This is an opinion post by Tom Allen, Senior Security Analyst for Foresite. This post is meant to raise awareness of the varying circumstances that our clients may experience and to provoke thought about their policies related to data access and privacy. You will want to check with your legal counsel if you have specific questions.
News broke earlier this summer about a major league baseball team being investigated by the FBI for ‘hacking’ into a rival team’s database and gaining access to internal discussions about trades, proprietary statistics and scouting reports. What was of particular interest for us is how the access was gained. Reportedly, the General Manager of one team was formerly involved with the other, the staff knew that he used weak passwords, and the team’s network was accessed by someone guessing the password. So the question is, if you guess a password, is that still illegal?
Since the FBI is investigating the breach, the answer is obvious. If someone shaves a car key to fit my car and takes the car, it’s still stealing. In most organizations, policies are written to state that accessing any computer information without authorization is a punishable offense. Even in scenarios where someone suspects a significant other of something and installs a keylogger on the home computer to get that person’s password, it is illegal in most places.
This leads to a larger conversation. Most companies reserve the right to access employees’ email. This is legal as long as the employee knows and agrees to this intrusion as a condition of employment. It may be legal even without the notification, depending on local laws. It gets murkier when you get into your personal email. In most states, it is legal for an employer to ‘eavesdrop’ on your personal email if you use their computer equipment, network, and internet access to access it.
Mobile phones muddy the water even more. If you use your own data connection and phone to access your personal email, it’s likely not legal for your company to eavesdrop on it. The employer however may have policies about using mobile devices for personal use during work time, and you could be subject to the sanctions defined in policy. What about texts? Once again, if the device is owned by the employer there is a good chance they inherently have the right to read your texts. If it’s your own device (BYOD) it depends on the policies you agreed to by accepting employment.
There are a couple of lessons here for employers. First, make sure your users (even at the top of an organization) have complex passwords, and use 2-factor authentication for sensitive information. Second, verify that you have strong user policies and make sure they are blessed by your legal counsel.
If you are an employee, make sure you know and understand the IT policies of your organization, and if you are concerned about the privacy of your communications, don’t use the company supplied resources for personal communication.