In a recent court case, U.S. v. David Nosal, Judge Alex Kozinski ruled that the Computer Fraud and Abuse Act (CFAA), the nation’s anti-hacking law, applies to people accessing data by circumventing technological access barriers, but it does not extend to employees violating their employer’s restrictions on the use of that information. Under the new interpretation, an employee who has valid credentials to access company data and then misuses that data, however inappropriately, cannot be prosecuted under the CFAA. However, an employee who has valid credentials to access a company computer, but hacks into company data for which he does not have authorization, can be prosecuted under the CFAA.
The reason for the new interpretation, according to the ruling summary, was that using the CFAA to take action against employees who violate use restrictions could lead to prosecution of millions of Americans for largely harmless activities at work, like Gchatting, using Facebook or playing games.
The summary noted:
“If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”
Most people would agree that the CFAA was not intended for prosecution of employees who play online Sudoku or view videos on YouTube, but this new interpretation — whether right or wrong — holds significant implications for companies combating malicious insiders. Insiders, who will no longer see this particular law as a deterrent, may be more willing to wade into the risky waters of intellectual property theft. Companies should note, however, that while these malicious insiders can’t be prosecuted under the CFAA, they can still be culpable for trade secret theft, conspiracy and other similar crimes.
According to a recent study, IP theft costs U.S. companies more than $250 billion every year, and the number is only increasing. Furthermore, the majority of IP thieves are, in fact, current or former employees.
Even a relatively good employee can turn bad, given the right circumstances. Many businesses overlook concerning workplace behaviors that show individuals are on the path to IP theft. A personal predisposition to inappropriate behavior, combined with stressors, should raise a few red flags for administrators.
With the new interpretation of the CFAA in place, it is more important now than ever before that companies understand the behaviors of malicious insiders and how to protect against them. Consider these best practices from a recent study Symantec released, “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall”:
- Build a Multidisciplinary Team: To fully address insider theft, organizations need to have a dedicated team made up of HR, security, and legal professionals that create policies, drive training, and monitor problem employees.
- Address Organizational Issues: Understand if your organization is at greater risk due to inherent organizational factors. Some of these include having remote offices, suppliers, or subcontractors where differences in cultures, politics or language could lead to potential conflicts.
- Pre-screen Potential Employees: The information collected during this process will help hiring managers make informed decisions and mitigate the risk of hiring a “problem” employee.
- Establish Policies and Practices: Include policies that delineate appropriate IP use and behavior; the organization’s right to monitor and audit employee activity on proprietary systems; and policies describing how employees report grievances and their own and others’ risk behaviors.
- Implement technical solutions to protect company data: Preempt IP theft by flagging high-risk insider behavior with a security technology like Data Loss Prevention (DLP). Implement a data protection policy that monitors inappropriate use of IP and notifies employees of violations, which increases security awareness and deters insider theft. Alert managers, HR, and security staff when exiting or terminated employees access and download IP in unusual patterns.
- Conduct Training and Education: Policies and practices that are not recognized, understood and adhered to may be of limited effectiveness. For instance, most IP thieves have signed IP agreements. Organizations should have more direct discussions with employees about what data is and is not transferrable upon their departure and the consequences for violating these contracts.
- Evaluate continuously: Without effective monitoring and enforcement, compliance will lapse and insider risk will escalate.
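As an added illustration of the alerting described in the "Implement technical solutions" item above (not code from the Symantec study or from any DLP product), the Python example below flags departing employees whose daily downloads of IP-tagged files jump well above their own earlier baseline. The event format, the HR feed, the user names and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample data: (user, day, number of IP-tagged files downloaded).
EVENTS = [
    ("alice", date(2012, 4, 2), 4), ("alice", date(2012, 4, 3), 6),
    ("alice", date(2012, 4, 4), 5), ("alice", date(2012, 4, 5), 5),
    ("alice", date(2012, 4, 16), 6), ("alice", date(2012, 4, 17), 140),
    ("bob", date(2012, 4, 2), 30), ("bob", date(2012, 4, 3), 28),
    ("bob", date(2012, 4, 4), 35), ("bob", date(2012, 4, 17), 33),
    ("carol", date(2012, 4, 2), 3), ("carol", date(2012, 4, 17), 400),
    ("dave", date(2012, 4, 17), 25),
]
# Constructed HR feed: user -> date the resignation or termination was recorded.
DEPARTING = {"alice": date(2012, 4, 13), "bob": date(2012, 4, 13),
             "dave": date(2012, 4, 16)}

MIN_BASELINE_DAYS = 3   # assumed: fewer days than this is too thin a history
SIGMA = 3.0             # assumed: deviations above normal that count as unusual
FLOOR = 20              # assumed: never alert on small absolute volumes

def flag_departing_downloads(events, departing):
    """Return (user, day, count, reason) alerts for departing users whose
    post-notice daily download count is far above their pre-notice baseline."""
    history = defaultdict(list)
    for user, day, count in events:
        history[user].append((day, count))
    alerts = []
    for user, notice in departing.items():
        before = [c for d, c in history[user] if d < notice]
        after = [(d, c) for d, c in history[user] if d >= notice]
        if len(before) < MIN_BASELINE_DAYS:
            # No reliable baseline: fall back to the absolute floor only.
            threshold, reason = FLOOR, "no baseline"
        else:
            threshold = max(FLOOR, mean(before) + SIGMA * pstdev(before))
            reason = "above baseline"
        for day, count in sorted(after):
            if count > threshold:
                alerts.append((user, day, count, reason))
    return alerts

if __name__ == "__main__":
    for alert in flag_departing_downloads(EVENTS, DEPARTING):
        print(alert)
```

The rule is scoped to users in the HR feed, so carol's spike is not reported here; bob's steady, high volume stays under his own baseline and is not flagged either.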
Cross-posted from In Defense of Data.