Preserve Claims Under the Computer Fraud and Abuse Act by Specifying the Limits of Computer Authorization

By Kevin S. Murphy


A powerful federal law, the Computer Fraud and Abuse Act (“CFAA”), provides employers with a right to sue for damages when a person intentionally accesses a computer “without authorization” or “exceeds authorized access” and obtains information from the company, causing it damage. 18 U.S.C. § 1030(a)(2), (4), (5). Enacted in 1984 as a protection against outsiders hacking into a company's systems, it has become a vehicle by which an employer can seek redress against its own employees who use the company's computer systems to damage the company.


Courts construing the CFAA in cases brought against employees have sometimes reasoned that, at the moment the employee uses information in a way contrary to the employer's interest, she has essentially lost whatever authorization she had even to access the computer, and thus may have violated the CFAA.


However, a growing number of courts have decided that an employee who misuses such information does not violate the statute so long as she was authorized to access the computer in the first place. Under this interpretation, an employee who is authorized to access the Company's computers remains authorized even when he accesses them for a bad purpose, such as copying or transmitting the Company's information for the benefit of a new employer. Thus, because he remains authorized, he is not in violation of the CFAA.


At least one court has found it important that the employer had no policy stating what actions an employee was authorized to take regarding computer systems. In that case, the issue was whether an employee could transmit information to his home computer from Company computers. The case implies that, had the employer spelled out the limits of the employee's authorized acts, the company might have had a CFAA claim when the employee exceeded those limits.


Thus, to be able to assert a claim under the CFAA, employers are advised to have a written policy in place which spells out and specifically limits the purposes for which the employee may use Company computers, and/or the information which the employee may access. Employers should make this policy as specific as possible to heighten the chances that it is enforced in later litigation, and could set it out in an offer letter or other agreement signed by the employee. If more specific language cannot be crafted, the employer may consider language in a policy or handbook which provides that, once an employee makes improper use of a Company's computer, he instantly loses all authorization to access Company systems. An example of simple policy language is set out below:


Sample Policy Language

The Company's computer systems are provided as tools for its business and all programs and information created, accessed, or stored using these systems are the property of the Company.

Employees are authorized to access the programs and data maintained on the Company's computers only for the purposes of fulfilling their duties to the Company. Employees are not authorized to access, copy or transmit any program or data for any purpose other than the Company's business.

Violators of this policy immediately lose all authorization to access Company systems and are subject to disciplinary action up to termination of employment and legal action.

If and when an employee decides to, or does, access or make any use of the Company's systems, in a manner or with a result contrary to the Company's interests, the employee immediately loses all authorization to access any such systems.


 


Yurko, Salvesen & Remz, P.C. © 2009