Check your employee handbook - what you might think is fraud and abuse may not be a federal case....

By Cynthia J. Larose

My colleagues over at the Employment Matters blog report on an
interesting decision drawing attention to the need for clear and explicit policies regarding "acceptable use" of computers and company information and the absolute necessity to terminate access once an employee or contractor is terminated.

Particularly in light of the upcoming Massachusetts data security regulations, permitting employees (contract or otherwise) to email unencrypted documents containing personal information of customers/clients/employees outside of the organization to be stored on a home computer (similarly unencrypted, one can presume) will be a violation of 201 CMR 17.00 if that list contains "Personal Information" of Massachusetts residents, and failing to have procedures as part of your information security plan that terminates access to such information for former employees will also be a violation. Similarly, because a health care provider and protected health information is involved here, this action would be in violation of the new HHS guidelines for the handling of PHI and, finally, because the defendant was no longer authorized to have the information, it was likely a reportable breach under HIPAA and many state laws.

For all that the incident is, it seems that the Ninth Circuit does not find that it was a violation of the federal Computer Fraud and Abuse Act.

Subscribe To Viewpoints

Published

Viewpoint Topics

Professionals

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.