The Reach of the Computer Fraud and Abuse Act Remains Unresolved

Posted on

The Computer Fraud and Abuse Act (the “CFAA”) has become an increasingly important avenue for employers to bring claims against rogue employees who engage in computer misconduct before they end their employment.  While the CFAA was originally passed as a federal criminal statute in 1984 to target hackers, the statute was amended in 1994 to provide private citizens with a civil cause of action.

In the employment context, the CFAA gives employers a cause of action against an employee who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains or misuses certain of the information obtained from the computer.  18 U.S.C. § 1030.  The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer the accessor is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The CFAA, however, does not define “with authorization” or “without authorization.”  As a result, those terms have been interpreted differently amongst the various circuits, causing the reach of the CFAA to vary by jurisdiction.

The effect of these various interpretations is most clearly seen in the context of an employee engaging in computer misconduct while still employed.  For example, a handful of courts analyze the meaning of “without authorization” through an agency lens.  Under this analysis, the CFAA applies when an employee is granted access to the employer’s computer systems, but then uses that access for a purpose that is inconsistent with the employer’s interest.  See, e.g., International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).  Stated otherwise, if the employee accesses his employer’s computers to download information to use when he joins a competitor, he is acting contrary to his agency with his current employer and he may be found to be in violation of the CFAA.

Other courts, however, have taken a narrower approach.  Under this approach, when an employee’s access to an employer’s computer systems has not yet been terminated, then the employee is not acting “without authorization.”  Thus, no matter what the employee’s intent is in accessing the computer systems, so long as that employee has permission to access the company’s computers, then he is not violating the CFAA.  In effect, this approach has led many courts to hold that the CFAA does not apply when the employee engages in computer misconduct while still employed.  See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).

Even in jurisdictions adopting this narrower approach, employers may still be able to bring a CFAA claim against former employees in situations where an employee “exceeds his authorized access.”  Specifically, if an employer has company policies or contracts in place limiting an employee’s authorization to access the company’s computer systems, and the employee violates such policies or contractual obligations, the employee’s conduct may constitute a violation of the CFAA.  See, e.g., U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).  Although even in this context, there is disagreement amongst courts as to whether a violation of a company’s policy relating to an employee’s use of a computer (as opposed to an employee’s access) can give rise to a CFAAclaim.

In light of these varying interpretations, the issue regarding the reach of the CFAA is ripe for Supreme Court review.  In fact, in a recent case, a South Carolina company petitioned for a writ of certiorari, framing the relevant question as “whether the CFAA applies to employees who violate employer-imposed computer access and data use restrictions to steal company data.”  See WEC Carolina Energy Solutions LLC v. Miller, No. 12-518, 2012 WL 5353899 (Oct. 24, 2012) (Petition for Writ of Certiorari to U.S. Supreme Court).  However, in early January, the hope for a Supreme Court ruling on the circuit split was dashed, when the parties mutually dismissed the case.  Thus, the reach of the CFAA remains unresolved.

Employers should be aware of the potential implications of the unsettled law surrounding the CFAA.  More specifically, employers should review their computer policies and employment agreements, as well as the scope of employees’ access to computer systems.  The relevant policies and contracts should be revised, with an eye on the rules governing when the CFAA applies, to provide employers with the most potential protection against employees’ computer misconduct.