On Monday, January 25th, the Supreme Court issued the most recent Computer Fraud and Abuse Act decision in Michael Musacchio v. United States. After leaving his employer to start his own company, the defendant (a former executive) continued to use his password and login credentials to gain access to his now former employer’s computer and e-mail system. The government charged Musacchio with violating the CFAA for intentionally accessing his former employer’s computer systems without authorization. At trial, however, the court incorrectly instructed the jury that a CFAA violation required proof that he gained unauthorized access and exceeded authorized access. The CFAA requires proof only that the individual either “intentionally accesses a computer without authorization or exceeds authorized access.” The Supreme Court upheld his conviction, explaining that “[w]hen a jury finds guilt after being instructed on all elements of the charged crime plus one more element, the jury has made all the findings that due process requires.”
Unfortunately, this most recent CFAA decision does not offer any insight into the CFAA debate that we discussed previously here: whether an employee “exceeds authorized access” when, in the course of utilizing his/her computer (as permitted for his/her job), the employee accesses information for unauthorized purposes. That said, it highlights how human resources and IT security (or IT) can coordinate implementation of identity and access management protocols when an employee is terminated or departs. Specifically, we recommend that human resources and IT (or IT security) develop standardized procedures to closely coordinate their efforts when an employee is terminated or departs, to ensure his/her access to the company network is revoked as close in time to the departure as possible. For shared accounts that will persist after the employee’s departure, we recommend that passwords be changed immediately, and that human resources and IT coordinate to obtain the return of company property, particularly laptops, tablets, and mobile phones that can also give the now-former employee access to the company’s network, trade secrets, and other confidential information. If the employer gives the soon-to-depart employee an opportunity to extract or copy personal information from the company network, we recommend that the employee be very closely supervised and that robust logging be implemented to enable the company to validate what the employee did. As best practices evolve further, companies should consider what other activities should be coordinated to ensure that human resources and IT security personnel are meeting as necessary to continually improve these processes.