Information systems security has traditionally focused on preventing damage or disruption to computer systems and data by stopping people from doing things for which they are not authorised. However, not only do hackers continually find new ways to break into systems, many security mechanisms are powerless against misbehaviour by legitimate users who perform functions for which they are authorised — the "insider attack".

Insider attacks can in many instances be more damaging than attacks from external hackers. The insider may have detailed knowledge of the firm’s computer systems, for example, knowing which information and systems are mission critical or having knowledge of the firm’s backup and security regimes. In addition, such attacks often have personal motivations, for example, where a disgruntled employee maliciously destroys data, whereas external attacks can at times be motivated by the challenge of cracking a system.

While security systems may have limitations when dealing with insiders, these systems are not the only preventive tool. Effective laws to discourage potential attackers will also assist the prevention effort. In addition to prevention, whether through security measures or laws, many organisations will also develop plans for surviving and recovering from attacks. There are difficulties in our current laws in both of these areas.

Firstly, while the recently introduced Crimes Amendment Bill is a first step toward adequate laws in the computer crime area, in our view there is still some way to go. While the offence of "unauthorised access to a computer" was deliberately left out on the introduction of the Crimes Amendment Bill in September pending further consultation, the legislation as introduced also raises issues of concern in relation to attacks by employees and other insiders. If a person damages, deletes, modifies or interferes with data or software, that person is only guilty of an offence if they have done so without authority. However, it is not hard to imagine a situation where serious damage to data is maliciously and intentionally carried out, but all within the bounds of authority. For example, a systems administrator may be authorised to create data backups and to password-protect the backups. The systems administrator may also be authorised to delete data, for example, when moving the data to a new storage location. These two steps could be combined to render the employer’s data inaccessible without the password, but, being within the bounds of authority, this would not be a crime under the proposed new legislation.

Secondly, regardless of whether an insider attack is a crime, an employer faces a number of pitfalls during the survival and recovery phase. Survival and recovery plans will often include systems for detecting whether attacks have occurred or are in progress, with the aim of limiting the damage at the earliest possible point. Where an employee is involved in the attack, the desirable step here is to immediately terminate all access to the employer’s computer network and data. The difficulty here is that removal of computing privileges may give rise to a personal grievance under the Employment Contracts Act. Employment law usually requires employers to undertake an investigation and consultation process before taking any form of disciplinary action. However, if the computer network is at risk, the employer will usually want to suspend privileges immediately, often before a full investigation of the events has been carried out. In some circumstances, removal of computing privileges can be regarded as a constructive dismissal, exposing the employer to the risk of substantial claims from the employee concerned.

Thirdly, even if the employer is able to suspend network privileges and contain the attack, if the employer wishes to investigate the event further there are additional difficulties. It has been held in a recent case that, where there is a possibility of criminal prosecution against an employee, an investigation by the employer for the purposes of disciplinary action under the Employment Contracts Act may be in breach of the Bill of Rights. An investigation aimed at identifying weaknesses in the computer system and preventing recurrences, rather than determining whether the employee should be dismissed, may also be subject to this limitation.

Focusing on external "hackers" and "crackers", the bogeymen of computer security, has, in Techlaw’s view, resulted in our lawmakers paying insufficient attention to the dangers of insider attacks. Many of the issues arising can be addressed by proper management of internal permissions and authorities and the implementation of Acceptable Use Policies governing employees’ rights of access to computing resources. However, if these steps are not taken, an employer is left with little more protection than trust and good faith in the honesty of their employees. Given that the Crimes Amendment Bill was not passed before the end of Parliament, let’s hope that the next government will have time to properly consider and consult on these issues.

Averill Parkinson is a Senior Associate in Clendon Feeney’s technology law team. This article, together with further background comments and links to other web sites, can be downloaded from www.clendons.co.nz. Send email to firstname.lastname@example.org.