My colleagues over at the Employment Matters blog report on an
interesting decision drawing attention to the need for clear and explicit policies regarding “acceptable use” of computers and company information and the absolute necessity to terminate access once an employee or contractor is terminated.
Particularly in light of the upcoming Massachusetts data security regulations, permitting employees (contract or otherwise) to email unencrypted documents containing personal information of customers/clients/employees outside of the organization to be stored on a home computer (similarly unencrypted, one can presume) will be a violation of 201 CMR 17.00 if that list contains “Personal Information” of Massachusetts residents, and failing to have procedures as part of your information security plan that terminates access to such information for former employees will also be a violation. Similarly, because a health care provider and protected health information is involved here, this action would be in violation of the new HHS guidelines for the handling of PHI and, finally, because the defendant was no longer authorized to have the information, it was likely a reportable breach under HIPAA and many state laws.
For all that the incident is, it seems that the Ninth Circuit does not find that it was a violation of the federal Computer Fraud and Abuse Act.