
Geek squad vs. mod squad: Should use policy become a federal beef?

If your geek squad uncovers an employee working as an insider to obtain corporate information, should this be a crime on the federal level? In a brief recently filed in the case U.S. vs. Nosal, the Electronic Frontier Foundation (EFF) says it shouldn't:

The government claims that the violation of this private policy constitutes a violation of the Computer Fraud and Abuse Act (CFAA). Following a decision issued just last year by the U.S. Court of Appeals for the 9th Circuit, the District Court ruled against the government, holding that violations of corporate policy are not equivalent to violations of federal computer crime law.

The government appealed to the 9th Circuit.

In an amicus brief filed in the case on Tuesday, EFF argues that turning mere violations of company policies into computer crimes could potentially create a massive expansion of the CFAA, turning millions of law-abiding workers into criminals.

Perspective: Insider theft

Trade secret protections for businesses have particular limitations. The secrets must be protected and they must be labeled as sensitive to operations. Without that provision, it is hard to make theft stick – let alone intent. While the EFF is mainly concerned with the broader implications of this, known as establishing precedent, the actual events were described on this employment law site:

Prior to leaving the firm, [the defendant allegedly] stole competitively sensitive data from his employer's computer. The court rejected the defendant's argument that 'the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information.'

The court adopted Citrin, finding that 'ample authority exists to permit criminal actions to proceed based on violations of [§ 1030(a)(4)] by employees, as interpreted by civil cases, and there is simply no statutory basis to suggest otherwise.'

The court also emphasized that the defendant was wrong in 'focusing exclusively on the later misuse of information by an employee against an employer's interests,' when the 'gravamen of the charge' is that the employee accessed the computer 'with the intent to defraud.'

Thus, the critical element is that, at the time the employee accessed the company computer, he intended to use it in a fraudulent way.

Finally, Citrin is not the only circuit court decision sanctioning use of the CFAA against employees. The Third Circuit recognized that its reach includes actions against employees who steal data from their employers' computers.

It is therefore critical for employers to review and amend company rules and agreements to maximize their ability to use the CFAA.

Opinion: Mixed

I am split on this one. Insider threat is significant, with upwards of 60 to 70 percent of employees polled stating they intend to take company data with them when they leave the company. When asked to justify this position in polls, overwhelmingly they responded they did so in order to preserve their best chance of future employment.

On the other hand, giving any IT department broad sweeping powers to criminalize conduct unbecoming an employee is unnerving at best. Even with a human resources check and balance, the rights of the individual become threatened, and future employment opportunities after being a defendant in a lawsuit are limited.

What are your thoughts?
