Cloudy With A Chance of Disaster: Avoiding the Security Risks of BYOC (Bring Your Own Cloud)

Posted by on Nov 18, 2013 in Data Security, Employment and Labor

Photo by Ian Lamont (CC BY 2.0) courtesy of Flickr

Photo by Ian Lamont (CC BY 2.0) via Flickr

You’ve probably heard of BYOD (Bring Your Own Device).  But do you know about BYOC?  It stands for Bring Your Own Cloud, and it’s more prevalent than you might think.

Cloud storage services like DropBox, Google Drive, and SkyDrive sport features that are attractive to an increasingly mobile workforce.  They provide gigabytes of storage for free.  Files in the cloud are accessible anywhere with an internet connection.  Changes to a file in a cloud account are synced across all devices with access to the account.  It’s not difficult to see why cloud services are gaining popularity among individuals and companies alike.

Therein lies the problem.  Because personal cloud accounts are so handy and easy to set up, an employee can create a security risk for a company in a matter of minutes.  An employee can essentially connect the organization to the cloud without the company’s knowledge via a private cloud account.  This enables the transfer of confidential company data to a location outside the company’s reach.

ComRent International, LLC v. Palatini, 2013 WL 5761319 (E.D. Pa. Oct. 24, 2013), involved such a scenario.  ComRent hired Clayton Taylor to serve as a vice president of product development.  Taylor primarily worked on matters related to Experium, a company that he co-founded and of which he was a minority owner.  Taylor set up a Google Drive account to store, access, and edit all of Experium’s intellectual property and confidential commercial information.  Only Taylor knew the username and password necessary for the account.  When ComRent hired an engineering firm to consult on options for the future of Experium, Taylor refused to grant the firm access to any of Experium’s intellectual property, believing that ComRent might appropriate the intellectual property for itself.  As a result, ComRent terminated Taylor and filed a lawsuit seeking access to the Google Drive account containing Experium’s corporate files.

Here are some tips for avoiding problems with unauthorized use of personal cloud storage accounts by employees.

Set a Policy: Remaining silent—and therefore ambiguous—about the organization’s stance on cloud storage can lead employees to believe they may use personal cloud accounts for work purposes without letting management know.  To eliminate such misconceptions, set a policy on whether or not the organization will use cloud storage.  If the decision is yes, then adopt measures to ensure responsible use of cloud storage.  If the decision is no, then clearly communicate to employees that storing work data in a personal cloud account is against company policy.

Maintain Control: If an organization decides to use cloud storage, it should retain control over the information necessary to access the cloud storage account (e.g., login credentials).  It is advisable to create an account under the organization’s name for official work purposes instead of allowing employees to use their personal accounts.

Restrict Unauthorized Cloud Services: Consider restricting access to private cloud storage sites from any device that can also access company data, including mobile devices, through the use of blacklists, proxies, and other network security measures.  This will prevent the transfer of work files to a private cloud account.  Organizations with BYOD programs might find it challenging to eliminate all access to private cloud services, but it is worthwhile consulting with the IT department about the feasibility of implementing such restrictions.

Retain Ownership: Make it clear that company information remains property of the company regardless of where it is stored.  It’s also a good idea to have employees sign written non-disclosure agreements.

Stay safe in the cloud!

 

Read More

Bring It: Preparing for the BYOD Movement at Your Workplace

Posted by on Aug 20, 2013 in Data Security, Employment and Labor

No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir.  BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe.  In the “old days,” companies issued electronic equipment to employees for work use.  Today, employees want to use the latest electronics of their own choice for both work and play.  Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves.  However, BYOD programs also create legal risks for companies, including:

  • Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
  • Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
  • Inadvertent disclosure of proprietary company information, which jeopardizes their confidentiality, and as a result, their status as protected trade secrets
  • Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company

In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach.  BYOD is more prevalent than one might think.  A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home.  A company need not officially adopt a BYOD program to have one, which is all the reason why management should be proactive about putting BYOD policies in place.

Learn about the specific risks that a BYOD program creates for your company.  Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes.  Notify employees of the policies in writing and provide training.  Don’t wait until it’s too late!

Want more tips on BYOD?  Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.”  Registration information is available at www.aeisonline.com.

Enhanced by Zemanta
Read More

The Electronic Wake Employees Leave Behind

Posted by on May 21, 2013 in Data Security, Employment and Labor

Employer sues ex-employee for not updating his LinkedIn profileJefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s  benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the amount of access to which former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow of erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.
Enhanced by Zemanta

Read More

A Hack By Any Other Name

Posted by on May 8, 2013 in Data Security, Employment and Labor

The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D .Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argumen.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”   The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.

Enhanced by Zemanta
Read More

Another Court Interprets the CFAA Narrowly

Posted by on Feb 7, 2013 in Data Security, Employment and Labor

A New York federal judge rules that misuse of computer information  gained through legal access does not violate the CFAAAdvanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses to a computer but misuses the information obtained with such access, such as what the former AAT employers allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the word “authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can

Read More
%d bloggers like this: