The Computer Fraud and Abuse Act: Employer FAQs

August 25, 2011 by  Filed under: Management 

Did an outgoing worker copy client data files and use them for his or her new job? Has an employee accessed a company database to obtain a fellow employee’s home address? If a worker taps into business data without authorization or exceeding the authorization they have been granted, the Computer Fraud and Abuse Actmay give you recourse for legal action.

What is the Computer Fraud and Abuse Act?

Also called the CFAA, this federal law prohibits individuals from accessing computers without authorization or in a way that exceeds authorized access. The law was passed in 1986 and has been amended numerous times since.

Can employers use the CFAA to bring action against employees who access data without authorization?

Yes. In fact, a number of recent court decisions have supported employer use of the Computer Fraud and Abuse Act:

  • A Social Security Administration employee was accused of using SSA databases to access information about women he knew. For instance, he looked up data regarding his ex-wife’s earning history. The worker also used the databases to locate the address of a woman he was interested in so he could send her Valentine’s Day flowers. The man was convicted of 17 counts of violating the Computer Fraud and Abuse Act, and the the 11th Circuit Court of Appeals upheld the conviction.
  • An IT employee in a Michigan advertising firm accessed confidential information regarding the company’s CEO. When the worker shared the files with company management, allegedly to reveal the firm’s computer security weaknesses, she was fired and the police were notified. She was later convicted of Computer Fraud and Abuse Act violations and was ordered to pay the company restitution. The conviction was upheld on appeal.
  • The 9th Circuit Court of Appeals has ruled that “any person who obtains information from any computer connected to the Internet, in violation of [an] employer’s computer-use restrictions, is guilty of a federal crime.”

How can I protect my business from employees who steal data?

Do not take it for granted that workers know what they can and cannot do with information collected and maintained by the business. Take time to review and update the company’s computer and data use policy. Examples of what to include in a computer and data use policy might include guidelines that prohibit:

  • Obtaining access or hacking into systems the employee is not authorized to use;
  • Using another employee’s log-in or password to access information;
  • Breaching or monitoring computer or network security features.

The Computer Fraud and Abuse Actmay provide the recourse you need when an employee accesses company data without or exceeding authorization. Give the company the best chance of success in those cases by having a clear computer and data use policy in place and ensuring employees are aware of the policy.

Dianne Shaddock is the Founder of Easy Small Business HR, Employee Hiring and Managing Tips. Through the Employee Hiring and Managing Tips podcast, blog, and weekly ‘quick tips’ e-newsletters, Dianne offers expert advice on how to make better hiring decisions, manage difficult employees, develop employee policies, motivate staff, and so much more. No stuffy, corporate HR policy lingo; but straight forward, easy to understand and implement advice for businesses just like yours. Stay ahead of the curve and go to Easy Small Business for more tips on how to hire and manage your staff effectively.

Article Source:

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.

Prev Post:
Next Post: