An Employer’s Guide to Responding to and Avoiding Employee-Related Computer Breaches
Storing and protecting employee and customer data is one of the most important parts of any business. This goal is hampered by employee computer breaches of sensitive information. Many company breaches are committed by “insiders”—current or former employees who have access to or the means to steal confidential company information for financial gain, dissemination, retaliatory purposes, etc. All 50 states and several territories have enacted breach notification statutes which require employers to send notifications to victims impacted by the data breach. Despite this, employee computer breaches can wreak havoc on a company’s reputation and the continuity of its operations.
This article, drafted by the senior defense attorneys at Oberheiden, P.C. experienced in data security breaches, explains the Computer Fraud and Abuse Act; Section 1030 generally; and — most importantly — what employers should do when setting up a compliance plan to identify, monitor, and prevent employee computer breaches.
Overview of the Computer Fraud and Abuse Act
Over the past several decades, Congress has repeatedly sought to fight computer crimes by enacting legislation making it a felony or misdemeanor to access classified data without authorization or to access a government computer. Section 1030 of the U.S. Code is a comprehensive statute that addresses a host of computer-related offenses. 18 U.S.C. § 1030. In 1986, Congress amended Section 1030 by adopting the Computer Fraud and Abuse Act (“CFAA”). The CFAA includes criminal provisions and authorizes victims of violations of the Act to bring civil actions for compensatory damages, injunctions, or other equitable relief.
Briefly, under the CFAA, it is a crime to obtain information from any protected computer by intentionally accessing a computer without being authorized to do so or by exceeding one’s authorized access. While the statute was originally directed at “hackers” who entered electronic systems without any obvious authorization, its scope has been expanded multiple times to keep up with the sophistication of technology and the Internet. The CFAA, like many other provisions in Section 1030, has very broad application, and employers need to understand that breadth.
Key Terms in Section 1030
Relevant terms worth noting in Section 1030 include “protected computer,” “exceeds authorized access,” and “without authorization.” The term “protected computer” is broad and encompasses all computers used in or affecting interstate or foreign commerce as well as computers used by the government and financial institutions. 18 U.S.C. § 1030(e)(2). For instance, the statute can reach computers outside the territory of the United States if they somehow affect interstate or foreign commerce.
“Exceeds authorized access” means accessing a computer without authorization in order to obtain or alter information that one is not entitled to obtain or alter. 18 U.S.C. § 1030(e)(6). Issues with this term include whether the defendant accessed the computer with authorized access but for an improper purpose. For instance, it is sometimes unclear whether defendants can be liable for accessing information which they were entitled to access but then using that information for improper purposes. “Without authorization” is a more difficult term to define. Those who use a computer without any authorization clearly violate this provision. However, those with authorization can lose it where they breach their duties of faith, loyalty, and care to the company. Because of the uncertainty surrounding this term, many Section 1030 cases instead analyze whether the defendant “exceede[d] authorized access.”
Helping Employers Adopt A Compliance Plan to Prevent Employee Computer Breaches
A properly developed compliance plan helps employers better respond to employee computer breaches. Below is a useful guide for employers to adopt within their compliance plan in case of employee computer breaches:
- Retain a dedicated group of defense attorneys. If there is a breach by a former or current employee of the company’s sensitive data, affected individuals can sue the company for the data breach. Attorneys can advise your company on privileged information—meaning information that does not have to be revealed during the course of a legal action—as well as crisis management strategies.
- Decide whether your company has an obligation to notify individuals/relevant parties that their personal data has been implicated. Many states and industry sectors such as financial institutions have notification requirements.
- Determine if the breached information can be safely returned to the affected parties. If the breached data has not been disseminated to third parties, containment of the breach may be easy and typically involves the threat of litigation to the violating employee. If the breached data has been disseminated to third parties, you may need the assistance of an attorney to obtain injunctive relief from court.
- Regularly train company employees regarding the importance of safeguarding sensitive company information, respecting authorized access, and the company’s enforcement of computer breaches.
- Review employee access to sensitive company information and employee control of such information to determine if any employee’s credentials need to be restricted or revoked.
- Have in place a comprehensive investigation strategy that outlines to your company personnel the steps to follow should an internal investigation begin. This step should document the reasonable steps the company will follow in the event of an employee computer breach.
- Maintain active, regularly scheduled reviews of the company’s logs for suspicious users and activity. This should also include periodic reviews of the personnel conducting those reviews, including checks of their credentials.
- Double check that all employees who have access to sensitive data involving the company are given proper access on a need-to-know basis. This may involve restricting access to specific business needs or based on seniority.
- Block certain suspicious websites that pose high risk to the company’s operation.
- Utilize software within the company that prevents the transmission of company data from one device to another without additional security checks and clearance. This eliminates the simple transfer of data by employees who can merely access data as a result of their position as an employee and restricts access to employees with special credentials.
- Enforce a stringent code of conduct and code of ethics that emphasize proper employee conduct. Make sure these codes as well as any employee handbooks are regularly revised and updated.
- Employ a reliable system for monitoring employee email accounts in the workplace. Employees should be informed of this policy.
- Review the company’s IT and security systems. This is especially important where there has been a vulnerability in the company’s system due to a prior employee computer breach.
- Maintain periodic reviews of the company’s internal controls and risk assessment procedures to optimize company policies regarding computer breach prevention.
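The log-review, access-review, and need-to-know items above can be partly automated. The following Python script is an added illustration, not part of the original article or any Oberheiden P.C. material: it checks a constructed access log against a constructed HR roster and role-to-data map, flagging logins by terminated accounts, reads outside an employee’s need-to-know scope, and unknown accounts. The log format, roster fields, and role names are all assumptions.

```python
from datetime import datetime

# Constructed roster (hypothetical): account -> role and termination date, if any.
ROSTER = {
    "alice": {"role": "finance", "terminated": None},
    "bob": {"role": "sales", "terminated": "2024-03-01"},
    "carol": {"role": "hr", "terminated": None},
}

# Constructed need-to-know map (hypothetical): data classes each role may touch.
NEED_TO_KNOW = {
    "finance": {"payroll", "invoices"},
    "sales": {"crm"},
    "hr": {"payroll", "personnel"},
}

# Constructed access log in an assumed "date user data_class action" format.
ACCESS_LOG = """\
2024-02-15 alice invoices read
2024-03-04 bob crm read
2024-03-05 carol invoices export
2024-03-06 alice payroll read
2024-03-07 dave crm read
"""


def review_access_log(log_text, roster, need_to_know):
    """Return (user, date, reason) findings that a reviewer should follow up on."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date_s, user, data_class, _action = line.split()
        when = datetime.strptime(date_s, "%Y-%m-%d")
        record = roster.get(user)
        if record is None:
            # An account with no HR record should never be active.
            findings.append((user, date_s, "unknown account"))
            continue
        term = record["terminated"]
        if term and when >= datetime.strptime(term, "%Y-%m-%d"):
            # Former employee still able to log in: credentials were not revoked.
            findings.append((user, date_s, "access after termination"))
            continue
        if data_class not in need_to_know.get(record["role"], set()):
            # Authorized user reaching data outside their role's business need.
            findings.append((user, date_s, f"outside need-to-know: {data_class}"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, ROSTER, NEED_TO_KNOW):
        print(finding)
```

In practice the roster would come from the HR system and the log from the identity provider or file server, and every finding would be routed into the investigation strategy described above rather than acted on automatically.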
“In today’s technologically advanced era, it is more important for employers to develop an internal compliance plan that responds to and avoids employee computer breaches. This is critical because, despite the notification requirements, computer breaches committed by current or former employees can cause irreparable harm to the business’ reputation and lead to fines and/or lawsuits.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Companies of all sizes and all industries face the threat of computer breaches by former or current employees. These risks are exacerbated in a technologically advanced world where cyber-crimes and disgruntled employees meet. Companies experiencing these circumstances need to understand not only the repercussions of a computer breach on their reputation and business operations, but also the imperative of developing a comprehensive compliance plan to combat such risks in the future. Developing a compliance plan allows employers to identify and prevent employee computer breaches by creating a reliable system that monitors employee access to data and flags suspicious activity.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.