The risk of a data breach has never been higher as sophisticated criminals have the expertise, organization and financial backing to execute cyberattacks at will. No corporation or government agency is immune. These hackers look to steal company and customer data, hold it for ransom, or sell it to the highest bidder. Threats from insiders, including current and former employees, business partners and vendors, are particularly troublesome because most have some level of access to corporate networks.
Florida’s Computer Abuse and Data Recovery Act (CADRA) enables businesses to pursue a civil action for harm or loss that occurs when an unauthorized individual or group gains access to computer systems or data. In effect since October 1, 2015, CADRA is expected to serve as a national model for legislation that provides this legal remedy for dealing with such crimes.
Before CADRA, organizations relied upon Florida’s Computer Crimes Act, which has had limited effectiveness because the meaning of data access “without authorization” is vague and because it allows civil action only if a person has already been convicted under the act. The Federal Computer Fraud and Abuse Act has similarly vague definitions surrounding authorization. Also, circuit courts of appeals have disagreed about whether a disloyal employee who has authorized access to data is breaking the federal law, regardless of whether that employee uses the data for financial gain.
CADRA protections are available to organizations that protect their computers with a technological access barrier (TAB), such as a password, security code, token, key fob or access device. A violation occurs when someone “knowingly and with intent to cause harm or loss” gains access to TAB-protected data, programs and systems without authorization. Florida businesses can now recover lost profits and costs, including attorneys’ fees, that are incurred as a result of a violation, as well as any financial gains made by the offending party.
Obviously, employees lose authorized access to the network as soon as they become former employees, whether by resignation or termination. However, they can email data to themselves or print information before they leave the company. CADRA enables employers to take legal action against employees who fail to return any data that may have been taken.
While CADRA was developed in large part to enable organizations to recover losses that result from insider threats, it also encourages a more proactive approach to data security and deterrence. Organizations can reduce the risk of malicious activity and ensuing litigation by implementing a formal data access policy that answers several key questions:
In addition to putting TABs in place, organizations should explore the use of monitoring tools that are capable of tracking who is accessing data, what device is being used, and the movement of that data, especially when it leaves the network. Employees must also be trained on data access best practices and understand that access to company data is being closely monitored.
According to a recent Ponemon Institute study, nearly half of survey respondents said their organization dealt with a security breach within the preceding 24 months. Third-party and insider threats do the most damage. Florida businesses should make it a priority to understand the requirements and implications of CADRA, and become more proactive in controlling and monitoring access to sensitive data.