IMPORTANT POINT #1: YOUR BUSINESS MUST HAVE A COMPUTER USE POLICY IN PLACE
Computer Use Policies (or Acceptable Use Policies, as they are often referred to) are must-haves for today’s businesses. Such policies are a foundational component in how a business creates a culture of security with its workforce by establishing expectations on what are and are not permissible ways to use and safeguard the business’s digital assets, as well as third parties’ information that it may be holding.
The Securities and Exchange Commission (SEC) emphasized the importance of this when it found that R.T. Jones Capital Equities Management violated the “safeguards rule” of the Securities Act of 1933: “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” See SEC v. R.T. Jones shows the SEC has a role in regulating cybersecurity. A fair reading of this case indicates that the SEC expects companies to have in place both computer use policies and a data breach incident response plan. [BEYOND THE SCOPE OF THIS POST, HOWEVER, YOUR BUSINESS SHOULD HAVE AN INCIDENT RESPONSE PLAN IN PLACE ALSO.]
IMPORTANT POINT #2: THE COMPUTER USE POLICY IS CRITICAL IN SETTING LIMITS ON AUTHORIZATION AND USE OF YOUR COMPANY’S DIGITAL ASSETS FOR UNAUTHORIZED ACCESS LAWS
Computer Use Policies are critical for establishing limitations on other people’s authorization for accessing and using your business’s computer system and the data that resides thereon. They also establish objectively verifiable evidence that such individuals had been informed of the limits on their authorization. These points are critical should these “privileged users” later exceed the limits of their authorization and misuse their access to steal data, disclose data, or otherwise cause harm to the business, and the business wish to pursue them under the state or federal unauthorized access laws.
The Computer Fraud and Abuse Act (CFAA)
The federal Computer Fraud and Abuse Act is well known for the Circuit Split on the access issue; however, the Fifth Circuit (along with the First, Eighth, and Eleventh) follows the Intended-Use Theory of access. Under the Intended-Use Theory, when an “insider” / “privileged user” is given authorization to access a computer, but is also given clear and objective restrictions on how she can use that access, by violating those use restrictions she exceeds authorized access in violation of the CFAA. Computer use policies are perfect for establishing such restrictions. See Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act.
Texas’ Breach of Computer Security (BCS) / Harmful Access by Computer Act (HACA)
The Texas unauthorized access law is called Breach of Computer Security (BCS), which is a criminal law that has a civil cause of action in Chapter 143 of the Texas Civil Practice and Remedies Code, titled the Harmful Access by Computer Act (HACA). The BCS / HACA specifically addresses misuse by insiders / privileged users. The law prohibits “knowingly accessing a computer, computer network, or computer system without the effective consent of the owner” and states that “Consent is not effective if . . . used for a purpose other than that for which the consent was given.” As a belt and suspenders against insider misuse, the law goes on to state that it is violated if the access is “in violation of . . . a clear and conspicuous prohibition by the owner of the computer, computer network, or computer system; or a contractual agreement to which the person has expressly agreed.” See Texas Broadens Unauthorized Access of Computer Law to Specifically Address Insider Misuse.
IMPORTANT POINT #3: THE COMPUTER USE POLICY MUST COMPLY WITH THE NLRB’S PURPLE COMMUNICATIONS CASE
Here is the tricky part about writing Computer Use Policies.
In the old days, we used to just write the policies to say something to the effect of, “Company is the exclusive owner of the Computer System and all data residing on the Computer System. Company grants You limited authorization to access and use the Computer System solely for legitimate Company business purposes, and any access or use of the Computer System, by You, that is not for legitimate Company business purposes is unauthorized and prohibited.” (NOTE: I’m writing this from memory just to make a point; this wasn’t exactly how it was written.)
In December 2014, the National Labor Relations Board found that it was illegal for businesses to have such prohibitive “you can’t use it for any other purposes” language in their policies. Specifically, in Purple Communications, Inc., 361 NLRB No. 126 (Dec. 11, 2014) (.pdf of decision), the NLRB found that employees who are given access to a business’s email system have a right to use that email system on non-work time to engage in “protected activity,” and any policy that prohibits such conduct is illegal.
So, your business must have a computer use policy. That policy should set limits on authorization to access and use the computer system for proper purposes. However, it must be written in a way that does not prohibit employees from using the email system for protected activity during non-work time. Got it?
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.