At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here). Specifically, the researcher “attempted to steal as much information as possible” about his fiancé
Authorized Access
Recent CFAA Cases Address Defendants’ Violations of Employer Policies
A recent decision from the Eleventh Circuit highlights an ongoing issue under the Computer Fraud and Abuse Act (“CFAA”): the significance of policy-based restrictions when determining whether a person accessed a protected computer “without authorization” or “exceeded authorized access.”
In United States v. Rodriguez [PDF], the Eleventh Circuit upheld the criminal conviction of a Social Security Administration (“SSA”) employee, who, as part of his job duties, had access to SSA databases containing sensitive information about individuals. According to the Eleventh Circuit, Rodriguez exceeded his authorized access when he looked up personal acquaintances in the databases, in violation of agency policies that prohibited employees from obtaining database information without a business reason.