A recent article in the Wall Street Journal, As Criminal Laws Proliferate, More Ensnared (Gary Fields and John Emshwiller), details the increasing number of federal criminal statutes and federal prosecutions – a threefold increase over the last 30 years. The article attributes – in part – this upward spiral to the criminalization of issues generally considered more appropriate for civil lawsuits.
The Computer Fraud & Abuse Act
The Computer Fraud and Abuse Act (“CFAA”), discussed in the preceding article, is a prime example of a criminal statute increasingly applied to civil matters and especially to matters arising in the context of the employment relationship.
In fact, a federal judge in dismissing CFAA claims against a former employee for excessive internet/facebook use, echoed concerns similar to those raised in the WSJ’s article:
The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to “access and control high technology processes vital to our everyday lives ….
Despite the original “design” of the CFAA as a primarily criminal statute, now anyone “who suffers damage or loss … may maintain a civil action … to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). The CFAA lacks a “specific intent” requirement, which simply means that a violation does not require a person to intend to wrongfully access and cause damage. Instead, criminal and civil liability are essentially based upon accessing or obtaining information from a protected computer without authorization.
But “access without authorization” has become such an elastic concept that the statute has been applied to a number of common employment scenarios:
- Protecting company information from disgruntled employees;
- Against an employee accessing the employer’s computer for a purpose adverse to the employer’s interests, such as preparation to compete against the employer or leave for a competitor; and
- An employee accessing the employer’s computer in excess of the express limitations (i.e., a computer use policy) violates the employer’s access restrictions, which may include the use of the computer or of the information contained in that computer; and
- Misappropriating confidential customer data residing or otherwise stored on a computer.
Reasonable people can certainly debate the appropriateness of applying a federal criminal computer hacking statute to employment related disputes. But the bottom line is that a computer engineer who decides to copy some interesting source code “just in case” he needs it at his next job, or the budding entrepreneur who downloads a customer database in preparation to start a competing business, or any number of situations where an employee accesses an employer’s computer “without authorization” may form the foundation for imposing liability under the CFAA.