TAKEAWAY: Businesses (and anyone else) that allow others to access to their computers should have contractual agreements with those persons that clearly specify the restrictions on their authorization to access and use the computers and data.
This is the lesson of United States v. Cave, 2013 WL 3766550 (D. Neb. July 16, 2013), a case in which the court found that a memorandum of understanding that restricted the defendant’s access to a database as being only for professional use in his job also set the limits of authorized access for purposes of the Computer Fraud and Abuse Act. This is an example of the Intended Use Theory of access under the CFAA that was also followed by Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), which I blogged about here: Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act (I also explain the Trilogy of Access Theories in this post: Intended Use Theory, Strict Access Theory, and Agency Theory).
While the Ninth and Fourth Circuits have received a lot of recent attention for adhering to the Strict Access Theory, the majority of circuit courts that have ruled on this issue still follow the Intended-Use Theory, including the First, Third, Fifth, Eighth, and Eleventh Circuits. With the Intended-Use Theory, it is very important to have some form of contractual or other objectively verifiable restrictions on the authorization to access the computer and data to demonstrate to the court that there were restrictions in place and the defendant had actual notice of those restrictions.
Interesting stuff. I can see some real legal nightmares for the “legacy platform” companies I’ve worked for, where the access restrictions are rather lax for supporting the batch runs overnight. Yes, it makes for quick resolution of problems, but oh, the legal potholes!