Court: Breaking company policies isn’t hacking

law

A decision handed down by an appeals court finds employees can’t be charged under an anti-hacking law for breaking workplace policies. The case that led to that decision? The so-called “Cannibal Cop.” 

In U.S. v. Gilberto Valle, the government looked at the case of a police officer who participated in fetish role-playing website chat rooms that concerned cannibalism. Due to the nature of his participation, Valle was charged with violations of the Computer Fraud and Abuse Act (CFAA) for conspiracy to kidnap and using the police department’s database for non-job-related purposes.

While a lower court found Valle guilty of using the database in violation of the CFAA, the appeals court overturned that ruling. Why?

Law didn’t apply

CFAA is a very old law, first passed in 1984. It’s been updated periodically since, but not significantly.

And it uses some very strange legalize terms about “exceeding authorized access” and “intentional access.” But what it boils down to is once someone has been given permission to access a computer for most any reason, it’s very difficult to charge them with any hacking crime.

In this case, the police officer was fired for violating the company’s usage policy. But he was still authorized to use the database as part of his job, so his policy violations didn’t amount to actual hacking.

In other cases, that has meant employees who access old accounts after they’ve been fired or quit their jobs are immune from hacking laws.

Should your policies change?

It’s important to note these cases involve criminal prosecution. So they don’t necessarily affect employment decisions.

Employees who violate your policies can and should still be disciplined appropriately, up to and including termination. (But make sure your policies are clear to avoid legal difficulties that could result.)

But companies should be aware that when it comes to criminal prosecution of policy violations, the courts don’t seem willing to help.

Your best bets in order to make sure policy violations don’t become an issue:

  1. Revoke access immediately. This keeps former employees from getting away with data theft or unauthorized access to company information. Make informing IT of personnel moves a part of any off-boarding process, and check regularly to be sure no one still has access to files or applications that they shouldn’t have.
  2. Deal with policy violations consistently. Make sure every instance of a policy violation is handled the same way (although the degree of punishment or action taken may need to be adjusted based on the severity). And always be sure to treat similar policy violations the same way to avoid charges of discrimination or unfair treatment.