A few lessons for us infosec professionals from this:
First: The definition of insiders expands as businesses continue to outsource functions which used to be done in house.
Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.
In the UK, a disgruntled employee who had been disciplined for misconduct leaked payroll data for roughly 100,000 employees of a very large supermarket chain to newspapers in order to embarrass the firm. The courts found that the affected employees have the right to sue the supermarket chain for damages, since the chain was “vicariously liable” for the acts of its employee.
In contrast, a similar case in the US against Coca Cola had a very different outcome. A Coca Cola employee sold laptops which they had been tasked with destroying; the laptops contained personal information of employees. Employees sued, but the courts dismissed all of their claims, saying that Coca Cola could not have known about the rogue employee’s activities.
This case has a few lessons for infosec professionals:
First, if your firm operates in multiple jurisdictions, the laws and norms in these jurisdictions can be very different. When judging risk and formulating policy, work with your legal departments to make sure you understand these differences.
Second, I feel that this case also shows the differences in attitudes to personal information in the US and the rest of the world. It seems that the US does not value individual privacy nearly as much as other countries do. Again, if you operate in multiple jurisdictions, you need to keep this in mind.
As the stakes get higher for organizations (for example, fines of up to €20M or 4% of global annual turnover, whichever is higher, for breaches of the EU GDPR), these are things we need to worry about. Buy your general counsel a beer and talk it out before you have to deal with a lawsuit.
Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge (which is testimonial and protected) while a fingerprint is a form of physical evidence (which is not). While this seemingly nonsensical decision is not binding on other courts, it can be cited as persuasive authority in future cases. I guess the moral of the story is that you should disable Touch ID on your iPhone before embarking on your life of mobile phone assisted crime. Alternatively, you could reboot your iPhone as John Q. Law closes in, since Touch ID will not work after a reboot until you have entered your passcode.
This article from the Guardian claims that our friends in Redmond are cooperating with the NSA to give the spying agency access to all sorts of cloud based comms and data as part of their 1984-esque PRISM collection program. The haul includes Skype audio, video, and chat messages, which were until recently thought to be resistant to eavesdropping.
It seems that the National Labor Relations Board (NLRB) is continuing to extend its push into the regulation of social media in non-unionized workplaces. According to this Morgan Lewis LawFlash, two recent cases (which may end up in the appellate courts) continue the Board’s assault on workplace social media confidentiality policies.
In the first case, involving Costco, the NLRB found that a whole section of the firm’s social media policy dealing with the prohibition of posting confidential information to social media platforms was invalid because it included a ban on posting “payroll information.” The Board held that such a ban restricts activity protected under section 7 of the National Labor Relations Act (employees discussing their pay and working conditions with each other), which makes it an unfair labor practice under section 8(a)(1).
The second case, involving an auto dealer named Knauz, struck down the employer’s social media policy based on the following language:
[c]ourtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.
The Board felt that the language would discourage employees from using social media for activities protected under section 7 of the National Labor Relations Act, such as organizing a union or discussing working conditions.
The lesson? Make sure that your company’s Social Media policy passes muster with your legal team – and make sure your legal team knows about what the NLRB has been up to in this area. Social media has the potential to be an exfiltration vector for your organization’s confidential information; you don’t want to end up with a policy which is thrown out when you need it most.
A while back, I wrote about how US organizations writing social media policies need to beware of the National Labor Relations Board’s requirement that these policies not interfere with the rights of employees to discuss their working conditions or organize unions. At the time of my original post, the NLRB had released a guidance document which raised more questions than it answered. Since then, they have released additional guidance which includes a number of examples of bad policies and explains the specific problems with each. More importantly, it includes a sample policy which is in compliance with NLRB rules and which can be used as a guide in writing (or updating) your company’s social media policy. It is really worth taking a look at this document – many things that any normal, reasonable infosec professional would expect to be acceptable (e.g. “don’t post confidential information to social media sites”) are not.
If you are an information security professional at a publicly traded company, I would strongly suggest reading a recent blog post by Richard Bejtlich about the SEC’s requirements for the disclosure of cybersecurity breaches. Bejtlich points out that the ramifications of these requirements go well past getting into hot water with the regulators – they also raise other risks, such as whistleblowing by employees or third parties, as well as the potential for shareholder lawsuits when companies do not take the proper steps to secure information (or are perceived as not doing so). Having a conversation about this issue with your General Counsel before an incident occurs makes a lot of sense. All this being said, kudos to the SEC for recognizing the role of cybersecurity in good corporate governance.
As the line between work and personal life becomes thinner and thinner, employee use of social media sites has become a more and more important (and vexing) issue for organizations. Companies are building their brands online, but so are employees. Social media posts made by employees (on or off the clock) can enhance or sully a company’s online reputation. In response, most social media policies include a clause prohibiting employees from making disparaging comments about their employer online. However, these policies may not be legal without a very specific carve-out – whoever is responsible for social media policies in your organization should take some time to read this blog post over at the Workplace Privacy Counsel blog.
This week, the Ninth Circuit US Court of Appeals ruled on a case which has an important impact on us information security types: US vs. Nosal.
Nosal was employed by the recruiting firm Korn/Ferry. He left the firm to start his own, competing firm. After he left, he persuaded some of his former Korn/Ferry colleagues to access confidential information owned by K/F and provide it to him. The K/F employees had access to the information as part of their work for the company, but were violating company policy by providing confidential information to a third party. When Korn/Ferry discovered the theft of information, they initiated legal proceedings against Nosal. In addition to suing him for civil damages, they pursued a criminal complaint stating that he had “aided and abetted” the Korn/Ferry employees in violating the Computer Fraud and Abuse Act (CFAA) by encouraging them to “exceed their authorized access” to Korn/Ferry computers.
Let’s stop here for a moment… what Nosal and the Korn/Ferry employees are alleged to have done was clearly wrong, and Korn/Ferry would be entitled to fire the employees and recover civil damages from the whole lot of them (IMHO). The question here is whether Nosal or the employees committed a federal crime which could lead them to jail time.
The Appeals Court did not agree with Korn/Ferry (or with the federal prosecutors on the case). In its opinion, the court pointed out that the K/F employees were allowed to access the data in the course of their work, and thus did not “exceed their authorized access”; when they passed the information on to Nosal, they were in breach of their (civil) duties to their employer, not of the CFAA. The court went further and said that interpreting the CFAA in the broad way advocated by Korn/Ferry and the prosecutors would make many very common behaviors federal crimes.
In particular, the court felt that the wider interpretation would make violations of corporate computer use policies and of terms of service for Internet services criminal acts. For example, an employee who spent time shopping, playing games, or reading the sports pages online at a company whose computer usage policy limits corporate systems to business use could find themselves in the “big house.” Now, even I, as a corporate security professional, think that this goes too far; corporate policy violations should lead to disciplinary action and/or termination of employment, but prison time seems just a wee bit excessive to me.
The court also pointed out that criminalizing such a wide range of common behaviors would lead to a situation where the law would be applied inconsistently and arbitrarily.
There was a dissenting opinion, which contended that the ultimate use of the data (stealing it and providing it to a competitor) in and of itself constituted “exceeding authorized access.” The dissenting judge used the example of a bank teller’s access to their employer’s cash. The teller is authorized to access the cash in the course of doing their job, but would be exceeding their access should they take the cash for their own use. I am not convinced by this argument, as the taking of the cash is a separate act which is criminal in and of itself.
In any case, this court has said that federal criminal law is not meant to help companies enforce their computer usage policies and that violation of those policies is a civil matter between employer and employee. This seems like a reasonable decision to me.
The court’s decision is worth a read – it was refreshing to read a decision which shows awareness of how the Internet is used in real life.