As the line between work and personal life becomes thinner and thinner, employee use of social media sites has become a more and more important (and vexing) issue for organizations. Companies are building their brands online, but so are employees. Social media posts made by employees (on or off the clock) can work to enhance or sully companies’ online reputations. In response, most social media policies include a clause prohibiting employees from making disparaging comments about their employer online. However, these policies may not be legal without a very specific carve-out – whoever is responsible for social media policies in your organization should take some time to read this blog post over at the Workplace Privacy Counsel blog.
This week, the Ninth Circuit US Court of Appeals ruled on a case which has an important impact on us information security types: US vs. Nosal.
Nosal was employed by recruiting firm Korn/Ferry. He left the firm to start his own, competing firm. After he left, he persuaded some of his Korn/Ferry colleagues to access confidential information owned by K/F and provide it to him. The K/F employees had access to the information as part of their work for the company, but were violating company policy in providing confidential information to a third party. When Korn/Ferry discovered the theft of information, they initiated legal proceedings against Nosal. In addition to suing him for civil damages, they filed a criminal complaint stating that he had “aided and abetted” the Korn/Ferry employees in violating the Computer Fraud and Abuse Act of 1984 by encouraging them to “exceed their authorized access to” Korn/Ferry computers.
Let’s stop here for a moment… what Nosal and the Korn/Ferry employees are alleged to have done was clearly wrong, and Korn/Ferry would be entitled to fire the employees and recover civil damages from the whole lot of them (IMHO). The question here is whether Nosal or the employees committed a federal crime which could lead them to jail time.
The Appeals Court did not agree with Korn/Ferry (and the federal prosecutors on the case). In its opinion, the court pointed out that the K/F employees were allowed to access the data in the course of their work and thus did not “exceed their authorization”; when they passed the information on to Nosal, they were in breach of their (civil) responsibilities to their employer. The court went further and said that interpreting the CFAA in the broad way advocated by Korn/Ferry and the prosecutors would make many very common behaviors federal crimes.
In particular, the court felt that the wider interpretation would make violation of corporate computer use policies and terms of service for Internet services criminal acts. For example, an employee who spent time shopping, playing games, or reading the sports pages online at a company with a computer usage policy limiting use of corporate systems to business use could find themselves in the “big house.” Now, as a corporate security professional, even I think that this is a bit excessive; corporate policy violations should lead to disciplinary actions and/or termination of employment, but prison time seems just a wee bit excessive to me.
The court also pointed out that criminalizing such a wide range of common behaviors would lead to a situation where the law would be applied inconsistently and arbitrarily.
There was a dissenting opinion, which contended that the ultimate use of the data (theft and providing it to a competitor) in and of itself was “exceeding authorized access.” The dissenting judge used the example of a bank teller’s access to their employer’s cash. The teller is authorized to access the cash in the course of doing their job, but would be exceeding their access should they access the cash to take it for their own use. I am not convinced by this argument, as the taking of the cash is a separate act which is criminal in and of itself.
In any case, this court has said that federal criminal law is not meant to help companies enforce their computer usage policies and that violation of those policies is a civil matter between employer and employee. This seems like a reasonable decision to me.
The court’s decision is worth a read – it was refreshing to read a decision which shows awareness of how the Internet is used in real life.
Apple has been getting some grief over the past week or so for their handling of the “FlashBack” trojan which infected over 500,000 Mac users worldwide. Well, yesterday, they released a new Java patch to address Flashback, and it has some interesting properties:
It looks for and removes FlashBack
It requires users to specifically enable Java on their systems
It automatically disables Java if no Java applets are run for “an extended period” – some bloggers are stating that this period is 35 days.
I’m glad Apple is taking these steps – if users are not using Java, disabling it will protect them from the rising tide of Java-based malware that is out there. I just hope that the process for re-enabling Java when needed is made easy for the non-technical user. It would be nice if Apple added a feature to “Software Update” which would be a little more proactive in nagging users to install security-related updates as well.