Sen. Amy Klobuchar has introduced a new bill, the “Cloud Computing Act of 2012” (S.3569), that purports to “improve the enforcement of criminal and civil law with respect to cloud computing.”
The Cloud Computing Act seeks to amend 18 USC 1030 by:
- Making it a separate offense to have unauthorized access (including exceeding the authorized access) to a cloud computing account, or even to conspire to have unauthorized access.
- Defining “cloud computing account” as “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual”
- Defining “cloud computing service” as a service that “enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.”
- Setting the losses as (1) the value of the loss of use, information, or aggregated loss to 1 or more persons; or (2) the product obtained by multiplying the number of cloud computing accounts accessed by $500.
As a reminder, under 18 USC 1030, a person who acts or conspires to act in violation of the Act is to be:
- (1) fined or imprisoned for not more than 10 years or both, when the conviction does not occur after another offense under the section; or
- (2) fined or imprisoned for not more than 20 years or both, when the conviction occurs after another offense.
The problems with this proposed bill are alarming due to the vagueness of the definitions. In employment, I can see this Act (if it goes through) being used against employees.
For example, say your authorized access is limited to “work” use. If an employee uses the computer network to go to a social network, how would this pan out? The employee, in this case, uses a password to get into the network of the employer.
Or say that authorized access is limited to using email for work purposes only. What if the employee sends a personal email or an email to an attorney using the work email? The email account is, after all, protected by a password and it is in the alleged protected network of the employer.
Or say that authorized access is limited to accessing the email at work. Yet, the employee and other employees, and say even management, use their smartphones to keep up with work.
I can see potential issues in employment law, where the situation does not arise out of the purported intent of the Act. None of these cases involve a person getting into a network or service to steal information. None of these cases involve a disgruntled employee accessing information they are not supposed to have access to.
It is my guess that if the Act gets through, there will be a need for a lot of updates on employee policies, manuals, and trainings.