Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how detecting the insider threat differs from the techniques used to identify and stop outside hackers, how to create an environment that deters insiders from stealing data, and the legal remedies, both civil and criminal, that are available to recover stolen data and compensate for its loss. Nearly 100 participants joined us for this webinar.
For those who missed the webinar, some of the key takeaways include the following:
- Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future. They target customer data, intellectual property, future business plans and embarrassing skeletons.
- Insiders are not hackers, and the traditional technology-based barriers that keep outside hackers out don’t stop them, because the insider is entitled to be on the network and has authorized access to the data.
- Detecting insiders is an ongoing exercise of comparing the activity of nominally equivalent employees (same role, same entitlements) and identifying anomalous conduct: the one person in a peer group whose volume, timing, or pattern of access stands apart from the others.
- Deterring insiders through social rather than technical measures is easier and more productive than trying to identify an attacker after the fact. Where employees know that indicators of insider attacks are being monitored, attacks are less likely to occur.
- The Computer Fraud and Abuse Act (CFAA), the federal statute most commonly used to redress insider attacks, has been interpreted inconsistently across the federal courts, and its effectiveness varies. State computer-abuse, trade-secret, and breach-of-fiduciary-duty laws continue to provide suitable remedies, both civil and criminal.
- Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
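The peer-comparison idea behind the detection takeaway can be made concrete. The following is an added example written for this recap, not material from the webinar or its presenters: it runs a simple peer-group anomaly check over a constructed file-access log. The log format (timestamp, user, role, action, record count), the role grouping, the 07:00 to 19:00 workday window and the z-score threshold are all assumptions chosen for illustration; a real deployment would draw these from the organization’s own systems and baselines.

```python
"""Peer-group anomaly detection over file-access logs.

Added example for this webinar recap; not code from the presenters.
The log lines, roles, workday window and threshold below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: timestamp,user,role,action,record_count
# Five sales users export customer records; one of them (erin) pulls far
# more than her peers and does so outside working hours.
SAMPLE_LOG = """\
2015-03-02T09:12:00,alice,sales,export,40
2015-03-02T10:05:00,bob,sales,export,35
2015-03-02T11:30:00,carol,sales,export,50
2015-03-02T14:00:00,dave,sales,export,45
2015-03-02T23:40:00,erin,sales,export,900
2015-03-03T09:10:00,alice,sales,export,38
2015-03-03T09:50:00,bob,sales,export,42
2015-03-03T13:20:00,carol,sales,export,44
2015-03-03T15:10:00,dave,sales,export,39
2015-03-03T02:15:00,erin,sales,export,1200
2015-03-02T09:00:00,frank,engineering,checkout,120
2015-03-02T10:00:00,grace,engineering,checkout,110
2015-03-03T09:30:00,frank,engineering,checkout,130
2015-03-03T11:00:00,grace,engineering,checkout,115
"""


def parse_log(text):
    """Parse the constructed CSV log into event dicts; hour comes from the ISO timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, count = line.split(",")
        events.append({"ts": ts, "user": user, "role": role, "action": action,
                       "count": int(count), "hour": int(ts[11:13])})
    return events


def per_user_features(events, workday=(7, 19)):
    """Aggregate each user's total records touched and the share touched after hours."""
    totals, after, roles = defaultdict(int), defaultdict(int), {}
    for e in events:
        roles[e["user"]] = e["role"]
        totals[e["user"]] += e["count"]
        if not (workday[0] <= e["hour"] < workday[1]):
            after[e["user"]] += e["count"]
    return {u: {"role": roles[u], "volume": totals[u],
                "after_hours_share": after[u] / totals[u] if totals[u] else 0.0}
            for u in totals}


def peer_zscores(features, metric):
    """z-score of each user's metric against the other users in the same role.

    Leave-one-out: the user being scored is excluded from the baseline so a
    single heavy exfiltrator cannot mask themselves by inflating the mean.
    """
    by_role = defaultdict(list)
    for u, f in features.items():
        by_role[f["role"]].append(u)
    scores = {}
    for u, f in features.items():
        peers = [features[p][metric] for p in by_role[f["role"]] if p != u]
        if len(peers) < 2:
            scores[u] = 0.0  # too few peers to form a baseline; do not score
            continue
        mu, sigma = mean(peers), pstdev(peers)
        if sigma > 0:
            scores[u] = (f[metric] - mu) / sigma
        else:
            # Peers are identical; any deviation from them is maximally anomalous.
            scores[u] = 0.0 if f[metric] == mu else float("inf")
    return scores


def flag_outliers(events, threshold=3.0):
    """Return {user: [reasons]} for users who exceed their peers on either metric."""
    feats = per_user_features(events)
    vol, ah = peer_zscores(feats, "volume"), peer_zscores(feats, "after_hours_share")
    flagged = {}
    for u in feats:
        reasons = []
        if vol[u] > threshold:
            reasons.append(f"volume z={vol[u]:.1f}")
        if ah[u] > threshold:
            reasons.append(f"after-hours z={ah[u]:.1f}")
        if reasons:
            flagged[u] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_outliers(parse_log(SAMPLE_LOG)).items():
        print(user, ", ".join(reasons))
```

Two design points matter in practice. First, the baseline is per role, not company-wide: an engineer checking out source is not a meaningful comparison for a salesperson exporting customer records, which is what "nominally equivalent employees" means. Second, the suspect is left out of the baseline they are scored against; otherwise one large exfiltration raises the group average and standard deviation enough to hide itself. Groups with too few peers are deliberately not scored rather than scored against a one-person "baseline".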