Authorized Access – Understanding how US laws affect your authorization policies

Ken Spinner
3 min read
Last updated October 22, 2021

In 1986, the United States Congress passed the Computer Fraud and Abuse Act (CFAA). While the original intent of the law was to protect government computers and information from hackers, it has been applied to commercial interests as well. Specifically, the CFAA subjects to punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” While it is not our position to advise clients on this topic, it is important to understand how the US courts interpret the phrases “authorized access” and “exceeds authorized access.”

Through litigation, the US legal system has attempted to interpret the CFAA and determine the legal definition of “authorized access” and “exceeds authorized access.” Before getting into the value of Varonis features, it is essential to review the prevailing case law and judicial opinions on this topic. While a number of cases have addressed this issue, two cases and one court opinion stand out, each of which provides a basis for current legal decisions on authorization issues. Not surprisingly, most of the available case law involves data “theft” by individuals who, at some level, had permission to access the information they took. For example:


  • USA v Nosal – In this case Nosal (a former employee of Korn/Ferry) obtained proprietary information from his former co-workers, which he used to start a competing business. The former co-workers had authorization to access the information via the access permissions Korn/Ferry had provided to them, but the courts considered whether they had “exceeded authorized access” because they had signed a Non-Disclosure Agreement as well as an Acceptable Use Policy.
  • LVRC Holdings LLC v. Brekka – Brekka (an employee of LVRC) emailed business documents to his and his wife’s personal email accounts. Brekka had permission to access the business documents and LVRC did not have an acceptable use policy, so Brekka did not violate any access restrictions and ultimately maintained “authorized access.”
  • The United States Seventh Circuit District Court has stated that “an employee accesses a computer without authorization the moment the employee uses a computer or information on a computer in a manner adverse to the employer’s interest.” This opinion treated access permissions as only one factor in determining authorized access. In this case, the court considered the access permissions available to the employee as well as whether the employee used those permissions and data in a manner detrimental to his employer’s interests. In other words, regardless of the permissions available to an employee, a “disloyal” employee may be found guilty for accessing information available to them with ill intent. Other courts have offered differing opinions on this specific issue, creating additional confusion.

As you can see, what constitutes authorized access is still subject to interpretation in the courts. Acceptable Use Policies and Non-Disclosure Agreements are important, but they are only useful after an incident has taken place. Written policies and expectations of loyalty don’t safeguard important data, and they don’t prevent disloyal employees from using data to their advantage. Ultimately, IT administrators must enforce rightful access through best practices: data owner involvement in authorization processes, combined with an audit trail to validate acceptable use. In other words, access should be granted purposefully and periodically reviewed.

Varonis products provide the following features which will help to address the legal issues identified above:

  • Complete visibility into the permissions that each individual has across Windows, Unix, Linux, SharePoint and Exchange environments
  • A full audit trail which demonstrates whether an employee has accessed data that an employer would consider important or inappropriate
  • The ability to ensure rightful access, involving data owners in the decision making process
  • The ability to determine the sensitivity of data, as defined by data owners
  • A provisioning system complete with an audit trail which can report on why a person was granted access to a resource, when, and by whom
  • Automated entitlement reviews to ensure that permissions are always appropriate
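To make the two practices above concrete (purposeful grants with an owner-approved reason, and an audit trail checked against periodic reviews), here is an added illustration that is not Varonis code. The data model, the 90-day review period and the sample grants and access events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model (not Varonis code): each grant records who approved it,
# why, when it was granted, and when the data owner last re-certified it.
@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    approved_by: str
    granted_at: datetime
    last_reviewed: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        return self.granted_at <= t and (self.revoked_at is None or t < self.revoked_at)

@dataclass
class AccessEvent:
    user: str
    resource: str
    at: datetime

REVIEW_PERIOD = timedelta(days=90)  # assumed entitlement-review cadence

def stale_grants(grants, now):
    """Active grants whose owner review is overdue: candidates for re-certification."""
    return [g for g in grants if g.active_at(now) and now - g.last_reviewed > REVIEW_PERIOD]

def unauthorized_accesses(grants, events):
    """Audit events not covered by any grant that was active at the time of access."""
    return [e for e in events
            if not any(g.user == e.user and g.resource == e.resource and g.active_at(e.at)
                       for g in grants)]

# Constructed sample data.
NOW = datetime(2021, 10, 22)
GRANTS = [
    Grant("alice", "Finance/Q3", "quarterly close", "bob", datetime(2021, 1, 10), datetime(2021, 1, 10)),
    Grant("carol", "Finance/Q3", "audit support", "bob", datetime(2021, 9, 1), datetime(2021, 9, 1)),
    Grant("dave", "HR/Salaries", "payroll run", "erin", datetime(2021, 3, 1), datetime(2021, 9, 15),
          revoked_at=datetime(2021, 10, 1)),
]
EVENTS = [
    AccessEvent("alice", "Finance/Q3", datetime(2021, 10, 20)),   # covered by an active grant
    AccessEvent("dave", "HR/Salaries", datetime(2021, 10, 5)),    # after the grant was revoked
    AccessEvent("carol", "HR/Salaries", datetime(2021, 10, 18)),  # never granted
]

if __name__ == "__main__":
    for g in stale_grants(GRANTS, NOW):
        print(f"review overdue: {g.user} on {g.resource} (approved by {g.approved_by} for '{g.reason}')")
    for e in unauthorized_accesses(GRANTS, EVENTS):
        print(f"access without grant: {e.user} read {e.resource} on {e.at:%Y-%m-%d}")
```

The review report answers the "why, when, and by whom" question for each grant, while the second check turns the audit trail into evidence of access outside any grant.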

Moral of the story: Make every effort to ensure and validate rightful access so that you can peacefully co-exist with the vagaries of the law. Varonis products can ensure ongoing authorized access and provide the information needed to support a claim that a person exceeded their authorized access.
