LVRC Holdings v. Brekka - Legal Impact of Zombie Accounts
Okay, before I dive in, a bit of a mea culpa here. I know and understand that part of the responsibilities of authoring a blog is frequency. Woops. Given my last entry was back in October, and that was the first since May, I'm not sure I'm really doing too well here. Is the end of February still an opportunity for a New Year's Resolution? Well, the journey back starts with a first step, right? So, why not start with a late February, 2010 entry about a court ruling filed back in September, 2009?
To be fair, it's not like I scan the US Court of Appeals findings on a regular basis, and the following story didn't make front-page headlines. But at a recent CSO Breakfast Club meeting this case was brought up and inspired me to take a deeper look. It was interesting reading.
Seems LVRC Holdings (which operates a residential treatment center for addicted persons in Nevada) filed a lawsuit against a former employee Christopher Brekka. LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA) by accessing LVRC's computer "without authorization" both while Brekka was employed at LVRC and after he left the company.
LVRC alleged that Brekka exceeded authorized access by emailing sensitive documents from his work computer to a personal computer as well as accessing accounts without authorization after he left the company. Amongst other accusations, LVRC alleged that Brekka, who left the company in September, 2003, accessed critical resources by using an account email@example.com which was discovered in November, 2004, more than a year after Brekka left. It was at this point that the account was disabled.
What makes this interesting is the Court ruling. The US Court of Appeals ruled in favor of Brekka. In their ruling they state that "authorization" is defined in the dictionary as "permission or power granted by an authority." Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it, which LVRC did for Brekka. The Court further ruled that, "It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or 'without authorization'." Additionally it states, "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA."
What does all this legal stuff mean? Basically, because LVRC did not disable Brekka's access when he left the company, the Court holds that Brekka's continued use of that access did not constitute a criminal or illegal act. Since the access was originally granted, an account that remains active essentially grants a former employee the ability to keep using it, because in the Court's opinion that user "would have no reason to know" that using the account was a violation.
This seemingly obscure ruling has major ramifications for how organizations manage Zombie accounts (accounts that stay active for users who are no longer with the organization). Given the highly sensitive information that various accounts grant access to, it is imperative that these accounts be disabled immediately when someone leaves the organization. In the Brekka case the account in question was an administrative account that seemingly offered significant access privileges. Without prompt disablement, an organization could have no recourse in pursuing legal action against former employees who might misuse such access rights and the data they reach.
There are easy ways to address this. Ongoing access certification by business managers would have identified that Brekka's account was still active after he left the organization. Automating the account disablement process ensures that accounts are turned off immediately when an employee is terminated or leaves the organization. Because LVRC did not institute such practices, a critical account was allowed to stay open; even though the former employee was alleged to be misusing these privileges, by not following its policies or detecting violations of them, LVRC left an account active. As the Court states, because the account was left active, its use was not considered unauthorized access just because the employee was no longer with the firm.
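To make the two controls just described concrete, here is an added example (not code from the original post, and not tied to any particular HR or directory product) of the reconciliation an access certification or automated deprovisioning job performs: an HR roster is compared against the account directory, every enabled account whose owner has been terminated is flagged as a zombie (recording how long it has outlived the termination and whether it was used after the departure date), accounts with no owner on record are flagged as orphaned, and a disable step is applied with an audit trail. The employee and account records, and the field names they use, are constructed sample data whose dates loosely mirror the timeline in the post.

```python
"""Reconcile an HR roster against an account directory to find "zombie"
accounts (still enabled although their owner has left) and produce the
disable actions an automated deprovisioning step would carry out.

Added example, not code from the original post. The HR and account
records below are constructed sample data; the owner/status field names
are assumptions rather than any particular HR or directory schema.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                       # "active" or "terminated"
    terminated_on: Optional[date]     # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    owner_emp_id: Optional[str]       # None if the directory records no owner
    enabled: bool
    last_login: Optional[date]        # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                       # "zombie" or "orphaned"
    days_past_termination: Optional[int]
    used_after_departure: bool


# Constructed sample data: one departed user whose account stayed enabled.
HR_ROSTER = [
    Employee("E100", "A. Example", "active", None),
    Employee("E200", "B. Departed", "terminated", date(2003, 9, 1)),
    Employee("E300", "C. Retired", "terminated", date(2004, 6, 15)),
]

ACCOUNTS = [
    Account("aexample", "E100", True, date(2004, 11, 1)),
    Account("bdeparted", "E200", True, date(2004, 10, 20)),   # zombie, used after leaving
    Account("cretired", "E300", False, date(2004, 6, 10)),    # correctly disabled
    Account("svc-legacy", None, True, None),                  # no owner on record
]

# Date on which the certification review is run (constructed).
REVIEW_DATE = date(2004, 11, 5)


def find_zombie_accounts(roster, accounts, as_of):
    """Return one Finding per enabled account whose owner has left, or whose
    owner cannot be found in HR at all. Already-disabled accounts are skipped."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = by_id.get(acct.owner_emp_id) if acct.owner_emp_id else None
        if owner is None:
            findings.append(Finding(acct.username, "orphaned", None, False))
        elif owner.status == "terminated":
            days = (as_of - owner.terminated_on).days
            used = acct.last_login is not None and acct.last_login > owner.terminated_on
            findings.append(Finding(acct.username, "zombie", days, used))
    return findings


def disable_flagged(accounts, findings):
    """Return a new account list with every flagged account disabled, plus an
    audit trail of what changed. The input list is not mutated."""
    flagged = {f.username for f in findings}
    updated, audit = [], []
    for acct in accounts:
        if acct.username in flagged and acct.enabled:
            updated.append(replace(acct, enabled=False))
            audit.append(f"disabled {acct.username}")
        else:
            updated.append(acct)
    return updated, audit


if __name__ == "__main__":
    found = find_zombie_accounts(HR_ROSTER, ACCOUNTS, REVIEW_DATE)
    for f in found:
        print(f"{f.username}: {f.reason}, {f.days_past_termination} days past "
              f"termination, used after departure: {f.used_after_departure}")
    _, trail = disable_flagged(ACCOUNTS, found)
    print("\n".join(trail))
```

Run against the sample data, the review flags the departed user's account (431 days past termination, with a login after the departure date, which is exactly the situation the post describes) and the ownerless service account, and the disable step turns both off while leaving the active employee's account alone. In practice the roster would come from the HR system of record and the account list from the directory export, and the audit trail is what a manager signs off on during certification.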
It doesn't make sense to have a policy if you're not following it. A lax access assurance strategy can inevitably lead to trouble, and may even limit what legal recourses a firm can take.