What to Know: Employees and Computer Fraud in the Workplace

Posted by Neal F. Weinrich on

When an employer discovers that a departing employee has misappropriated information using a computer, there may be a remedy under the Computer Fraud and Abuse Act (CFAA). In many cases, employees who misappropriate information using a computer expose themselves to potential civil and criminal liability under the CFAA.

The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act gives employers a civil cause of action against an employee who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains or misuses certain information obtained from the computer.  18 U.S.C. § 1030.  While the CFAA defines the phrase “exceeds authorized access,” it does not define “with authorization” or “without authorization.”  These terms have been interpreted differently by the various circuits, causing the reach of the CFAA to vary by jurisdiction.

Some federal Circuit Courts of Appeals construe the Computer Fraud and Abuse Act narrowly, holding that an employer must show that the employee specifically exceeded express limitations on access. Other circuits construe the CFAA more expansively, holding that an employee’s authority to access information automatically terminates when the employee forms the intent to leave his employer and is therefore no longer a “loyal” agent.

In United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the 11th Circuit aligned with the narrower approach, albeit in a manner that still results in a fairly broad interpretation of the CFAA. In Rodriguez, a TeleService representative of the Social Security Administration (SSA) was prosecuted under the CFAA for accessing personal records of 17 different individuals for nonbusiness reasons. The defendant challenged his conviction, arguing that because he accessed only databases that he was authorized to use, he did not violate the statute. The Eleventh Circuit rejected his argument, noting that the SSA had a policy stating that employees may access personal information only in the course of assisting individuals with questions concerning their social security. Therefore, the defendant violated the CFAA by exceeding his authority to access the government computer when he obtained personal information for a nonbusiness reason.

The Eleventh Circuit had occasion to review its stance on the CFAA recently in Maye v. United States, 2019 WL 1858211 (April 25, 2019).  In Maye, the defendant accessed the National Crime Information Center federal database to research and obtain information about his co-defendant’s lovers.  Not surprisingly, he was only authorized to access this database for law enforcement purposes, and he had been trained accordingly.  Because he was not authorized to access the database for this purpose, he was found to have violated the CFAA.  

Maye’s habeas corpus challenges following his conviction were unsuccessful.  After he had completed his period of incarceration, Maye filed another petition challenging his conviction.  This time he argued that the underlying indictment did not state a claim for a violation of the CFAA.  The district court rejected his argument, and he appealed to the 11th Circuit. 

The 11th Circuit found that Maye’s petition was foreclosed by U.S. v. Rodriguez. Under the “prior precedent rule,” because the Rodriguez court was the first panel to interpret the definition of “exceeds authorized access” under the CFAA, all subsequent panels of the 11th Circuit are bound by Rodriguez unless the first panel’s holding is overruled by the 11th Circuit sitting en banc or by the Supreme Court. Applying Rodriguez, the 11th Circuit concluded that the indictment plainly stated a Computer Fraud and Abuse Act claim and that Maye was therefore not entitled to relief from his conviction.

Although Maye, like Rodriguez, does not involve a departing employee who misappropriated information, the case is still a good reminder that, particularly within the 11th Circuit, when an employer discovers that a departing employee has misappropriated information using a computer, there may be a remedy under the CFAA.