Password Sharing and Actions Against Disgruntled Employees Who Exploit Access

The world of business is changing rapidly. Where trade secrets, proprietary information, and other sensitive business files used to be physical documents housed exclusively in locked filing cabinets, or electronic files kept on secured physical hard drives, today's reality of globally distributed business partners and cloud storage has an ever-increasing share of our sensitive information residing on the internet. Data hosting services and IT professionals around the world are working diligently to protect us from the dangers presented by hackers, fraudsters, and scam artists. However, one of the biggest problems for businesses in the world of remote access is ACCESS itself. Who gets access? How do they get access? How do you control access? There are seemingly more questions than answers.

That said, in order to make the system work, employers must give their employees and business partners remote access to at least some of the systems housing sensitive data. Once you have entrusted someone with remote access to your electronic systems, it can be difficult to terminate that access effectively, even when that someone is a terminated employee.

Two recent cases involving access credentials to proprietary information systems highlight some of the problems with access that many businesses are facing today.

Continued Access to Old Credentials. In Philips Medical Systems Puerto Rico Inc. v. GIS Partners Corp.[i], Philips Medical Systems Puerto Rico, Inc. ("Philips") issued remote access credentials for a proprietary Philips software system to a number of employee service technicians. Sometime thereafter, some of those technicians left the company to start a competing business, GIS Partners Corp. ("GIS"). Much to the dismay of Philips, the credentials were still being used several years later, even though Philips had terminated access for those specific employees' credentials. Philips alleges that GIS found a way to circumvent the deactivation of those credentials and continued to use the proprietary software system to run its competing business.

Password Sharing. Another case, which involved far less technical expertise on the part of the former employees, is United States v. Nosal[ii]. In this case, several former employees used the active credentials of an insider still employed by the business to gain access to proprietary information for use in a new competing business. In what is every IT professional's and executive's worst nightmare, the former employees did not even have to steal valid access credentials: the person who was still employed participated willingly in the scheme and shared her password to company systems with the former employees turned competitors.

According to a recent study of data breaches by Intel Security and McAfee, Inc., internal actors were responsible for 43% of all data loss in 2015, half of it intentional[iii]. As the demand for remote access to cloud storage grows, businesses need to keep reviewing the internal policies and human procedures in place to protect against the very human problems with access. Here are some tactics for mitigating such problems.

1. HR Policy Defining Scope of Access to Company Systems and Employee Training[iv]

Companies should work with their human resources ("HR") department and legal counsel to draft comprehensive employee policies that cover access to remote data systems and the sharing of passwords. How a business defines system access, and the apparent authority it bestows on its employees, may also affect a court's analysis of whether a particular use of access credentials was "authorized." It is important that your company's HR policies and practices meet certain standards in order to maintain control of who has access to your sensitive information and how that access is granted and rescinded. Companies should train their employees on the risks of willingly sharing access credentials, including the possibility of criminal and civil charges against employees who knowingly provide access to outsiders.

2. Monitor Access Credential Use Robustly

IT professionals at Philips were able to detect the alleged unauthorized access to their systems only after years of continued unauthorized use and significant research into system logs that did not look right. While access control systems are essential, they can also provide a false sense of security, allowing one to become complacent in the belief that all potential threats are being monitored at the point of access. These protections often cannot stop the unauthorized use of valid (or hijacked) access credentials, because to the system such logins look legitimate. Additionally, a lot of damage can be done by an employee who is validly accessing certain systems for an invalid reason, such as looking up personal information of clients or customers for non-business purposes.

Employees and other insiders have a significant advantage over outside hackers, both in being able to bypass access security systems and in knowing which specific documents contain valuable information. In a recent study of serious data and security breaches, almost 70% of respondents felt their breach could have been prevented, or the loss materially mitigated, if the organization had employed a rigorous continuous network monitoring policy or invested in data loss prevention ("DLP") technology, which focuses on data flowing out of the system rather than on access into the system, before the breach occurred[v]. That same survey also found that organizations with rigorous DLP programs in place at the time of the breach, so that the incident was identified first by an internal security team rather than by external parties such as law enforcement, credit card companies, or customers, were 20% less likely to suffer an actual data loss or theft[vi]. As such, every business should pay close attention to how much active system monitoring is needed to protect against the dangers of unauthorized access.

3. Individualize Access

Particular deliberation should be given to whether access credentials are "general" (shared among several people and allowing indiscriminate access to all of the business's systems). Where practical, it is preferable to provide each employee with individualized, time-constrained access to only those systems he or she needs in order to do the job effectively. Individualized access limits the potential damage caused by any specific employee sharing his or her password or continuing to access proprietary systems after termination, and it allows one person's credential to be revoked without disrupting anyone else. It can also aid security teams and law enforcement in tracking down the persons responsible for a breach, because the log entries for an individual credential point to a single person and to the specific information and systems accessed.
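As an added illustration of the log monitoring discussed in tactic 2 and the individualized, time-constrained access in tactic 3, the following Python script runs three detections over a constructed authentication log. It is example code written for this article, not anything from the Philips or Nosal court records or from any monitoring product, and the log lines, account records, login-hour windows and the ten-minute "sharing" threshold are all assumptions. The three checks are: a successful login by an account that HR/IAM records show as deactivated (the Philips pattern), one credential used from two different network addresses within a few minutes (the Nosal password-sharing pattern), and a valid credential used on a system or at an hour outside its individual grant (what individualized, time-constrained access makes detectable).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one successful login per line:
#   timestamp user source_ip system
# These records are made up for the example; they are not from either case.
SAMPLE_LOG = """\
2017-03-01T09:02:11 tech01 198.51.100.7 fieldservice
2017-03-01T09:05:40 tech01 203.0.113.9 fieldservice
2017-03-01T13:30:00 tech02 198.51.100.22 fieldservice
2017-03-01T22:15:09 tech02 198.51.100.22 fieldservice
2017-03-02T10:00:00 tech03 192.0.2.44 fieldservice
2017-03-02T10:01:00 tech02 198.51.100.22 customerdb
"""

# Constructed account records (assumed to come from an HR/IAM export): when the
# credential was deactivated, which systems the individual grant covers, and the
# permitted login hours (start inclusive, end exclusive, 24-hour clock).
ACCOUNTS = {
    "tech01": {"deactivated": None, "systems": {"fieldservice"}, "hours": (8, 18)},
    "tech02": {"deactivated": None, "systems": {"fieldservice"}, "hours": (8, 18)},
    "tech03": {"deactivated": datetime(2016, 12, 31), "systems": {"fieldservice"}, "hours": (8, 18)},
}

# Two logins by one account from different addresses this close together are
# treated as a credential-sharing indicator (assumed threshold; tune per environment).
SHARING_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, system = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "system": system})
    return events


def find_deactivated_use(events, accounts):
    """Logins by an account after its recorded deactivation date (the Philips
    pattern): a deactivated credential should never authenticate successfully."""
    findings = []
    for e in events:
        off = accounts.get(e["user"], {}).get("deactivated")
        if off is not None and e["ts"] > off:
            findings.append(e)
    return findings


def find_shared_credentials(events, window=SHARING_WINDOW):
    """One credential used from two different source addresses within `window`
    (the Nosal pattern): a single person rarely changes network that fast."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                findings.append({"user": user, "ips": (prev["ip"], cur["ip"]),
                                 "ts": cur["ts"]})
    return findings


def find_out_of_scope(events, accounts):
    """A valid credential used outside its individual grant: on a system it was
    not issued for, or outside the permitted hours."""
    findings = []
    for e in events:
        grant = accounts.get(e["user"])
        if grant is None:
            findings.append(dict(e, reason="unknown account"))
            continue
        start, end = grant["hours"]
        if e["system"] not in grant["systems"]:
            findings.append(dict(e, reason="system not in grant"))
        elif not start <= e["ts"].hour < end:
            findings.append(dict(e, reason="outside permitted hours"))
    return findings


def run_checks(log_text, accounts=ACCOUNTS):
    """Run all three detections and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "deactivated": find_deactivated_use(events, accounts),
        "shared": find_shared_credentials(events),
        "out_of_scope": find_out_of_scope(events, accounts),
    }


if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

On the constructed log, the script flags tech03 (deactivated at the end of 2016, still logging in the following March), tech01 (the same credential from two different addresses three minutes apart), and tech02 twice (a 22:15 login outside the permitted hours and a login to a system the grant does not cover). Note that the third check is only possible because each technician holds an individual grant with a defined scope; with a single "general" credential there is no per-person scope or time window to compare against, and the first two checks lose their ability to name an individual.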

4. Private Civil Actions Under the CFAA

If your business has already suffered a loss due to unauthorized access to your information systems, there are a number of remedies to pursue, but one federal statute is specifically targeted at the problem of access: the Computer Fraud and Abuse Act ("CFAA")[vii]. The CFAA was originally enacted to combat hacking of federal government and financial-sector computers but has since been expanded to protect electronic information stored on privately owned computers. In the relevant section, 18 U.S.C. § 1030(a)(4), the CFAA states:

Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished. . . .

While the CFAA is primarily a criminal statute, it also gives private parties a civil cause of action against individuals and other businesses that have accessed protected systems without authorization. Use of the CFAA to go after former employees who access remote systems after their termination, or disgruntled employees who exceed their authorized access, has increased in recent years and may provide a valuable remedy for businesses that have suffered from unauthorized access. Some things to consider when starting a CFAA action:

a. Monetary Damages. Damages recoverable in a civil action are compensatory (economic) damages, and to sustain the action the loss must total at least $5,000 within a one-year period. This minimum threshold can include the wage and benefit costs of internal administrative time spent identifying the access problem and taking substantive corrective action, plus any fees paid to outside investigators or other service professionals in connection with the access breach.
b. Preliminary Injunctions. In certain instances, courts have issued preliminary injunctions against a defendant's continued access to the information systems, or continued use of information retrieved through previous access, even when that access was gained through valid access credentials with the permission of the person to whom those credentials were originally issued.
c. Question of Access. A defendant's use of the information accessed, and any damage caused by that use, need not be established and may in fact be irrelevant to proving a claim under the CFAA[viii]. The statute bars the unauthorized access itself, so evidence establishing that access is enough to proceed.

Ice Miller’s Data Security and Privacy Practice helps clients assess risks. We work with clients to help them implement a strong data security and privacy program. Stephen Reynolds, a former computer programmer and IT Analyst, is a co-chair of Ice Miller’s Data Security and Privacy Practice. Stephen can be reached at stephen.reynolds@icemiller.com or (317) 236-2391. Emily Storm-Smith, a former engineer and certified data privacy professional, is an attorney in Ice Miller's Business Services Group focusing on Corporate Advising and Data Security and Privacy law. Emily Storm-Smith can be reached at emily.stormsmith@icemiller.com or (317) 236-2224.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how the issues discussed herein apply to the reader’s specific circumstances.


[i] 203 F. Supp. 3d 221 (D.P.R. 2016).
[ii] 844 F.3d 1024 (9th Cir. 2016), petition for cert. docketed May 5, 2017.
[iii] Grand Theft Data. Data exfiltration study: Actors, tactics, and detection. Intel Corporation and McAfee, Inc., available at https://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf.
[iv] Schlossberg, Jeffrey M. and Jackson Lewis P.C., Sharing of Passwords Under Certain Circumstances Unlawful, 2016 Jackson Lewis P.C., available at www.jacksonlewis.com.
[v] Supra note 3.
[vi] Id.
[vii] 18 U.S.C. § 1030.
[viii] See Infinity Headwear & Apparel, LLC v. Coughlin, 447 S.W.3d 138 (Ark. App. 2014).