On November 30th, the U.S. Supreme Court will hear oral argument in Van Buren v. United States, and consider what constitutes “unauthorized access” under 18 U.S.C. Section 1030(a) of the Computer Fraud and Abuse Act (CFAA).
The issue is whether violating written restrictions on computer use (such as a website’s terms of service or an organization’s acceptable use policy) “exceed[s] authorized access” in violation of the CFAA.
As part of briefing this case, Professor Orin Kerr highlights a particular challenge for any organization in the information age, one he calls “The Insider Problem”:
In the age of computers and the Internet, it is easier than ever to share sensitive information. That has pros and cons. On the plus side, it’s easy for information to be made available to those with a legitimate interest in seeing it. Anyone with an Internet connection can connect. That’s good. On the minus side, it’s easy for those who can see sensitive information to convert it to improper uses. Once they have the information, they can press a button to create a new copy, send it to others without permission, or misuse it themselves. That’s bad.
To tackle “The Insider Problem,” implement the “Principle of Least Privilege” across the organization: give an employee only the access privileges she needs to perform her job. If an employee does not need access to certain documents (particularly those that are sensitive), then she should not have permission to access those documents.
Some points to consider when implementing the “Principle of Least Privilege”:
- Map Your Information. You can’t protect sensitive information or limit access appropriately if you don’t know where it is. Create a written document that maps information (visually and otherwise) by repository (where it is stored), inventories the information stored in those repositories, identifies the information owners/managers, and classifies the information’s sensitivity.
- Make Limited Access the Default. Consider making limited access the default, as opposed to the unlimited or unfettered access that computers and computer networks provide “out-of-the-box”.
- Assign and Monitor Access Privileges. Assign specific access privileges at the outset of an employment relationship, keep and update a list of all such privileges, and monitor those privileges over the course of the employee’s tenure. Audit and assess those privileges periodically.
- Create and Follow an Exit Process. Terminate a departing employee’s access privileges to company resources (which may include numerous devices and access methods) immediately, and document same.
- Monitor and Manage Vendor Access. Keep and update a running list of those third parties with access to the organization’s networks and data.
- Protect Sensitive Information Appropriately. Consider implementing additional access or security controls (such as encryption) for sensitive documents and information.
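The points above can be turned into a repeatable access review. The following is an added example, not code from the alert or its authors: it holds a constructed information map, a default-deny set of role grants, a roster of employees and vendors, and the access actually provisioned, then reports grants that exceed a role, survive a departure, or outlive a vendor's end date. All repositories, names and dates are made up for illustration.

```python
from datetime import date

# Constructed data, not from the alert. Information map: repository -> owner and sensitivity.
REPOSITORIES = {
    "hr-share":      {"owner": "hr-lead",  "sensitivity": "sensitive"},
    "eng-wiki":      {"owner": "eng-lead", "sensitivity": "internal"},
    "finance-vault": {"owner": "cfo",      "sensitivity": "sensitive"},
}

# Limited access as the default: a role grants only the repositories listed here;
# anything not listed is denied.
ROLE_GRANTS = {
    "engineer": {"eng-wiki"},
    "hr":       {"hr-share"},
    "finance":  {"finance-vault"},
}

# Employees and third-party vendors, with status, role and (for vendors) an access end date.
PRINCIPALS = {
    "alice": {"role": "engineer", "status": "active",   "vendor": False},
    "bob":   {"role": "hr",       "status": "departed", "vendor": False},
    "carol": {"role": "finance",  "status": "active",   "vendor": False},
    "acme":  {"role": "engineer", "status": "active",   "vendor": True, "expires": date(2020, 6, 30)},
}

# Access as actually provisioned in the systems: the list to keep, update and audit.
ACCESS = {
    "alice": {"eng-wiki", "finance-vault"},  # finance-vault exceeds her role
    "bob":   {"hr-share"},                   # departed but never off-boarded
    "carol": {"finance-vault"},              # matches role
    "acme":  {"eng-wiki"},                   # vendor access past its end date
}
AUDIT_DATE = date(2020, 11, 30)  # date of this review (constructed)

def review_access(repos, role_grants, principals, access, today):
    """Return (principal, repository, finding) tuples for grants that violate least privilege."""
    findings = []
    for name, repos_held in sorted(access.items()):
        info = principals.get(name)
        for repo in sorted(repos_held):
            if info is None:
                findings.append((name, repo, "unknown principal holds access"))
            elif info["status"] != "active":
                findings.append((name, repo, "departed principal still has access (exit process)"))
            elif info["vendor"] and info.get("expires") and info["expires"] < today:
                findings.append((name, repo, "vendor access past its end date"))
            elif repo not in role_grants.get(info["role"], set()):
                level = repos.get(repo, {}).get("sensitivity", "unknown")
                findings.append((name, repo, f"exceeds role '{info['role']}' ({level} repository)"))
    return findings
```

Calling review_access(REPOSITORIES, ROLE_GRANTS, PRINCIPALS, ACCESS, AUDIT_DATE) on the constructed data returns three findings: the expired vendor grant, Alice's grant to finance-vault, and Bob's surviving HR access.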
See also our alert, “Have You Asked Your CIO These 10 Information Security Questions?”
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape.