How to Create and Enforce Effective Computer Usage Policies

Re-published with permission from White-Collar Crime Fighter,

The problem of departing employees stealing their ex-employers' electronically stored trade secrets has taken on near-epidemic proportions.

The good news: Under the latest amendments to the federal Computer Fraud and Abuse Act (CFAA), federal courts have jurisdiction to protect any computer that is connected to the Internet against "wrongful use."

And—recent court cases have further clarified the definition of employee abuse of company computers.

Result: The CFAA now serves as a clear legal guideline for employers to use in developing and implementing computer usage policies that greatly reduce the opportunity for trade secret abuse.

Key: The CFAA prohibits an "insider", i.e. an employee, from "exceeding" his or her computer usage authorization. In other words—employees who abuse their computer usage rights are not correct in assuming that because they are insiders, they are immune from claims that they exceeded their usage authorization.

Recent case: Mr. X, an employee of Shurgard Storage Centers, left his employer to join Safeguard Self Storage—a competitor. Upon his departure, Mr. X sent E-mail messages reportedly containing Shurgard trade secrets.

Court: The CFAA was "intended to control interstate computer crimes, and since the advent of the Internet, almost all computer use has become interstate in nature." Shurgard's computers were therefore clearly protected under the terms of the CFAA.

Problem: Mr. X's alleged violation of CFAA by exceeding his authorization to use Shurgard's computers was not easy to prove because Mr. X had no formal contract with Shurgard describing the terms of his authorization.


To avoid potential legal hassles concerning their employees' unauthorized use of computers, employers should consider establishing an explicit computer systems usage policy that contains a section titled "Conditions to Authorization."

Purpose: To specify explicit conditions under which employees are authorized to use the computer system, and to stipulate that if a condition is violated by an employee, the employee's authorization is automatically revoked.

The policy can be implemented via a written agreement, although it is usually easier to establish a computer systems-based procedure, where the employee is required to assent to the terms and conditions of use as a prerequisite for signing onto the computer system the first time. Additional recommended policy provisions...

  1. A provision that allows the policy to be updated from time to time, and to have the updates become effective for any employee when that employee continues to use the computer system after the updates are published.

    Effective: An E-mail to all employees, directing them to view the new policies on the company intranet. That allows you to prove, if necessary, that every employee had adequate notice about updates.

  2. A requirement that each user undergo a "re-initiation" of his or her account from time to time, thereby implementing an automated procedure requiring all users to periodically re-assent to the updated terms and conditions of computer system use.

    These methods have proven effective with so-called "click-wrap" licenses involving on-line sales—where customers are asked to read an on-line sales contract and click to accept it. Similar contracts are equally applicable in the workplace context.

  3. A disclaimer, stating that the list of explicit conditions of use is not meant to displace or supersede any implicit conditions that are otherwise recognized by law.

    Important: An employee might argue, in later litigation, that his or her employer's express identification of specific conditions was meant to represent an exhaustive listing.

  4. A provision stating that a violation of a condition also constitutes grounds for dismissal (although this result may be implied even without an explicit statement).

    Critical: If your policy already specifies that such a violation automatically revokes the employee's authorization, then any further use by the employee of the computer system after the automatic revocation is likely to constitute a violation of at least one section of the CFAA.

    Reason: Under the CFAA, a person who intentionally accesses a computer without authorization and thereby obtains information from a protected computer violates the Act if the conduct involves an interstate or foreign communication.

    Result: You can base a disciplinary action, or even a dismissal, on employee conduct that violates a federal criminal statute.

  5. Examples of unauthorized usage worth including in this provision...
    • Any use of the system for playing games or for visiting Web sites in a "Disapproved" category. (Consider making a list titled "Disapproved" and simply adding categories of sites to that list as your imagination dictates, such as game-playing sites, explicit sex sites, etc).
    • Visiting Web sites of a competitor, for the purpose of investigating employment with that company.
    • Any use of the system to send any company information to another party-except when it is necessary or appropriate for the advancement of the company's business interests.
    • Any granting of permission by an employee for a non-employee to use the system.


If a condition is violated, your policy should clearly state that you may have powerful grounds for dismissal of the guilty employee, based on the employee's violation of a federal criminal.

White-Collar Crime Fighter source: Edmund B. (Pete) Burke, Attorney at Law, Seven Piedmont Center, Suite 300, Atlanta, Georgia 30305, Mr. Burke is a specialist in negotiating complex software, hardware and information technology agreements and practices in many areas of intellectual property and high-technology law.

You may like these other stories...

The issue of international assignees was, for a long time, limited to a small number of companies – meaning only those that operated on an international scale. But in recent years, global expansion has shifted into...
Steve Jobs. Sergey Brin. Mark Zuckerberg. Each of these individuals, and their companies, are celebrated as changing the face of the technology. They all followed a similar path to success: excelling at one thing and...
Read more articles by Sally Glick here.While reading a recent article titled, "Bondage to Busyness," by Alan Morinis, I was struck by his reminder regarding how stressed and pressured we all are today. Our...

Already a member? log in here.

Upcoming CPE Webinars

Sep 24
In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.
Sep 30
This webcast will include discussions of important issues in SSARS No. 19 and the current status of proposed changes by the Accounting and Review Services Committee in these statements.
Oct 21
Kristen Rampe will share how to speak and write more effectively by understanding your own and your audience's communication style.
Oct 23
Amber Setter will show the value of leadership assessments as tools for individual and organizational leadership development initiatives.