An employee's use of a work computer “without authorization” for purposes of the Computer Fraud and Abuse Act [18 U.S.C. Section 1030(a)] depends on the employer's policies and definitions of acceptable use, not the employee's state of mind, the U.S. Court of Appeals for the Ninth Circuit held Sept. 15 (LVRC Holdings LLC v. Brekka, 9th Cir., No. 07-17116, 9/15/09) (opinion available at http://tinyurl.com/n362nz).
The court held: "Because Brekka was authorized to use LVRC’s computers while he was employed at LVRC, he did not access a computer “without authorization” in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving LVRC. Nor did emailing the documents “exceed authorized access,” because Brekka was entitled to obtain the documents. Further, LVRC failed to establish the existence of a genuine issue of material fact as to whether Brekka accessed the LVRC website without authorization after he left the company."
Moral: Have good employee policies regarding email practices and authorizations!