Quote of the Day - Let's drive not just breakthroughs in new products, but new ways to give more and more people access to these inventions and their benefits. This is a broad and important mission, and I believe we all have a part to play in it.
Fine. You've got hardware firewalls, software firewalls, spam filters, phishing filters and even antivirus programs running on your computers to keep out hackers.
But do you have rules?
What's that? Rules, you say? We don't need no stinkin' rules; nobody can get in our computer system from the outside.
Perhaps true, but what about your employees on the inside? How do you protect your computer data from them and prevent unauthorized access? According to a spate of recent court decisions under the Computer Fraud and Abuse Act, you need rules if you intend to protect your data from access by your employees and former employees. That means a set of written rules specifically tailored to your industry and thoroughly communicated to your employees.
Take, for example, a hospital. An employee in the hospital's IT department should not be allowed access to the actual content of patient files and records because that employee is not treating the patient. Doctors and nurses, on the other hand, need to see the patient's chart, but at the same time, probably don't need to see the patient's social security number or financial information to properly treat the patient. You get the idea.
But don't stop there. If your customers or vendors access your servers to place orders or obtain other information, then you need a clear set of guidelines for them, as well. You'll also want to ensure your customers and vendors receive notice of your guidelines, too. This article provides an in-depth discussion of the relevant cases, if you're interested in the specifics. If you're in need of a set, give me a call. I'm not only a geek, I'm a lawyer, too.
Once you have a set of rules in place that have been clearly communicated to those concerned, you can then use the CFAA as a weapon to prosecute employees and others who gain unauthorized access to your computer data. Although it may also be a crime, you don't even have to wait for the U.S. Attorney or your local District Attorney to prosecute the case. Your company can rush in and get an injunction preventing further use of the data, access to your computer systems and requiring the return of the data.