How to Create and Enforce Effective Computer Usage Policies
Re-published with permission from White-Collar Crime Fighter, www.wccfighter.com.
The problem of departing employees stealing their ex-employers' electronically stored trade secrets has taken on near-epidemic proportions.
The good news: Under the latest amendments to the federal Computer Fraud and Abuse Act (CFAA), federal courts have jurisdiction to protect any computer that is connected to the Internet against "wrongful use."
And recent court cases have further clarified the definition of employee abuse of company computers.
Result: The CFAA now serves as a clear legal guideline for employers to use in developing and implementing computer usage policies that greatly reduce the opportunity for trade secret abuse.
Key: The CFAA prohibits an "insider," i.e., an employee, from "exceeding" his or her computer usage authorization. In other words, employees who abuse their computer usage rights are wrong to assume that, because they are insiders, they are immune from claims that they exceeded their usage authorization.
Recent case: Mr. X, an employee of Shurgard Storage Centers, left his employer to join Safeguard Self Storage—a competitor. Upon his departure, Mr. X sent E-mail messages reportedly containing Shurgard trade secrets.
Court: The CFAA was "intended to control interstate computer crimes, and since the advent of the Internet, almost all computer use has become interstate in nature." Shurgard's computers were therefore clearly protected under the terms of the CFAA.
Problem: Mr. X's alleged violation of the CFAA by exceeding his authorization to use Shurgard's computers was not easy to prove because Mr. X had no formal contract with Shurgard describing the terms of his authorization.
To avoid potential legal hassles concerning their employees' unauthorized use of computers, employers should consider establishing an explicit computer systems usage policy that contains a section titled "Conditions to Authorization."
Purpose: To specify explicit conditions under which employees are authorized to use the computer system, and to stipulate that if a condition is violated by an employee, the employee's authorization is automatically revoked.
The policy can be implemented via a written agreement, although it is usually easier to establish a computer systems-based procedure, where the employee is required to assent to the terms and conditions of use as a prerequisite for signing onto the computer system the first time.
Additional recommended policy provisions...
- A provision that allows the policy to be updated from time to time, and to have the updates become effective for any employee when that employee continues to use the computer system after the updates are published.
Effective: An E-mail to all employees, directing them to view the new policies on the company intranet. That allows you to prove, if necessary, that every employee had adequate notice about updates.
- A requirement that each user undergo a "re-initiation" of his or her account from time to time, thereby implementing an automated procedure requiring all users to periodically re-assent to the updated terms and conditions of computer system use.
These methods have proven effective with so-called "click-wrap" licenses involving on-line sales—where customers are asked to read an on-line sales contract and click to accept it. Similar contracts are equally applicable in the workplace context.
- A disclaimer, stating that the list of explicit conditions of use is not meant to displace or supersede any implicit conditions that are otherwise recognized by law.
Important: An employee might argue, in later litigation, that his or her employer's express identification of specific conditions was meant to represent an exhaustive listing.
- A provision stating that a violation of a condition also constitutes grounds for dismissal (although this result may be implied even without an explicit statement).
Critical: If your policy already specifies that such a violation automatically revokes the employee's authorization, then any further use by the employee of the computer system after the automatic revocation is likely to constitute a violation of at least one section of the CFAA.
Reason: Under the CFAA, a person who intentionally accesses a computer without authorization and thereby obtains information from a protected computer violates the Act if the conduct involves an interstate or foreign communication.
Result: You can base a disciplinary action, or even a dismissal, on employee conduct that violates a federal criminal statute.
- Examples of unauthorized usage worth including in this provision...
  - Any use of the system for playing games or for visiting Web sites in a "Disapproved" category. (Consider making a list titled "Disapproved" and simply adding categories of sites to that list as your imagination dictates, such as game-playing sites, explicit sex sites, etc.)
  - Visiting Web sites of a competitor, for the purpose of investigating employment with that company.
  - Any use of the system to send any company information to another party, except when it is necessary or appropriate for the advancement of the company's business interests.
  - Any granting of permission by an employee for a non-employee to use the system.
If a condition is violated, your policy should clearly state that you may have powerful grounds for dismissal of the guilty employee, based on the employee's violation of a federal criminal statute.
White-Collar Crime Fighter source: Edmund B. (Pete) Burke, Attorney at Law, Seven Piedmont Center, Suite 300, Atlanta, Georgia 30305, email@example.com. Mr. Burke is a specialist in negotiating complex software, hardware and information technology agreements and practices in many areas of intellectual property and high-technology law.