They Certainly Do!
If a company has a policy or contractual agreement that places limitations on the permissible reasons for accessing the company computer or permissible uses for the data on that computer, it will usually be enforceable according to a majority of the federal courts of appeals that have addressed the issue.
What does this mean?
It means the company can authorize people to have only limited access to the computers for a specific intended use and to use the data on those computers only for that specified intended use. The person accessing the computer must comply with those restrictions. The restrictions can be set forth in a company policy that is promulgated so that everyone knows it; the restrictions can be in an employment agreement; or the restrictions can be set forth in any other type of contractual agreement between the company and the people it is authorizing to access its computers.
What can happen?
If the person violates the restrictions, he may be considered to have “exceeded authorized access” in violation of the federal Computer Fraud and Abuse Act (“CFAA”). A violation of the CFAA may, under certain circumstances, be prosecuted as a federal crime or give the company a basis to sue the person for a civil claim for which it may recover economic damages as well as get an injunction against the person who violated the restrictions.
What should you do?
If you are in charge of a company, business, or any other organization that has computers that other people are authorized to access, you should have policies or contractual agreements that define and limit the authorization by clearly restricting the permissible limits and intended use of access to the computers and the data on the computers.
If you use or access computers that belong to others, for whatever reason, you should be aware of any policies, contracts (including the computer “click-through” type agreements), or other types of restrictions that the owner of the computer places on your use or access of the computer. Not only should you be aware of them, but you must understand them and appreciate what their limitations really are. Then, most important of all, you must abide by them, for a failure to do so can lead to serious consequences for violating the CFAA.
If You Need Help Sleeping …
These general principles do not apply in all jurisdictions, though this line of reasoning was recently adopted by the Ninth Circuit Court of Appeals in the case United States v. Nosal. This brief summary is an over-generalization of the legal issues and analysis involved. If you are interested in reading a more thorough analysis or if you just need some help getting to sleep at night, please read my earlier post Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act.
- Bye Bye Brekka – Hello Nosal: Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act (shawnetuma.com)
- 9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal (ericgoldman.org)
- Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime) (volokh.com)
- Appeals Court: No Hacking Required to Be Prosecuted as a Hacker (wired.com)
- Fraudulent misuse of computer on job ruled a crime (sfgate.com)
- Court Rejects Argument That All First-Time Email Hacking Offenses Are Felonies (eff.org)