Here’s another insider threat example to know and to discuss with your legal counsel and HR folks. It highlights the need for information security and privacy policies, shows how information security and privacy must work with multiple areas on an ongoing basis, and demonstrates the sanctions that can be brought against those who break them.
On October 11 the U.S. Court of Appeals for the Ninth Circuit ruled that Steven William Sutcliffe, who posted personally identifiable information (PII) about over 1000 of his former co-workers, including “personal information, including payroll information, social security numbers, birth dates, and residential addresses, with some of this information hyperlinked to an article about identity theft” on his Web site and in addition to posting and making threats to injure or kill others was subject to federal subject-matter jurisdiction for the interstate transfer of that information.
In the appeal, the defendant, Sutcliffe, tried to argue that he was “selectively prosecuted” because an unidentified individual had sent Sutcliffe a threatening email in response to his posting of all the information and was not prosecuted. However, the court ruled that the unidentified individual was not in a similar situation because the single e-mail was responding to the defendant’s illegal and threatening postings.
This case was first tried and judged in 2004. At that time the Central District of California indicated they believed it was the first conviction under federal statute 18 U.S.C. ¬ß10-28(A)(7), the “Identity Theft and Assumption Deterrence Act of 1998” which, among other things, prohibits online posting of Social Security numbers with the intent to aid and abet identity theft.
An excerpt from the court documents providing the background and details of the case is fascinating as well as disturbing and chilling:
” Defendant, a computer technician, was hired by Global Crossing Development Company in August 2001. Shortly thereafter, however, his employment was terminated because he refused to provide the Human Resources Department with his social security number, Global Crossing discovered that he had failed to disclose past criminal convictions on his job application, and he threatened the director of Human Resources. After his termination, Defendant began picketing outside the Global Crossing building with a sign referring to a website he had created. On this website, Defendant displayed Global Crossing employees’ personal information, including payroll information, social security numbers, birth dates, and residential addresses, with some of this information hyperlinked to an article about identity theft.
When Global Crossing’s manager of policy enforcement was informed of the website, he began periodically archiving copies of the website. These copies were turned over to the FBI, which also archived screen-shots of the website on three occasions. As they visited the website, Global Crossing officials and the FBI saw increasing amounts of personal information posted online. Specifically, the number of Global Crossing employees whose social security numbers were displayed online increased from approximately fifteen on October 24, 2001, to well over a thousand on December 3, 2001.
Global Crossing obtained a temporary restraining order against Defendant in October 2001. A process server drove to Defendant’s California residence to serve the order on him in a vehicle bearing South Dakota license plates. As she was leaving his residence after serving the papers on him, she observed Defendant writing something on a piece of paper.
That night, she saw that her name and the vehicle’s license plate number had been posted on the website. During subsequent visits to the website, she read several statements addressed to her. On October 24, 2001, one week after she served the order on Defendant, a page on the website stated:
Do you really think I am just some computer geek? You are not even close!
If you don’t like seeing your license plate on this website, here is some advice next time you attempt to stake-out my home, get a rental-car! . . .
By the way, I was planning on taking a trip to South Dakota real soon to visit Mt. Rushmore, maybe we can “hook-up.” Then maybe we could talk about this sudden rage and anger you have about seeing your license plate number published on this site? You think seeing that number is bad . . . trust us when we say [it] can get much, much, worse.
To close, [Process Server], if you call this house again and threaten me, or my family, or ever appear near me, or my family, I will personally send you back to the hell from where you came.
On January 31, 2002, a page on the website read:
[Process Server], have you ever been stabbed with a knife? I have. A real big one, punctured my lung.
. . . Anyhow, the reason I am telling you this is to let you know I understand you were just doing your job, just like I was just trying to do my job.
Just as that man was doing his job, which at the time was to try to kill me. As I forgave him, I can forgive you. This does not mean however I want to see or meet this man again.
I really don’t take kindly to people threatening me or lying to the courts that they served me with a T.R.O. . . .
Our paths are now crossed and we are forever joined . . . to deal with that I am going to make you a one time offer. If I never see or hear from or of you again, I will forget you . . . . However, if I do ever hear your name mentioned against me ever again I will personally add you to my domain list. I think you understand the issues now enough to understand what this means. If I ever see you near my family again, and I know how to stalk too, I will kill you. That’s my offer.
Now, go in the peace and lie about me no more.”
Defendant also used the website to express his dissatisfaction with Global Crossing’s former assistant general counsel. On March 17, 2002, the website included a page stating that it was “Dead-icated” to this attorney. (E.R. at 100.) This page was accompanied by a sound file of frightening music and a voice stating: “Welcome to my domain. This is all far from over.” (E.R. at 100; G.E.R. at 295.) A link on this page led to a page displaying personal information about the attorney, including her home address, home phone number, social security number, signature, and date of birth. This page was linked to a detailed map showing the location of her home. Another link on the page opened a file displaying a photograph of her with her young daughter, while a voiceover stated: “I can outrun you. I can outthink you. I can outphilosophize you, and I’m going to outlast you.” The voiceover came from Cape Fear, a film in which an ex-convict stalks and attempts to kill an attorney and his daughter.
Another individual specifically targeted on the website was the then-chairman of Global Crossing. Defendant posted the chairman’s personal information, including his social security number and home address, on the website in February 2002. Defendant also posted a message telling him, “Keep your dogs @ bay . . . I’m now armed.”
Judge Monroe G. McKay ruled that under United States v. Trotter, “as both the means to engage in commerce and the method by which transactions occur, the Internet is an instrumentality and channel of interstate commerce.”
The Ninth Circuit in response to Sutcliffe’s appeal said the following evidence provided sufficient grounds to exercise federal jurisdiction over the defendant because he transferred information interstate via his Web site:
* Sutcliffe was living in California at the time he posted the messages to his website
* Sutcliffe posted threats and Social Security numbers on the site after he moved to Nebraska
* The website information was uploaded to multiple servers located in Louisiana, North Carolina, and Virginia
Pretty scary stuff, eh? It really shows how information security and privacy policies go beyond compliance and truly are necessary for mitigating many types of risks. It also highlights the insider threat.
But be sure to note the reasons why this case turned into one under federal jurisdiction. Think about how easily this occurs with the Internet.
A few of the lessons learned…
* Organizations need to do background checks on individuals they are hiring, contracting or otherwise giving systems and PII access to before they hire them, and regularly following hire, as allowed by law.
* Organizations need to document and communicate their information security and privacy policies and procedures to ensure their personnel know and understand what responsibilities they have to protect information, along with how to spot red flags in the behavior of co-workers and report such suspicious behavior to the appropriate position.
* Information security and privacy areas need to work closely with the Human Resources, Safety, Physical Security and Legal areas to create procedures to address the insider threat and to ensure all the links between the areas are thoroughly considered.
* Effective controls must be established to ensure personnel have access to only the information they need to perform their job responsibilities, and no more.
* Effective exit procedures must be established to ensure personnel who leave the company, under any conditions, do not take sensitive information such as PII with them.
* Technology controls should be established to log access authorized personnel have to sensitive data, such as PII, and the logs should be reviewed by an independent area, such as internal audit or information security, to identify inappropriate access and stop it as soon as possible to lessen the potential for bad things to happen…to not only the company, but also to prevent bad things from happening to personnel and customers.
Tags: awareness and training, cybercrime, data protection law, Global Crossing, identity theft, Information Security, insider threat, IT compliance, policies and procedures, privacy, privacy law, risk management, security law, security training, Steven William Sutcliffe