Security Demons and Legal Exorcism David Wotherspoon Presentation to Information Systems Security Association April 7, 2005


Page 1

Security Demons and Legal Exorcism

David Wotherspoon

Presentation to Information Systems Security Association

April 7, 2005

Page 2

Disclaimer

• The information contained in this presentation is of a general nature. It is not legal advice and should not be construed as or in any way considered to be legal advice.

Page 3

Security Demons and Legal Exorcism

• As IT systems increase in size, complexity, and importance, more and more legal issues will arise from their misuse.

• As important as it is to prevent misuse, it is equally important that IT professionals be able to identify the wrongdoer and the data at issue quickly, reliably, and in a form that can be used by the Courts.

Page 4

Verizon Employee email to customer

• “You sir are a grumpy, horrible man who needs to grow up and realize that you are on earth, not some crazy place where everything works out for (customer name) and company!”

Page 5

American Home Products

• Manufacturer of Fen-Phen

• 33 million emails searched

• “Do I have to look forward to spending my waning years writing checks (sic) to fat people worried about silly lung problems?”

• Charged with reckless indifference to human life

• Settled: $3.75 billion

Page 6

Air Canada v. Westjet

• Ex-employee of Air Canada subsidiary goes to work at Westjet, and retains access to Air Canada employee website to check on how full Air Canada flights are.

• Air Canada accuses Westjet of using ex-employee’s access to gauge demand for flights, provide data for strategic planning and gain an unfair advantage.

• Ex-employee maintains he logged on only to satisfy curiosity… 243,260 times in one year.

Page 7

What Do You Do When…?

Examples of workplace security demons…

Page 8

Security Demon 1: Employee begins working for a competitor

• He’s involved in a workplace romance

• He quits and goes off to work for a competitor

• However, he continues to have access to the company’s network through his ex-lover’s passwords

Page 9

Legal Issues

1) Breach of confidentiality?

2) Unfair competition?

3) Breach of loyalty?

Page 10

Legal Exorcism

1) Employment Contract: non-competition provisions; confidentiality

2) Identification of proprietary information

Page 11

Forensic Response

When the senior employee leaves:

• Isolate his hard drive
  - without doing anything to the computer, obtain a bit stream image: ensure it is in the same condition as when he left
  - chain of custody

• Monitor his email
  - start monitoring as soon as the employee is given or gives notice

• Change passwords
  - ensure he is locked out of the system
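The acquisition step above (bit stream image, same condition as when he left, chain of custody) as a worked example. This is added here and is not the presenter's material; it assumes GNU coreutils (dd, sha256sum) and, in practice, a drive attached through a write blocker, with a constructed sample file standing in for the drive so it runs offline.

```shell
# Added example, not from the presentation: take a bit-stream image of a
# seized drive, hash source and image, and append a chain-of-custody record.
# In practice SOURCE is a block device (e.g. /dev/sdb) attached through a
# hardware write blocker; here a constructed sample file stands in for it.

# acquire_image SOURCE IMAGE LOG EXAMINER
# Succeeds only when the image hashes identical to the untouched source.
acquire_image() {
    src=$1; img=$2; log=$3; who=$4
    # Hash the evidence first so any later change to it can be detected.
    before=$(sha256sum "$src" | cut -d' ' -f1)
    # conv=noerror,sync keeps reading past bad sectors and zero-fills them so
    # offsets stay aligned; bs=512 matches the sector size, so sync never pads
    # beyond the end of a device (a larger bs would, and the hashes would differ).
    dd if="$src" of="$img" bs=512 conv=noerror,sync
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Re-hash the source to show the acquisition left it unchanged.
    after=$(sha256sum "$src" | cut -d' ' -f1)
    # Make the image read-only so an accidental write is noticed.
    chmod 0444 "$img"
    # Chain-of-custody line: when, who, what was imaged, and the two hashes
    # that tie the image to the original (tab-separated).
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$who" "$src" "$img" "$before" "$img_hash" >> "$log"
    [ "$before" = "$img_hash" ] && [ "$before" = "$after" ]
}

# verify_image IMAGE LOG
# Re-check an image against the hash recorded at acquisition, e.g. before it
# is handed to counsel; fails if there is no record or the hash has changed.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -F'\t' -v i="$img" '$4 == i { h = $6 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Demonstration on a constructed four-sector sample "drive", not real evidence.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/drive.raw" bs=512 count=4 2>/dev/null
acquire_image "$work/drive.raw" "$work/drive.dd" "$work/custody.log" examiner-01 \
    && verify_image "$work/drive.dd" "$work/custody.log" \
    && echo "image verified; custody record in $work/custody.log"
```

The custody log is append-only by convention; each later transfer of the image gets its own line from the same hash so the chain is continuous.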

Page 12

Security Demon 2: The Love Tryst

• Two co-workers have an affair and exchange graphic emails

• Boeing

Page 13

Legal Issues

1) Breach of code of conduct?

2) Breach of usage policy?

Page 14

Legal Issues continued

3) Lost productivity:

Some estimate that as much as 25 to 40% of the time that employees spend on the Internet at work is for personal use. An Ipsos Reid survey found that in Canada, 800 million working hours are wasted each year because employees are using the Internet at work for personal reasons.

Page 15

Legal Issues continued: lost productivity

“What makes productivity loss the most dangerous is the huge cost. Just 20 minutes a day of personal surfing or e-mailing can cost a company with 100 employees over $8,000 per week. (That's at $50 per hour per employee.) And that's not factoring in compounding effects. Merely the time it takes to open spam e-mails can take a huge toll in human performance to say nothing of what spam does to the network.” – surfcontrol.com

Page 16

Legal Issues continued: lost productivity

“Far more frightening than even the loss of productivity and revenue from Internet misuse is the liability placed upon the corporation. In fact, about 70% of all Web traffic to Internet pornography sites occurs between 9 a.m. and 5 p.m., according to SexTracker, a porn industry consultancy. The transfer and/or display of sexually explicit or inappropriate content has been known to create a hostile work environment for employees and has resulted in embarrassing and expensive lawsuits.” – searchsap.com

Page 17

Legal Issues continued

4) Some examples of case law on the access of employees’ private accounts

a) Westcoast Energy Inc v. Communications, Energy and Paperworkers’ Union of Canada, Local 686B, (1998) 84 L.A.C. (4th) 185

• An employee was terminated and filed a grievance.

• He had sent several anonymous sexually harassing e-mails to a female co-worker from work, but using a private email account.

Page 18

• The company was able to trace the e-mails back to the employee’s computer at work.

• The termination was revoked and substituted with a long suspension. The arbitrator took into account the fact that the employee had worked for the company for 24 years, had no previous discipline record, and would have to deal with the shame and loss of credibility he brought upon himself.

Page 19

Legal Issues continued

b) Camosun College v. C.U.P.E., [1999] B.C.C.A.A.A. No. 490

• In this case, an employee sent a lengthy e-mail to a “chat group” on the College’s network slashing the competence and integrity of the faculty in his department.

• He had been disciplined before for making similar false accusations.

• The arbitrator concluded that there is no confidentiality in an e-mail message sent over the employer’s system and upheld the employee’s dismissal.

Page 20

Legal Exorcism

1) Email Policy
  - Make appropriate email use clear, OR
  - Disable ability to use personal email account / block emails with certain keywords
  - Ensure employees know that the employer has access to everything done on a work computer
  - Monitor email use for compliance with policy
  - Maintain awareness of policy

2) Reasonable Expectation of Privacy
  - must remove this; good to make it explicit

Page 21

Forensic Response

• What can the technology experts do?

Page 22

Security Demon 3: The Hacker

• The classic hacker accesses the system and is able to lock out other users, manipulate or steal data, and/ or corrupt files

• Far less control over this security demon

Page 23

Legal Issues

1) No contractual relationship – can’t create policies to bind them

2) Criminal Code of Canada s. 342.1, Unauthorized Use of Computer:

- Related offences include Mischief in Relation to Data (s. 430(1.1)) and Theft of Telecommunications (s. 326(1))

Page 24

Legal Issues continued: Criminal Code of Canada

• RCMP statistics report that 120 files were opened in 1997 and 269 files were opened in 2000 related to the criminal code offences of "unauthorized use of computer" and "mischief in relation to data".

• extreme circumstances

• go to police with a strong case – gather evidence

Page 25

Legal Exorcism

1) Determine IP address behind the hacking
  - sometimes the policy is not to disclose, e.g. Telus

2) Obtain court order (requires evidence)

3) Once identified, apply for an injunction to restrain hacker from stealing

4) Anton Piller order

Page 26

Forensic Response

What can you do to catch a hacker?
