Shortly before he left the employment of a residential treatment center for addicted persons, an employee e-mailed some of his employer’s documents to his and his wife’s personal e-mail accounts. The employee operated two consulting businesses of his own concerning addiction rehabilitation services. The employer’s documents, including its financial statement and the names of past and current patients at the center, could have been useful to those businesses.
When the employer discovered that the documents had been e-mailed, it sued the then-former employee under the federal Computer Fraud and Abuse Act (CFAA). The CFAA provides civil (and criminal) remedies for knowingly accessing a protected computer without authorization or for exceeding authorized access. A federal appellate court ruled in favor of the employee.
The language in the CFAA prohibiting the accessing of a computer without authorization means that the person has not received permission to use the computer for any purpose (such as when a hacker accesses a computer without permission), or when a computer owner, such as the employer, has rescinded permission and the defendant uses the computer anyway. Neither scenario describes what happened in the case before the court.
The employee, so long as he remained employed, had permission to access and use the company’s computers. There was no written employment agreement or set of guidelines for employees that might have prohibited or restricted employees of the company from e-mailing the company’s documents to personal computers. If keeping in-house documents in-house was a priority for the company, it would have been wise to incorporate appropriate restrictions on computer access and use by employees into an agreement or personnel policy.