We have seen countless articles on organizations that fail to remove access when it is no longer required for a person’s functional role or when a person ends their relationship with the organization. An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.
###
Be careful what computer use you authorize
The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center’s claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company’s system after leaving its employ.
The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee’s password or that he accessed the company’s site after his employment ended.
###
What’s interesting about this case is that the court found against the plaintiff (the company) because they did not deactivate the former employee’s access credentials to a critical information resource. It’s clear from this judgment that organizations have an obligation to proactively protect their information resources, and when failing to put the proper access controls in place the organization may be forgoing its ability to seek legal recourse.
If this organization had dynamic access governance in place, it would have been able to see that there was an orphaned account to a core information resource that couldn’t be mapped to an active user in the company’s HR system and revoke the account.
