Yale e-Spy

New Jersey Law Journal August 2, 2002

Copyright 2002 NLP IP Company - American Lawyer Media
All Rights Reserved.
New Jersey Law Journal

August 2, 2002

LENGTH: 1203 words

HEADLINE: Spying on Corporate Spies
Princeton-Yale Web-hacking scandal is latest target for growing breed of lawyer-sleuths

BYLINE: By Charles Toutant

One Ivy League university accuses another of cyberfraud and identity theft, and among the confidential records intercepted are those of the U.S. president's fashion-model niece.

It sounds like a plot from the kind of novel that bookstores consign to the markdown bin, but attorney William Maderer is untangling just such a tale.

Maderer, of Newark's Saiber, Schlesinger, Satz & Goldstein, was hired by Princeton University to investigate the entry into a Yale University admissions database from Princeton computers.

He arrived on campus July 26 to find out "what happened, why it happened and who was involved," says Princeton president Shirley Tilghman, adding that Maderer has no previous ties to the university. The FBI is conducting its own investigation into possible unauthorized access into a Web site that Yale established to inform applicants whether they won acceptance to the school.

Princeton's assistant director of admissions, Stephen LeMenager, told the Yale Daily News that he accessed student information from the Yale site by inputting names and social security numbers obtained from applications to Princeton. Among those browsed were Ara Parseghian, the grandson of the former football coach at Notre Dame University, and Lauren Bush, the fashion-model daughter of President Bush's brother, Neil.

It's becoming a common practice for companies or institutions under investigation - especially in the post-Enron era - to hire their own, internal sleuths. The purpose is to create an objective record of what happened to help the corporation plan a remedial course of action.

Maderer typifies the in-house shamus: a former assistant U.S. attorney who specializes in white-collar criminal defense and employment law.

Princeton has instructed Maderer to keep a tight lip about his work, but other lawyers who conduct internal corporate probes say the task involves altering the traditional attorney-client relationship.

Edwin Stier, whose firm, Stier, Anderson & Malone in Skillman, conducts independent investigations for corporations, universities and government agencies, says that the key to success is an unfettered hand. Stier, a former assistant state attorney general who was director of the Division of Criminal Justice from 1977 to 1982, says he insists that the attorney-client privilege be waived. What's more, Stier typically arranges to share all his findings with the relevant government agency.

Stier won't even take the job if all the client wants to do is prepare for litigation. "We're not acting as an advocate for the client, we're acting as a fact finder for the client," he says. "The overriding interest is that the client wants to demonstrate that it wants to be honest about the problem."

To ensure its integrity, an investigation should also include an exhaustive documentation of data, such as transcripts of interviews, to avoid manipulation through selective presentation of data, and a report with specific citations in that data to support conclusions reached, says Stier. The firm's report does not reach legal conclusions about liability but offers factual conclusions based on appropriate standards of conduct.

Once the report is complete, his firm does not represent the client in any other capacity, in order to avoid a conflict that would compromise the investigation, he says.

Stier says that when his firm was founded in the early 1980s, many potential clients didn't understand the concept his firm offered. "Now there's a much better understanding of it, given the issues that have been raised publicly. I think the market [for business investigations] is going to grow, and I'm seeing indications of that."

LeMenager has hired Brian Neary, a solo practitioner in Hackensack, to defend him. Neary, a former first assistant Bergen County prosecutor and former president of the Association of Criminal Defense Lawyers-New Jersey, did not return calls.

LeMenager's motivation for breaking into a rival university's database would be the first thing that Jack Mattera, a computer security consultant for The Intelligence Group of Far Hills, would want to ask him about. Mattera says an investigator would try to determine how much a hacker gained, if anything, because that's something crucial to a criminal prosecutor's determination of whether charges should be brought.

Mattera, who was an investigator with the U.S. Treasury Department and a special agent with the State Department's Diplomatic Security Service, frequently hears from companies seeking to assess an employee's computer-related misconduct.

He faults Yale for designing a Web site that reveals sensitive information upon production of a Social Security number, instead of a password. Social Security numbers aren't secure; thieves can get them easily from discarded mail.

For Donald Belsole, the primary question is, what's the value of the losses suffered by Yale and the students? Putting a dollar amount to those losses would help determine the existence of criminal liability, says Belsole, who was director of the state Division of Criminal Justice from 1986-89 and First Assistant Attorney General from 1983-89.

Belsole, of Morristown's Belsole & Kurnos, suggests an investigator would want to compare the administrator's alleged actions with offenses listed in fraud statutes. To assess the crime's degree might require examining the commercial advantage enjoyed by Princeton if the students chose to enroll there instead of Yale, he says. How best to assess the loss incurred by the students, however, is unclear, says Belsole.

Help with assessment of losses has arrived, in the form of the post-Sept. 11 anti-terrorism measures known as the USA Patriot Act, says Rod Dixon, a visiting assistant professor at Rutgers-Camden School of Law. The law codifies case law that established a mechanism for determining the value of data stolen from computer networks and sets a $5,000 threshold for charges to be filed.

Since that threshold is low, the U.S. government might use the Princeton-Yale case to test the Patriot Act, says Dixon, who teaches computer law courses at Rutgers-Camden.

"Although the law in this area is evolving and is not well developed, this might be the perfect time to assess whether accessing a database by an unauthorized person is actionable under the Patriot Act," Dixon says.

Dixon agrees with Mattera that Yale could theoretically be liable to applicants claiming there was inadequate security at Yale's newly established admissions decision Web site. Dixon says that might lead Yale to "back off" on its case against Princeton and LeMenager.

Jonathan Bick, an Internet lawyer who is of counsel to Roseland's Brach Eichler, disagrees, saying security measures need not be foolproof and that the mens rea of the alleged intruder would determine his guilt. If he were investigating the Princeton caper, Bick says, his first question would be to find out what guidance the university gave its employees about computer use. As with sexual harassment, employers are protected from computer-related misconduct by their staff if they have clearly delineated computer use policies that are backed up by annual seminars.