Linked: Federal Law Won’t Protect Your Organization from Bad User Access Control Practices
If you’ve seen references to a recent court ruling that effectively redefines the Computer Fraud and Abuse Act, or even if you haven’t, this paragraph from the folks at McGuire Woods boils down the real-life implications pretty well.
“The practical result of the Court’s holding is that a user that has been granted access to a resource cannot face liability under the CFAA for simply accessing that resource for an improper purpose. To face liability, a user must access a resource to which he or she has not otherwise been granted access. Thus a payroll employee will not be exposed to liability under the CFAA for accessing a company payroll database to which he or she already has access in a manner that violates company policy. Instead, the payroll employee would have to break into a database to which he or she had not been granted access or potentially steal the credentials of another employee who did have access.”
At some level, this makes sense. If a user doesn’t have to do anything special to access data, it’s not really fraud or abuse, is it? It is, literally, using the access they’ve been granted. The fact that they are using that access to do something with the data that you would prefer they not do falls under your own use policies rather than a criminal court. If they go on to use that information in another illegal act, there could be a criminal charge, but it would be tied to that act, not to any computer misuse.
What that means for companies, as the article below goes on to point out, is that if someone has access to data you would prefer they not have access to, you should figure out how to lock that down instead of relying on the CFAA to scare people out of misusing that data. It might not actually help you.
Federal Law Won’t Protect Your Organization from Bad User Access Control Practices