Was a Crime Committed?

Computerworld - The Global Crossing Holdings Ltd. case highlights the fine balance between an individual's right to privacy and the extent to which others may be able to legally disseminate any information to which they obtain access, legal experts said.

A disgruntled former IT employee at the financially troubled networking giant has allegedly been posting the names, Social Security numbers and birth dates of nearly 7,000 of the company's employees on his Web site.

According to a Global Crossing attorney, authorities have been unable to stop the alleged perpetrator, though the company is pursuing "all civil and criminal avenues," with both the local police and the FBI involved.

All attempts at serving the individual with an injunction have failed because no one knows where he is, said the attorney, who requested anonymity.

Another obstacle is that it may be almost impossible to prove that the former worker stole the information. He claims that he's simply posting something that had been given to him, the attorney said. "We don't have the smoking gun. ... He says he didn't steal it," the attorney said, adding that wile it's not a crime in itself to post employee information on the Web, it may be possible to file charges of aiding and abetting identity theft by releasing such information.

Even though it might be possible to track down the alleged perpetrator by asking Internet service providers and phone companies to hand over relevant information, authorities would most likely need to show that he had committed some "actionable" offense before getting the necessary subpoenas, said David Loundy, an associate professor at The John Marshall Law School in Chicago.

That would mean showing that he had broken state or federal statutes relating to the aiding and abetting of identity theft, Loundy said. Even where identity theft may have occurred, it may not always be easy to show that it was this specific site that led to the theft.

That's because Social Security numbers are widely used both as identifiers and passwords for Web site access, said Stephen Keating executive director of the Privacy Foundation in Denver.

As a result, one of the legal avenues that Global Crossing is pursuing is the possibility that a proprietary information agreement was violated, the attorney said.

The incident highlights the danger both of underestimating internal security threats and of failing to have an incident response plan in place in case something does happen, said Michael Rasmussen, an analyst at Cambridge, Mass.-based Giga Information Group Inc.

"Most companies are not paying enough attentionto it, though there is lots of data to show how real the threat [of insider attacks] is," Rasmussen said.

Read more about security in Computerworld's Security Knowledge Center.