How to Create and Enforce Effective Computer Usage Policies

Re-published with permission from White-Collar Crime Fighter,

The problem of departing employees stealing their ex-employers' electronically stored trade secrets has taken on near-epidemic proportions.

The good news: Under the latest amendments to the federal Computer Fraud and Abuse Act (CFAA), federal courts have jurisdiction to protect any computer that is connected to the Internet against "wrongful use."

And—recent court cases have further clarified the definition of employee abuse of company computers.

Result: The CFAA now serves as a clear legal guideline for employers to use in developing and implementing computer usage policies that greatly reduce the opportunity for trade secret abuse.

Key: The CFAA prohibits an "insider", i.e. an employee, from "exceeding" his or her computer usage authorization. In other words—employees who abuse their computer usage rights are not correct in assuming that because they are insiders, they are immune from claims that they exceeded their usage authorization.

Recent case: Mr. X, an employee of Shurgard Storage Centers, left his employer to join Safeguard Self Storage—a competitor. Upon his departure, Mr. X sent E-mail messages reportedly containing Shurgard trade secrets.

Court: The CFAA was "intended to control interstate computer crimes, and since the advent of the Internet, almost all computer use has become interstate in nature." Shurgard's computers were therefore clearly protected under the terms of the CFAA.

Problem: Mr. X's alleged violation of CFAA by exceeding his authorization to use Shurgard's computers was not easy to prove because Mr. X had no formal contract with Shurgard describing the terms of his authorization.


To avoid potential legal hassles concerning their employees' unauthorized use of computers, employers should consider establishing an explicit computer systems usage policy that contains a section titled "Conditions to Authorization."

Purpose: To specify explicit conditions under which employees are authorized to use the computer system, and to stipulate that if a condition is violated by an employee, the employee's authorization is automatically revoked.

The policy can be implemented via a written agreement, although it is usually easier to establish a computer systems-based procedure, where the employee is required to assent to the terms and conditions of use as a prerequisite for signing onto the computer system the first time. Additional recommended policy provisions...

  1. A provision that allows the policy to be updated from time to time, and to have the updates become effective for any employee when that employee continues to use the computer system after the updates are published.

    Effective: An E-mail to all employees, directing them to view the new policies on the company intranet. That allows you to prove, if necessary, that every employee had adequate notice about updates.

  2. A requirement that each user undergo a "re-initiation" of his or her account from time to time, thereby implementing an automated procedure requiring all users to periodically re-assent to the updated terms and conditions of computer system use.

    These methods have proven effective with so-called "click-wrap" licenses involving on-line sales—where customers are asked to read an on-line sales contract and click to accept it. Similar contracts are equally applicable in the workplace context.

  3. A disclaimer, stating that the list of explicit conditions of use is not meant to displace or supersede any implicit conditions that are otherwise recognized by law.

    Important: An employee might argue, in later litigation, that his or her employer's express identification of specific conditions was meant to represent an exhaustive listing.

  4. A provision stating that a violation of a condition also constitutes grounds for dismissal (although this result may be implied even without an explicit statement).

    Critical: If your policy already specifies that such a violation automatically revokes the employee's authorization, then any further use by the employee of the computer system after the automatic revocation is likely to constitute a violation of at least one section of the CFAA.

    Reason: Under the CFAA, a person who intentionally accesses a computer without authorization and thereby obtains information from a protected computer violates the Act if the conduct involves an interstate or foreign communication.

    Result: You can base a disciplinary action, or even a dismissal, on employee conduct that violates a federal criminal statute.

  5. Examples of unauthorized usage worth including in this provision...
    • Any use of the system for playing games or for visiting Web sites in a "Disapproved" category. (Consider making a list titled "Disapproved" and simply adding categories of sites to that list as your imagination dictates, such as game-playing sites, explicit sex sites, etc).
    • Visiting Web sites of a competitor, for the purpose of investigating employment with that company.
    • Any use of the system to send any company information to another party-except when it is necessary or appropriate for the advancement of the company's business interests.
    • Any granting of permission by an employee for a non-employee to use the system.


If a condition is violated, your policy should clearly state that you may have powerful grounds for dismissal of the guilty employee, based on the employee's violation of a federal criminal.

White-Collar Crime Fighter source: Edmund B. (Pete) Burke, Attorney at Law, Seven Piedmont Center, Suite 300, Atlanta, Georgia 30305, Mr. Burke is a specialist in negotiating complex software, hardware and information technology agreements and practices in many areas of intellectual property and high-technology law.

You may like these other stories...

For the first time in the five-year history of’s rankings of the top 50 accounting firms to work for in North America, a firm has held the top spot as best accounting employer for two consecutive years....
With tomorrow being Tax Day, you might see some procrastinators at your office filling out forms, printing out paperwork, or getting last-minute tax advice from their accountant so they can meet the IRS’s filing...
You can read volumes on how to manage an accounting practice. But if you want the quick version, just read the following four points. Everything else is just commentary.  (These points come out of the 1997 book, The...

Upcoming CPE Webinars

Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.
Apr 30
During the second session of a four-part series on Individual Leadership, the focus will be on time management- a critical success factor for effective leadership. Each person has 24 hours of time to spend each day; the key is making wise investments and knowing what investments yield the greatest return.