A recent ruling by the U.S. Supreme Court “leaves a gap” in one of the laws applying to insider threats by federal employees, among others with access to an employer’s computer systems, a Congressional Research Service report says.
The report noted that in Van Buren v. United States, the high court held that it is not a violation of the Computer Fraud and Abuse Act if an employee who is authorized to obtain information on a computer for certain specific purposes instead accesses that information for other purposes. The court held that there is a violation only if the employee accesses an area of a computer or information on one that is completely “off limits to him,” as opposed to accessing a computer or information that he is entitled to use in at least some circumstances.
Said the report: “Given the ubiquity of computers, and the broad swath of computers and computer-enabled technology governed by the CFAA, the implications of Van Buren could be considerable . . . In the context of the rogue employee, for instance, if he is authorized to obtain his employer’s business records for an official purpose such as billing, he will not violate the CFAA if he instead obtains them to sell to a competitor or foreign government.”
It added that such conduct still could have serious adverse consequences to the employee, including being fired and potentially being prosecuted under other laws. Such laws could include those protecting classified information, another person’s health information or a company’s trade secrets; and those governing fraud, if the information is used for that purpose.
However, “not all data misappropriation by an insider will necessarily involve such motives or information subject to specific protections . . . To the extent this leaves a gap where certain aspects of the insider threat are not covered by federal law, Congress might examine whether legislation is needed to address the insider threat,” it said.