IP: Why companies need clear policies against giving computer access to non-employees
Companies should have a clearly stated, consistently enforced policy prohibiting authorized users from giving access to third parties for any reason whatsoever.
February 19, 2013 at 04:30 AM
The original version of this story was published on Law.com
In 1986, in recognition of the economic importance of protecting computers from unauthorized access, Congress passed the Computer Fraud and Abuse Act (CFAA). The CFAA imposes criminal liability on outsiders who access computers to steal information or to disrupt or destroy computer functionality. In 1994, the CFAA was amended to give computer owners the right to bring a civil action, which requires proof that a company has policies and practices that restrict access.
In general, there are three types of unauthorized access of concern to companies:
- A non-employee (a hacker) may trespass into the system.
- An employee may access a restricted zone or use information from a permissible zone in an impermissible manner, known as a “user exceeding authorization.”
- An authorized user may give access to an unauthorized user, known as a “permissive intrusion.”
Although a clear company policy restricting access is important with respect to each of these, it is especially significant with respect to the third—namely, a case of “permissive intrusion”—insofar as the absence of such a policy might prove fatal to a CFAA claim.
Examples of permissive intrusion are all too easy to imagine. For instance, an employee who is traveling may need information that is on the company server, but may be unable to access the server via the Internet from his location. In such a situation, the employee might call his wife and provide her with his password, asking her to log in to his account. Alternatively, a company might provide a network password to a vendor, allowing the vendor to obtain needed specifications. Although these uses seem perfectly innocent, problems could arise if this permissive access can harm the company. In that case, the company would have to prove that the access, though permissive, was not authorized within the meaning of the CFAA.
The situation is made all the more confusing because the CFAA does not provide a definition of the phrase “without authorization.” The 9th Circuit has held that “a person uses a computer 'without authorization' . . . when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Whether this definition also applies to the third type of unauthorized access—the “permissive intruders”—requires us to consider the law of agency.
Generally, an agency relationship exists when one person contracts to act on behalf of another. Thus, when an employee receives access to a computer to further the interests of his employer, the employee is an agent of the employer. The law of agency treats an act of an agent as “unauthorized” if it is beyond the express, implied or apparent authority of the agent. Thus, the company should set forth a clear policy regarding the authority of its employees to give access to company computers. Such a policy should be included in each employee's employment contract. Then, if an employee gives another person access to company computers in violation or in excess of what company policy allows, that employee would be regarded as acting outside of the scope of his agency. In that case, the element of “unauthorized access” of the CFAA would be satisfied, because access that an employee gives to an intruder outside of the scope of agency would render the authorization invalid under the general law of agency.
Although the CFAA and its interpretation pose a number of legal issues, this discussion underscores the importance of one simple rule: Companies should have a clearly stated, consistently enforced policy prohibiting authorized users from giving access to third parties for any reason whatsoever.