In United States v. Eddings, the United States Court of Appeals, Third Circuit, considered the question of when an employee’s authorization to access an employer’s accounts ends.

The appellant, Frances Eddings (“Eddings”), and her friend, Jude Denis (“Denis”), downloaded documents from Denis’ former employer, the Prostate Cancer Foundation (PCF). Denis had taken a position with PCA to assist with a fundraiser.  For purposes of planning, PCF installed a link on Denis’ computer that enabled access to a Board Member’s email account without her need for the password. Shortly after her hire, Denis realized the position was temporary and on August 21, 2014, resigned. Following her resignation, she requested PCF compensate her for her time and expenses incurred.  PCF ceased communications with Denis and refused to meet her demands.

In an attempt to negotiate payment, Denis and Eddings downloaded internal PCF documents, which Denis still had access to through the link previously installed on her computer.  They then threatened to release the documents if Denis was not paid lost wages and Eddings provided a 25% fee. On October 1, 2014, PCF locked Denis out of the account and subsequently reported her threats to the FBI.

For her part in the scheme, Eddings was convicted as an accomplice and conspirator to criminal fraud under the Computer Fraud and Abuse Act (“CFA”) which prohibits accessing a computer “without authorization.” Eddings appealed the conviction, claiming neither she nor Denis accessed the account after permission had been revoked in October. The government claimed any access after the resignation date was “without authorization,” in violation of the CFA.

The Court found that PCF did not condition Denis’s access to the accounts on continued  employment or expressly provide that resignation triggered an end to access. It further found that there was no evidence PCF took any action to rescind Denis’ access prior to locking her out in October. As there was no affirmative revocation either by virtue of a contract linking access to employment or explicitly withdrawing permission, Denis’s and Eddings’s access of the account was not done “without authorization.”  The Court held that when an employer grants an employee authorization to access employer accounts, that authorization remains in effect until it is affirmatively rescinded by the employer.  As a result, Eddings’s conviction was overturned.

While this case focused on alleged criminal conduct, it is a cautionary tale to employers to not be dumb.  When ending employment relationships, even those that seem innocuous or short-lived, employers must take affirmative steps to rescind any authorizations granting access to employer records, and take steps to keep employees from accessing their systems. If you or your organization need assistance navigating employee exits, contact Wiley Reber law for legal advice that works.