Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee's permissible access to the company computers. This article will discuss these three decisions and their implications for creating effective corporate computer policies that protect the company against theft of its data.

Additional Information

U.S. v. John, a case decided last week by the Fifth Circuit Court of Appeals, reinforces the need for companies to update their corporate computer policies. That case affirmed the criminal conviction of a Citigroup account manager, Dimetriace Eva-Lavon, for violations of the federal Computer Fraud and Abuse Act for accessing customer account information contained in Citigroup’s internal computer system. John provided that Citigroup customer information to her half-brother, who used it to incur fraudulent charges on four different customer accounts.

On appeal John argued that as a Citigroup employee, she was authorized to access the company computers for customer account information and that her mental state or motive in accessing the customer account information cannot be the basis for a violation of the Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act, a criminal statute with civil remedies, outlaws the theft of data from a computer when the perpetrator is not authorized to access the computer or exceeds authorized access. She argued “that the statute does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer. The statute only prohibits using authorized access to obtain information that she is not entitled to obtain.”

The court rejected John’s argument based, in part, on Citigroup’s corporate computer policies that “prohibited misuse of the company's internal computer systems and confidential customer information.” The court pointed out that John was aware of these policies and attended corporate training programs where these policies were reiterated. By virtue of her violation of Citigroup’s computer policies, the court held that the jury could have properly found that John exceeded her authorized access to Citigroup’s computer because she “was not authorized to access that information for any and all purposes but for limited purposes.” She was certainly “not authorized to access data or information in furtherance of a criminally fraudulent scheme.” The John case is another good reason why a company should review its employee computer policies.
