Back in August 2009, I noted the conviction of a former SSA employee, Roberto Rodriguez. At the time, I reported:
Roberto Rodriguez, 54, formerly of Fort Lauderdale, FL, was convicted by a jury on July 29, 2009 of seventeen counts of exceeding his authorized access to a government computer. Rodriguez is scheduled to be sentenced on October 9, 2009, before U.S. District Court Judge William J. Zloch.
[…]
It is not clear from the press release what Rodriguez’s motivation was in obtaining the individuals’ data and what, if anything, he did with it.
Thanks to a helpful site reader, I just learned that there had been an appeal of his conviction. The Eleventh Circuit Court of Appeals ruling on his appeal provides some additional detail as to Rodriguez’s motivation in accessing the personal information: he knew the people and was not using the information for any financial gain on his part. From the court’s December 27th opinion:
The main issue in this appeal is whether the prying by a former bureaucrat is criminal: that is, whether the defendant violated the Computer Fraud and Abuse Act, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Roberto Rodriguez, a former employee of the Social Security Administration, appeals his conviction for violating the Act on the grounds that he did not exceed his authorized access to his former employer’s databases and that he did not use the information to further another crime or to gain financially. The Administration prohibits accessing information on its databases for nonbusiness reasons, and Rodriguez at trial admitted that he accessed information for nonbusiness reasons when he obtained personal identifying information, such as birth dates and home addresses, of 17 persons he knew or their relatives. Rodriguez also appeals his sentence of 12 months of imprisonment on the ground that it is unreasonable. Because the record establishes that Rodriguez exceeded his authorized access and the Act does not require proof that Rodriguez used the information to further another crime or to gain financially, we AFFIRM his conviction. We also conclude that Rodriguez’s sentence is reasonable.
I’ve uploaded a copy of the opinion, here. If you read it, you may be as amazed as I was to discover that Rodriguez had repeatedly refused to sign forms acknowledging the privacy policies and standards, and that even when he was notified that they had detected something unusual and would be investigating him, he continued to misuse his access to the database.
Why he was allowed to even keep his job when he refused to sign an agreement to adhere to privacy policies is puzzling, to say the least.
Over on PogoWasRight.org, I quote some of the opinion as to how Rodriguez misused the information he obtained. This was not just a case of curious snooping and serves as a powerful reminder of why we need to improve security to prevent employees accessing files they have no need to access for their work-related duties.