Cry me a river
Security practitioners have long decried the practices of password sharing. Now an appellate court has bolstered that sentiment by handing down a decision in United States v. Nosal, ruling that a former employee of executive search firm Korn/Ferry International has violated the Computer Fraud and Abuse Act, acting “without authorization” when he used credentials supplied to him by a current employee. Upon the defendant’s termination, Korn/Ferry’s IT department revoked system credentials. So far, so good: employee decides to leave company, company turns off access. Score one point for security!
Waters become murky when a current employee—with legitimate, authorized access to the company’s customer database—offered up her credentials to the defendant. He, himself, did not use the provided credentials, but handed them over to two other colleagues, also former Korn/Ferry employees now working for the defendant’s competing company, who then accessed the sought after database.
So you took a chance and made other plans
There’s a lot of sketchy going on here. However, one particular question that looms large when reading various articles and opinions on the court’s ruling (which was 2-1, not anonymous) is that none of the court documents refer to acceptable use policies (AUPs). Maybe Korn/Ferry had acceptable use policies in place, but they were not referenced; only a confidentiality agreement, required at the start of new—not throughout—employment, was mentioned (N.B., “confidentiality” does not equal “acceptable use”). Will a policy stop malicious or negligent behavior? Of course not, but it could have prevented a whole mess of expensive and stressful litigation (and probably lost business for Korn/Ferry).
Notably, the recent case is the second instance this issue was brought to court (the first argument was submitted in 2011 and the first filing occurred in 2012). This wasn’t a one-and-done situation; it took five years for the company that owned the data to receive a ruling in its favor. That’s five years of distraction, cleaning up a mess that could have been, at least, mitigated had the company instituted, documented, and required employees to sign off on acceptable use policies throughout the terms of employment. These policies should also have been a part of any termination agreement, whether termination was initiated by the employee or the company. This isn’t a novel idea, and any company that abides by it won’t eliminate all bad behavior. It does, however, say to anyone contemplating nefarious activities: “We’re watching, and if you violate our terms, there will be a price to pay.” That price will be significantly less for all parties involved than five years’ worth of legal fees. Guaranteed.
Bet you didn’t think that they would come crashing down
Why did this matter take so long and why did the court disagree about whose granted permission held greater weight? Well, for one: No acceptable use policy. Had one been in place, the courts could not have argued whether or not the employee had permission to share her access credentials. If an acceptable use policy, agreed to and signed by all company employees, had clearly and definitively stated that sharing of passwords was explicitly not allowed under any circumstance, and that use of all company systems, devices, applications, etc. were governed by the AUP, the case wouldn’t have dragged on. The CFAA is a nice fallback, but companies shouldn’t be relying on falls back when it comes to protecting data and driving down risk. Companies need to do everything in their power to protect proprietary information, even if that means stating the obvious and requiring employees to stick to it. “Don’t steal our data” should be pretty straightforward, but apparently different ideas of “stealing” exist.
Bridges were burned, now it’s your turn
A policy isn’t going to keep a company safe. Nor is the security team—even with the aid of this court case, as a result of which the defendant was sentenced to one year in prison and required to pay restitution of over $800,000—going to suddenly make users realize password sharing isn’t acceptable. It will, however, lessen other risks and many headaches. Not that security practitioners need another item on their to-do lists, but it seems like a small, relatively simple task compared to the outcomes that could result from not bothering. Write a clear but definitive AUP with HR and legal teams involved. Require all new employees to agree to and sign it. Revisit it every year to ensure the company is still covered under the current plan (and revise if necessary). Then reissue it to every employee once each year, making acceptance a term of continued employment.