Friday, July 11, 2008

Lawyer Hacks Email Accounts

The West Virginia Supreme Court recently suspended a lawyer for hacking.

While this isn’t really a cybercrime case (since he wasn’t facing criminal charges), it’s still a case about hacking. And it raises some interesting legal issues . . . as well as illustrating the various motives that can drive people to do things they know they shouldn’t.

Here are the facts as set out in the Supreme Court’s opinion:

[Markins] has been a practicing attorney since October, 2001. . . . [H]e was . . . an associate . . . at the law firm of Huddleston Bolen, LLP (“Huddleston”). His wife, also an attorney, was . . . employed at the law firm of Offutt, Fisher & Nord (“OFN”). In . . . 2003, [Markins] began accessing his wife's OFN e-mail account without her . . . knowledge. . . . to secretly monitor her activities because he believed she had become involved in an extramarital affair with an OFN client. . . . [I]nitially, he improperly accessed only his wife's account and later, that of . . . an OFN partner. Eventually, . . . [Markins]. . . began accessing the e-mail accounts of seven other OFN attorneys.

Lawyer Disciplinary Board v. Markins (2008). (The testimony and evidence mentioned in the opinion were presented at an attorney disciplinary hearing held in 2007.)

His activity came to light after an OFN lawyer suspected her email had been improperly accessed. OFN hired an expert to investigate; he found Markins gained unauthorized access to the OFN email accounts “on numerous occasions from sometime prior to November 7, 2003, until March 16, 2006”. Lawyer Disciplinary Board v. Markins, supra.

At the hearing, OFN’s managing partner, D.C. Offutt, Jr., testified that while they could not view the e-mails Markins read, they could determine which accounts he accessed and when they were accessed. If an email had an attachment, they could tell if it had been opened. Lawyer Disciplinary Board v. Markins, supra. They also found that Markins had opened “confidential OFN financial information sent by the firm's chief accountant to the firm's partners by e-mail attachment”. Lawyer Disciplinary Board v. Markins, supra.
The Supreme Court summarized the scope of Markins’ intrusions as follows:
[Markins] accessed the e-mail accounts of OFN attorneys on more than 150 occasions. . . . [H]e learned personal information about certain attorneys which had been relayed confidentially. . . . OFN and Huddleston, [Markins]'s employer, represented co-defendants in a large mass tort case that was in litigation during the time period at issue. In March, 2006, [Markins] . . . was monitoring the trial from the Hampton Inn in Beckley. . . . [He] gained unauthorized access into . . . OFN e-mail accounts from the Hampton Inn's IP account. . . . Huddleston's mass tort client had . . . a claim for indemnity against OFN's client. . . .Mr. Offutt testified that information . . .in the firm's e-mail system would have been `helpful’ to Huddleston's client. However, neither Huddleston nor OFN found evidence that any information between OFN attorneys and its client in that case had been compromised.
Lawyer Disciplinary Board v. Markins, supra.

As to the effects of Markins’ email voyeurism, Mr. Offutt submitted an affidavit which explained that after his activities were reported by the press, OFN
`suffered further damage to its image and reputation .’ . . . [O]ne of the firm's clients expressed `serious concerns’ . . . about whether [Markins] . . . accessed important information concerning that client. According to Mr. Offutt, this client has put the firm on notice of a potential claim for damages against it. Mr. Offutt . . . anticipates that similar concerns will be expressed by other clients . . . and that the . . .ramifications and stigma of [Markins’] misconduct will be felt for many years. Finally, Mr. Offutt indicated that his firm suffered direct economic losses as a result of [his] actions: Mr. Offutt, along with other firm lawyers and staff, spent considerable time and resources investigating . . . the matter and were distracted by the events and their aftermath.
Lawyer Disciplinary Board v. Markins, supra.

Markins’ voyeurism had other, more personal consequences: After his wife told him someone had been breaking into OFN email accounts and the firm was investigating, Markins admitted he was responsible for the intrusions. Later, his attorney contacted OFN and told them Markins was their hacker. His admission of responsibility apparently came after their expert identified him as the person responsible for the break-ins; after OFN learned that, Offutt asked Markins’ wife if she knew he was responsible. She said she did not, though she had “just learned” of it. Lawyer Disciplinary Board v. Markins, supra.

OFN fired her and Huddleston fired Markins. Lawyer Disciplinary Board v. Markins, supra. (According to an article in the ABA Journal, he “reportedly landed” another job with a different firm, at a salary of $80,000, $2,000 more than he was making at Huddleston.)

At the disciplinary hearing, Markins claimed he never revealed, forwarded or used any information in the emails he accessed, and the court found that there was “no evidence to the contrary.” Lawyer Disciplinary Board v. Markins, supra. He also said he took full responsibility for what he had done and was remorseful. According to an article published in the ABA Journal before the Supreme Court issued its decision, Markins’ lawyer said the penalty was “very hard’” and “`excessive for the acts committed.’”

In deciding what sanction should be imposed on Markins, the court considered the factors mitigating his responsibility (notably the reason he began accessing the emails in the first place) and the aggravating factors (the fact he kept going, the scope of his intrusions and the effects it was having on OFN). It also considered the importance of sending a message:
[W]ith the widespread use of . . . e-mail as an important method of communication between . . . attorneys and their clients comes the potentiality that the communication might be improperly infiltrated. This Court does not take lightly . . . that . . . it was an attorney who repeatedly accessed the confidential e-mails of other attorneys without their knowledge. . . . [T]he imposition of a suitable sanction in a case such as this is not exclusively dictated by what sanction would appropriately punish the offending attorney but, just as importantly, this Court must ensure that the discipline imposed adequately serve as an effective deterrent to other attorneys,
Lawyer Disciplinary Board v. Markins, supra.

The Supreme Court imposed the sanctions that had been recommended by the Lawyer Disciplinary Board (which held the hearing): Markins was suspended from practicing law for 2 years; upon being reinstated, his practice would be supervised for 1 year; he had to complete 12 hours of continuing legal education in ethics before he could be reinstated; and he had to pay the costs of the disciplinary proceeding. Lawyer Disciplinary Board v. Markins, supra.

In a concurring opinion, Justice Stracher said he would have preferred sanctions that also required Markins to “make restitution for injuries that resulted from his conduct.” Justice Stracher said the Lawyer Disciplinary Board should be asked to “quantify the damages, review Mr. Markins' earnings capacity, evaluate his ability to make restitution, and recommend a payment schedule to the Court.”

This case raises two interesting issues, the first of which goes to the “harm” inflicted by what Markins did. As I’ve explained before, crimes are intended to discourage the infliction of particular type of “harm,” such as the death or injury of human beings, the theft of property and so on. As I’ve also noted before, it can be difficult to quantity or even articulate the “harm” in a cybercrime case.

This is essentially an unauthorized access to computers case. The obvious victim is OFN because they suffered “direct economic loss,” in the form of a damage suit from one or more clients plus the time and expense involved in finding out what Markins had done. Were there any other victims? Were the clients whose information was accessed improperly (but not, according to Markins, used) “harmed”? They certainly suffered a loss of confidence in their attorneys, but criminal law tends to focus on tangible “harm,” so a loss of confidence probably doesn’t quality. What about Markins’ wife? She was “harmed” by having the privacy of her emails violated and by being fired by her firm. And what about Huddleston? Was Markins’ law firm also a victim? If so, what was the “harm”?

I throw those questions out not to be annoying but to illustrate the ripple effects actions like Markins’ can have and the criminal law’s essential uncertainty as which of those effects should trigger the imposition of criminal liability.

And that brings me to the other interesting aspect of the case: As far as I can tell, Markins has not been charged with a crime, even though West Virginia has at least one criminal statute that seems like it might apply to what he did:
Any person who knowingly, willfully and without authorization accesses a computer or computer network and examines any employment, salary, credit or any other financial or personal information relating to any other person, after the time at which the offender knows or reasonably should know that he is without authorization to view the information displayed, shall be guilty of a misdemeanor, and, upon conviction thereof, shall be fined not more than five hundred dollars or confined in the county jail for not more than six months, or both.
West Virginia Code § 61-3C-12.

The attorney disciplinary proceeding would not bar criminal charges; since it’s not a criminal proceeding, the prohibition on double jeopardy would not apply.

I’m not lobbying to have Mr. Markins convicted of however many misdemeanor counts his activity might support. I’m just noting an apparently unexplored possibility . . . .

No comments: