Vacated CFAA conviction spotlights offboarding, delegated email risks, and authorization revocation
Third Circuit says resignation does not end system authorization, vacating a CFAA conviction and urging HR to explicitly revoke access and tighten offboarding.
On December 9, 2025, the U.S. Court of Appeals for the Third Circuit vacated the Computer Fraud and Abuse Act (CFAA) conviction of Frances M. Eddings, making clear that an employee’s or contractor’s resignation does not, by itself, end their authorization to access company systems. The Court held that authorization turns on employer permission: once granted, it ends only when the employer rescinds it, or if a contract or policy expressly ties authorization to employment. The Court remanded with instructions to enter a judgment of acquittal.
The dispute arose from a 2014 fundraiser project for the Prostate Cancer Foundation (PCF). Contractor Jude Denis was given the ability to read, write, and send emails on behalf of PCF board member Neil Rodin through a link installed on her personal computer. After several days, the relationship deteriorated. On August 21, Denis emailed that she could not accept continued work and submitted an invoice for her time and expenses. PCF did not pay and ceased communication.
Denis still had access to Rodin’s email. Beginning September 22, she read emails, downloaded internal PCF documents, and sent them to her friend, Eddings. Eddings then emailed PCF’s CEO, threatening to release thousands of PCF documents unless PCF paid Denis $150,000 and paid Eddings a 25% fee. On October 1, PCF remotely disabled the link on Denis’s computer and reported Denis and Eddings to the FBI.
A grand jury indicted both in September 2019 on four CFAA counts, with Eddings charged as a co-conspirator and accomplice. At their April 2022 joint trial, the government argued that Denis’s August 21 resignation ended her authorization, making later access “without authorization.” The jury convicted both. Denis died shortly afterward. Eddings received 18 months’ probation, including six months of home confinement, and moved for acquittal and a new trial.
The Third Circuit held the government did not prove that Denis’s post-resignation access was “without authorization.” The record showed no contract linking authorization to employment and no step by PCF to rescind permission before October 1, when it disabled the link. The Court emphasized that only the employer can grant or rescind authorization; resignation is the employee’s act and does not, by itself, terminate authorization. It also concluded a jury instruction was erroneous or confusing because it told jurors they could decide whether cessation of employment rescinds authorization, allowing conviction without any finding that PCF withdrew permission. A brief prosecutorial remark about extortion was deemed harmless given the judge’s curative instruction.
For HR leaders, the message is practical. Offboarding is not automatic under the CFAA. If a worker resigns, authorization does not evaporate unless the employer takes an affirmative step to withdraw it or has clearly tied authorization to employment in a contract or policy. The Court did not require technical shutdown to revoke authorization, though PCF’s eventual deactivation on October 1 ended access. Clear, timely revocation and coordinated IT actions remain essential, especially for delegated or shared accounts – such as executive email access – that can linger beyond a worker’s departure.
The ruling does not decide every scenario. It does not resolve what happens when a worker is terminated, nor does it address situations where an employer handbook or policy – properly noticed – expressly links authorization to employment. But it does underscore that, absent those measures, employers must act to rescind permission.
