Acceptable Use Policy
[Organization Name]
Effective Date: [Effective Date]
1. INTRODUCTION AND PURPOSE
This Acceptable Use Policy ("Policy") establishes the rules governing the use of technology systems, networks, and digital resources owned, operated, or managed by [Organization Name] ("Organization"), located at [Organization Address]. This Policy is designed to protect the Organization's technology assets, ensure compliance with applicable law, maintain productivity, and safeguard the Organization's data and reputation.
This Policy is governed by the laws of the State of [Governing State] and applicable federal law, including the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2523), and applicable state data protection and employment statutes.
2. SCOPE
This Policy applies to: [Covered Users].
This Policy covers the following systems and resources: [Covered Systems].
3. PERMITTED USES
Organization systems and resources are provided primarily for business purposes. Authorized uses include: [Permitted Uses].
Personal Use: [Personal Use Policy]. Any personal use must not interfere with work duties, consume significant network bandwidth, or violate any provision of this Policy.
4. PROHIBITED CONDUCT
The following activities are strictly prohibited on Organization systems and resources:
a) Accessing, transmitting, or storing any content that is illegal, obscene, harassing, defamatory, or discriminatory under applicable law;
b) Accessing computer systems, accounts, or data without authorization, or attempting to circumvent security controls;
c) Installing unauthorized software, applications, or browser extensions on Organization systems;
d) Sharing confidential, proprietary, or personally identifiable information with unauthorized parties;
e) Using Organization systems for personal commercial activity, solicitation, or political campaigning;
f) Transmitting unsolicited bulk electronic communications (spam) using Organization systems;
g) Violating any third-party intellectual property rights, including downloading or sharing unlicensed software, music, or media;
h) Engaging in any activity that constitutes a violation of applicable federal, state, or local law;
i) [Additional Prohibited Activities].
5. MONITORING AND NO EXPECTATION OF PRIVACY
Users have NO expectation of privacy when using Organization systems. The Organization reserves the right to monitor, access, review, copy, and disclose any communications, files, or other content created, stored, transmitted, or received on Organization systems, including: [Monitoring Scope].
By using Organization systems, users expressly consent to such monitoring. Monitoring may occur at any time, with or without notice, and without further consent.
6. DATA SECURITY REQUIREMENTS
All users must comply with the following data security requirements when accessing or handling Organization data.
Data Classification: The Organization classifies data into the following categories: [Data Classification Levels]. Users must handle each category of data in accordance with the Organization's data handling procedures.
Passwords: Users must create and maintain strong passwords meeting the following requirements: [Password Requirements]. Passwords must not be shared with any other person.
Users must report any suspected security incident, unauthorized access, or data breach to [Policy Administrator] immediately upon discovery.
7. VIOLATIONS AND DISCIPLINARY CONSEQUENCES
Violations of this Policy may result in disciplinary action up to and including: [Disciplinary Actions]. The severity of the disciplinary response will be determined by the nature and seriousness of the violation, the user's prior conduct, and applicable law. Nothing in this Policy limits the Organization's right to pursue civil or criminal remedies available under applicable law.
8. POLICY ADMINISTRATION AND UPDATES
This Policy is administered by [Policy Administrator]. Questions regarding this Policy should be directed to the Policy Administrator. This Policy will be reviewed [Review Frequency]. The Organization reserves the right to modify, update, or replace this Policy at any time. Continued use of Organization systems after notification of Policy updates constitutes acceptance of the revised Policy.
9. ACKNOWLEDGMENT
By signing below, the user acknowledges that they have read, understood, and agree to comply with this Acceptable Use Policy. The user understands that violations may result in disciplinary action, including termination.
Organization: [Organization Name]
Effective Date: [Effective Date]
Authorized Representative
________________
Signature
User / Employee
________________
Signature
What Is an Acceptable Use Policy?
An Acceptable Use Policy (AUP) in the United States sets out the rules governing how users may use an organization's technology systems and networks, and the procedures by which those rules are enforced.
The AUP is the primary instrument through which employers in the United States establish and enforce electronic workplace rules. Federal law provides the framework: the Electronic Communications Privacy Act (18 U.S.C. §§ 2510–2523) governs the interception and monitoring of electronic communications, but the statute's provider exception permits employers to monitor communications on systems they own and operate, provided employees have notice of monitoring. A signed AUP acknowledging consent to monitoring satisfies this notice requirement and negates employees' reasonable expectations of privacy on company-owned systems under the Fourth Amendment's private-employer analogue.
Across regulated industries, specific federal agencies and frameworks impose AUP-equivalent obligations that make this document effectively mandatory. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), codified at 42 U.S.C. § 1320d, requires covered entities to implement policies restricting workforce access to electronic protected health information (ePHI), with the HIPAA Security Rule (45 C.F.R. Part 164) specifying that workforce use and access controls must be documented. The Payment Card Industry Data Security Standard (PCI DSS), administered by the PCI Security Standards Council, requires documented policies restricting access to cardholder data environments. Organizations subject to the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) must implement safeguards programs that address employee access to nonpublic personal financial information.
At the state level, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) and state data breach notification statutes across all 50 states create additional incentives for documented IT governance. Delaware's Computer Security Breach Notification Law, New York's SHIELD Act (General Business Law § 899-aa), and Illinois' Personal Information Protection Act each impose obligations on businesses to maintain reasonable security procedures, which courts and regulators frequently interpret to require documented policies like AUPs.
An AUP differs from related documents in scope and function. A Privacy Policy governs how the organization handles personal data of customers and third parties, while an AUP governs internal employee conduct. A Terms of Service agreement governs external users' interaction with the organization's public-facing products. A Data Classification Policy addresses how data is categorized and handled by sensitivity level, while the AUP addresses the channels and systems through which employees access and transmit all categories of data. A BYOD Policy is a specialized subset of AUP principles applied specifically to employee-owned devices.
Organizations of all sizes in the United States benefit from a written AUP. For small businesses, an AUP creates the contractual basis for disciplinary action against employees who misuse IT resources — without it, terminating an at-will employee for internet misuse can still generate wrongful termination disputes. For enterprises and government contractors, AUPs are components of mandatory security programs under frameworks including NIST SP 800-53, CMMC (Cybersecurity Maturity Model Certification), and FedRAMP.
When Do You Need an Acceptable Use Policy?
An Acceptable Use Policy is needed by every US organization that provides employees, contractors, volunteers, or any other users with access to company-owned or company-managed information technology resources. The document becomes particularly critical in a number of scenarios.
When onboarding new employees, the AUP establishes from the first day the rules governing use of company computers, email, and networks. Requiring signature at onboarding creates an employment record that the employee acknowledged the policy, which supports termination decisions and legal defenses if the employee later misuses IT resources.
When the organization deploys remote work or hybrid work arrangements, an AUP becomes essential because employees access company systems from home networks, personal routers, and personal devices. Without policy language specifically addressing remote access requirements — VPN use, home router security, prohibition on using public Wi-Fi without encryption — the organization loses control of corporate data outside the office perimeter.
When employees have access to sensitive data subject to regulatory protection — HIPAA-protected health information in a medical practice, payment card data in a retail business, student records under FERPA (20 U.S.C. § 1232g) in an educational institution, or classified export-controlled technical data subject to the Export Administration Regulations (15 C.F.R. Parts 730–774) — a documented AUP provides evidence of the organization's reasonable security procedures, a key factor in regulatory enforcement and civil litigation.
Following a data breach or security incident, a signed AUP enables the organization to demonstrate to the FTC, state attorneys general, and plaintiff's counsel that the organization had documented security policies and employee training, which can reduce liability and penalties under state breach notification statutes and FTC enforcement actions under Section 5 of the FTC Act (15 U.S.C. § 45).
When an employee is terminated for IT policy violations, the AUP provides the documentary basis for the termination and protects against claims of discriminatory or pretextual discharge. California, New York, Massachusetts, and other states with strong employee protections require employers to demonstrate that discipline was applied consistently with written policies.
Organizations contracting with federal agencies or defense contractors under the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 must implement security requirements from NIST SP 800-171, which includes system use notification (a functional equivalent of an AUP) as control 3.13.9.
What to Include in Your Acceptable Use Policy
A well-drafted Acceptable Use Policy for a United States organization should contain the following key provisions to be legally effective and practically enforceable.
The scope and applicability clause defines precisely which systems and users are covered. The policy should enumerate all covered resources — desktops, laptops, servers, mobile devices issued by the employer, cloud applications (Microsoft 365, Google Workspace, Salesforce), email systems, VPN connections, and any personal devices enrolled in the organization's mobile device management (MDM) system under a BYOD arrangement. The policy should apply to all employees, contractors, consultants, temporary workers, and any other persons with access to the covered systems.
The authorized use definition sets out what users may do on the systems. Many organizations permit limited incidental personal use of internet access during non-work periods. Any such permission must be expressly stated, because if personal use is permitted, users may argue a greater expectation of privacy in their personal activities. The authorized use section should also identify specific business applications and data systems users are permitted to access, reflecting the principle of least-privilege access required by NIST SP 800-53 control AC-6.
The prohibited conduct section is the policy's operational core. Prohibited activities should specifically include: accessing or attempting to access computer systems, accounts, or data without authorization, which triggers liability under the Computer Fraud and Abuse Act (18 U.S.C. § 1030); installing unlicensed software, which creates copyright liability under the Copyright Act (17 U.S.C. § 101 et seq.) for the organization; accessing, downloading, or distributing obscene, harassing, or discriminatory content, which can create hostile work environment liability under Title VII of the Civil Rights Act (42 U.S.C. § 2000e); transmitting confidential information to unauthorized external recipients; circumventing security controls, firewalls, or content filters; and using organizational systems for personal commercial activity, cryptocurrency mining, or any illegal purpose.
The monitoring and privacy notice is legally required for the policy to be effective. The notice must state that the organization reserves the right to monitor, record, inspect, and disclose any communications or activity on its systems, that users have no expectation of privacy on company-owned equipment or networks, and the specific types of monitoring the organization conducts (email scanning, web activity logging, keystroke logging, screen capture). Under the Electronic Communications Privacy Act (18 U.S.C. § 2511(2)(a)(i)), consent to monitoring can be established through policy acknowledgment. Several states — Connecticut (Conn. Gen. Stat. § 31-48d), New York (N.Y. Lab. Law § 740), and Delaware (Del. Code tit. 19 § 705) — impose specific electronic monitoring notice requirements beyond the federal baseline.
The data handling and classification provisions should address how employees must treat confidential company information, customer data, and regulated data categories. Requirements should include: using only approved cloud storage and file-sharing services; encrypting data in transit when transmitting sensitive information; not storing regulated data (HIPAA ePHI, PCI cardholder data) on personal devices; and following the organization's document retention and destruction schedules.
The social media and public communications clause addresses what employees may and may not post publicly about the organization. The policy should prohibit disclosing confidential business information, trade secrets, and non-public financial information on social media, while acknowledging employees' rights under Section 7 of the National Labor Relations Act (29 U.S.C. § 157) to engage in protected concerted activity about working conditions.
The disciplinary consequences section must specify the range of disciplinary actions available — verbal warning, written warning, suspension of system access, termination of employment, and criminal referral — and clarify that violations may result in any of these outcomes depending on severity. The section should state that the organization will investigate suspected violations and that findings may be reported to law enforcement.
The forms-legal.com Acceptable Use Policy template covers all eight mandatory sections — scope, authorized use, prohibited conduct, monitoring notice, data handling, social media, disciplinary consequences, and acknowledgment — aligned with NIST SP 800-53 control PL-4 and CFAA compliance requirements.
The acknowledgment and signature block requires each user to sign and date the policy, confirming they have received, read, and understood it. Electronic acknowledgments (e-signature or checkbox acknowledgment through an HR system) are legally equivalent to handwritten signatures under the Electronic Signatures in Global and National Commerce Act (E-Sign Act, 15 U.S.C. § 7001) and the Uniform Electronic Transactions Act (UETA), enacted in 49 states.
Sources & Citations
Statutory citations link to official government sources.
- 18 U.S.C. §§ 2510 (US) – Cornell LII
- 42 U.S.C. § 1320d (US) – Cornell LII
- 15 U.S.C. §§ 6801 (US) – Cornell LII
- 20 U.S.C. § 1232g (US) – Cornell LII
- 15 U.S.C. § 45 (US) – Cornell LII
- 18 U.S.C. § 1030 (US) – Cornell LII
- 17 U.S.C. § 101 (US) – Cornell LII
- 42 U.S.C. § 2000e (US) – Cornell LII
- 18 U.S.C. § 2511 (US) – Cornell LII
- 29 U.S.C. § 157 (US) – Cornell LII
- 15 U.S.C. § 7001 (US) – Cornell LII
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (US) – Cornell LII
- Title VII of the Civil Rights Act (US) – Cornell LII
- California Consumer Privacy Act (CA, US) – official
- Cal. Civ. Code § 1798.100 (CA, US) – official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/acceptable-use-policy
"Acceptable Use Policy (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/policies/acceptable-use-policy.
@misc{formslegal-acceptable-use-policy,
author = {{Forms Legal}},
title = {Acceptable Use Policy (United States)},
year = {2026},
howpublished = {\url{https://forms-legal.com/usa/business/policies/acceptable-use-policy}},
note = {Free legal document template. Based on Computer Fraud and Abuse Act (18 U.S.C. § 1030)}
}
Frequently Asked Questions
While no single federal statute universally mandates an Acceptable Use Policy (AUP) for all US businesses, various federal and state laws create strong practical and legal incentives to have one. The Computer Fraud and Abuse Act (18 U.S.C. § 1030) prohibits unauthorized access to computer systems — a written AUP helps establish the boundary of authorized access so that violations can be prosecuted. The Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2523) governs employer monitoring of electronic communications; a clear AUP with employee consent provisions helps employers monitor systems lawfully. Organizations subject to HIPAA must implement policies governing workforce access to electronic protected health information. PCI DSS requires policies restricting access to cardholder data systems. State data protection laws — including the California Consumer Privacy Act and state breach notification statutes — make written policies on data handling effectively mandatory. For employers, an AUP that employees sign is essential for enforcing disciplinary action for misuse, defending against wrongful termination claims, and demonstrating reasonable cybersecurity practices. Courts have upheld employers' right to monitor company systems when employees have been given clear notice through an AUP.
A complete Acceptable Use Policy for employee computer and internet use should address the following areas. First, the scope of systems covered — company computers, mobile devices, servers, cloud services, email systems, and any personal devices used to access company networks (BYOD). Second, permitted uses — business-related activities that employees are authorized to perform, and whether limited personal use is tolerated. Third, prohibited conduct — a specific list of forbidden activities such as accessing unauthorized systems, downloading unlicensed software, visiting prohibited website categories, sending harassing communications, sharing confidential information, circumventing security controls, or using company systems for personal business or illegal activity. Fourth, monitoring and privacy — a clear statement that the company reserves the right to monitor all activity on company systems, that employees have no expectation of privacy on company equipment, and the scope of monitoring actually performed. Fifth, data handling — rules about storing, transmitting, and deleting sensitive information, including requirements to use encryption and avoid transferring data to personal accounts. Sixth, social media — rules about representing the company online and discussing confidential matters. Seventh, consequences — the disciplinary actions, up to and including termination and criminal referral, for policy violations.
Yes, employers in the United States have broad legal authority to monitor employees' use of company-owned computers, networks, and communication systems, provided they give adequate notice. The Electronic Communications Privacy Act (ECPA) prohibits interception of electronic communications but includes an exception for systems providers — employers who own and operate the systems. Courts have consistently held that employees have no reasonable expectation of privacy when using employer-owned equipment and networks, particularly when the employer's AUP or IT policy has notified employees that monitoring may occur. Key requirements for lawful monitoring include: (1) providing clear written notice in an AUP or employee handbook that systems are monitored; (2) obtaining employee acknowledgment of the policy (a signed receipt or e-acknowledgment); and (3) limiting monitoring to legitimate business purposes. Monitoring of personal email accounts accessed on company systems is more legally complex and may require additional consent. Some states — including California, Connecticut, Delaware, and New York — have statutes imposing additional notice requirements for employer electronic monitoring. Employers should consult counsel about state-specific requirements before implementing monitoring programs.
Violations of an Acceptable Use Policy should be handled consistently, proportionately, and in accordance with the organization's disciplinary procedures. Minor first-time violations — such as occasional personal internet use — may warrant a verbal warning and counseling. More serious violations — such as downloading unauthorized software, circumventing security controls, or excessive personal use — typically warrant written warnings, suspension of system privileges, or formal disciplinary action. Severe violations — including accessing prohibited content, sharing confidential data externally, hacking, harassment, or any criminal conduct — may justify immediate termination and referral to law enforcement. For the disciplinary process to be legally defensible, several conditions must be met: the AUP must have been communicated clearly and the employee must have acknowledged receipt; the investigation must be conducted thoroughly and consistently; similarly situated employees must be treated consistently to avoid discrimination claims; and documentation of the investigation and disciplinary decision must be maintained. In the employment context, at-will employees can generally be terminated for AUP violations without cause, but consistency and documentation protect against wrongful termination claims.
Yes. Technology, cybersecurity threats, legal requirements, and business practices evolve rapidly, and an Acceptable Use Policy should be reviewed and updated at least annually to remain effective and legally compliant. Specific triggers for policy updates include: adoption of new technologies or systems (cloud storage, AI tools, new communication platforms); changes in applicable law (new state privacy statutes, updated federal cybersecurity frameworks, changes to data breach notification requirements); significant security incidents that exposed gaps in the existing policy; organizational changes such as mergers, acquisitions, or shifts to remote or hybrid work; and updates to related policies such as the privacy policy, data classification policy, or remote work policy. When the AUP is updated, all employees should be notified, provided with the revised policy, and required to sign a new acknowledgment. Failure to keep the policy current can weaken its enforceability — a policy that does not address cloud services, social media, or AI tools may be silent on some of the most significant security and compliance risks facing modern organizations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.