“‘[T]his was simply a case about a disgruntled employee who used his technical skills to taunt and torment his former employer,’ said U.S. Attorney Wagner.”)
15) See, e.g., “Enforcing Privacy Promises,” Federal Trade Commission,(“When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”); see also FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015) (affirming district court ruling that the FTC could challenge companies’ data security lapses pursuant to Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce)

Subscribe to Dechert Updates