The Supreme Court of the United States (SCOTUS) has announced that its investigation to find the insider who leaked a draft opinion of the Dobbs v. Jackson Women’s Health Org. decision to media outlet Politico has come up empty.

In a nutshell, the court’s insider risk management program, designed to protect the information the justices handle on a daily basis, failed—and failed miserably. Frankly, based on the findings of the report, the court’s insider risk management program—if it existed—was anemic at best.

The investigation, detailed in a 23-page report released on January 19, indicates that the court’s methodology was judged to be thorough by Michael Chertoff of the Chertoff Group, who was asked to review the marshal of the court’s investigative results.

Basic security protocols were not in place

Chertoff’s recommendations speak volumes about the state of affairs of the information security arena within SCOTUS and every CISO will recognize that what should have happened was basic blocking and tackling (or infosec 101):

Restrict the distribution of hard copy versions of sensitive documents.
Restrict email distribution for sensitive documents.
Use information rights management (IRM) tools to better control how sensitive documents are used, edited, and shared.
Limit the access to sensitive information on outside mobile devices.

All investigations are limited to the available data. The marshal may well have been most thorough, but what was available seems to indicate an arcane and dated information-handling strategy was in place within the court. The court did not embrace the basic tenets of insider risk management by any stretch of the imagination.

SCOTUS leak investigators used subjective criteria

The report highlights that 97 employees were interviewed, all of whom denied providing the draft to Politico.
The report goes on to explain that investigators had apparently divided the employees into cohorts based on an “evaluation of statements and conduct of personnel who displayed attributes associated with insider-threat behavior—violation of confidentiality rules, a disgruntled attitude, claimed stress, anger at the court’s decision, etc.—and weighed behavior and evidence that would tend to mitigate any adverse inferences. Investigators also carefully evaluated whether personnel may have had reason to disclose the court’s draft decision for strategic reasons.”

This is a long-winded way of saying that investigators employed subjective criteria and the content of personnel files (no doubt looking for prior reprimands) and considered whether an individual might hold opinions that did not align with the draft opinion to determine who may have been most likely to violate the trust of the court.

Joyce Vance, former US attorney and co-host of the #SistersInLaw podcast, noted in a series of public Twitter posts that it appeared the investigation focused on people who had “anger at the court’s decision.” She contends that the investigation appeared “very one-sided” and noted that the “court could have explained what they did and didn’t do, why they didn’t use criminal investigators, given cyber issues and their list of possible criminal violations. Transparency wasn’t the goal here.”

In fairness, the report does reference that “the investigative team consists of seasoned attorneys and trained federal investigators with substantial experience conducting criminal, administrative, and cyber investigations,” without further attribution.
Interestingly, the report does not indicate if the 97 employees included the nine justices.

Remote working clouded leak investigation

Highlighted by the marshal is an issue that every CISO has had to address throughout the pandemic: a dispersed workforce, working from locations other than their principal place of employment—in other words, working from home. This reduced the IT team’s visibility. In addition, the interviews of employees revealed that several did not handle the document in accordance with existing IT policies and that numerous copies were printed, though neither logged nor accounted for by any empirical methodologies, as there was “very little logging capability at that time.”

Additionally, the report indicates that some employees violated the “need to know” principles and shared sensitive portions of the draft with their spouses.

The investigation goes on to opine that it is “unlikely that the public disclosure was caused by a hack of the court’s IT system.” The report continues that the investigation did not “uncover any evidence that an employee with elevated IT access privileges accessed or moved the draft opinion.” Furthermore, the investigators “did not find any logs or IT artifacts indicating that the draft opinion had been downloaded onto removable media, but it is impossible to rule out.”

The takeaway for CISOs from SCOTUS leak investigation

The important takeaway for CISOs and their infosec and insider risk management teams lies within the conclusion provided in the marshal’s report: “Assuming, however, that the opinion was intentionally provided to Politico by a court employee, that individual was evidently able to act without being detected by any of the court’s IT systems.
If it was a court employee or someone who had access to an employee’s home, that person was able to act with impunity because of inadequate security with respect to the movement of hard copy documents from the court to home, the absence of mechanisms to track print jobs on court printers and copiers, and other gaps in security or policies.”

It was not until the investigation was initiated that it was recognized there were gaping holes in the ability to discern what was happening within the network and with the sensitive data. The court did not know what they didn’t know, and only because they were stung did they learn that they lacked the ability to reconstruct events. The court lost a draft opinion, the loss of which was overtaken by events when the decision was officially made and the ruling put forward. Companies with intellectual property to protect may not be so fortunate.

The loss of intellectual property, the lifeblood of many a company, may have significant deleterious effects on the sustainability of the entity. How many companies can withstand the loss of their “crown jewels” and then find themselves competing on the global market at a future date against products following their own design? Not many.

Best to invest upfront in the ability to monitor one’s infrastructure so that in the event of need, one may reconstruct events and provide the empirical evidence desired.