As an IT pro, you’re well aware of the relentless attacks aimed at your network by outside threats. But let’s not forget about potential threats on the inside.
A recent court case brings home the point.
A mid-Atlantic energy company filed suit against a former employee after it discovered he downloaded confidential information before he quit, which he later used to win a contract for his new employer.
The company sued under the Computer Fraud and Abuse Act (CFAA), alleging the former employee violated its “policy prohibiting employees from misusing confidential information or downloading it to a personal computer.” In practice, the employee’s access to the confidential information wasn’t restricted.
And that proved to be the tipping point in court. The CFAA covers unauthorized access, not unauthorized use. So even though the former employee misused the information he downloaded, his actions weren’t found to violate the law under which he was sued, because the company had given him access to the information.
In this case, the company might have succeeded in court if its computer usage policy had been worded correctly, says lawyer Todd J. Horn. Horn advises that companies include specific language prohibiting employees from accessing confidential information on behalf of third parties. That way the company can argue that an employee who downloads confidential data to which he has access and then gives it to another company has “exceeded the scope of his authorized access under the CFAA.”
Computer usage policy requirements
In light of this ruling, now is a good time to review your company’s computer usage policies to make sure they include the following:
- Definitions of restricted or confidential data, internal data, and public data and instructions for handling each type.
- Language expressly prohibiting employees from downloading or transmitting confidential information or trade secrets on behalf of third parties.
- Language expressly prohibiting employees from accessing, transmitting, receiving, or seeking confidential information to which they have not been granted access, especially on behalf of third parties.
Depending on the nature of your company’s business, it may be a good idea to prepare a stand-alone confidential data policy and/or a data classification policy. Be sure to have legal counsel review your policies.