While it is far from settled, the trend under the Federal Computer Fraud and Abuse Act continues towards narrowing the application of the CFAA in the context of the employer/employee relationship.
Specifically, a federal district court in Colorado concluded that the federal computer fraud statute was not violated by departing employees and contractors who, during their employment, used login credentials to download and disclose their employer’s proprietary information. Cloudpath Networks, Inc. v. SecureW2 B.V. 1-13-16.
The Cloudpath case highlighted a central issue in CFAA claims brought against former employees. That issue comes down to whether information acquired during authorized computer access but is later used for an unauthorized purpose is covered by the CFAA’s “exceeds authorized access” provision (§ 1030(a)).
There is, however, a legal split among the federal districts as to how “exceeds authorized access” should be construed concerning the employer/employee relationship. This split was succinctly described by the Cloudpath Court as follows:
“Exceeds authorized access” is a defined term. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” … One collection of circuits holds that it extends to an employee/agent who use his or her access for purposes contrary to the employer/principal’s interests … the other side of the circuit split, which holds that “exceeds authorized access” only applies to an employee/agent who uses otherwise-permitted computer access to obtain data that the employer/principal has declared off-limits to that employee/agent.
Here the Cloudpath Court ultimately sided with the defendants and agreed with the Second, Fourth, and Ninth Circuit courts. These courts have adopted the narrower interpretation and held the CFAA doesn’t cover misuse of information. In other words, liability under the CFAA is not concerned with the improper use of valuable information so long as the initial act of accessing the employer’s network was authorized.
The Take Away
The CFAA provides civil and criminal liability for accessing a protected computer without authorization or in a manner that exceeds authorized access. In light of the stiff civil and criminal penalties, one of my consistent criticisms of courts applying the CFAA to former employees is that a broad application of criminal law is primarily determined by the employer, i.e., whether employee access is authorized depends on the employer’s decision to allow or terminate access.
As the Cloudpath Court noted, this poses the risk that an employer may manufacture liability by promulgating a computer policy such as “Employees are authorized to use company computers solely to the extent they do so for company purposes?” Any employee who does otherwise is accessing a computer “without authorization.”
Understanding the CFAA’s application and limitations is critical for companies to protect their intellectual property and competitive interests. It is also essential for employees to understand the significant penalties – criminal and civil – if a CFAA case is successful.
For more information about the Computer Fraud and Abuse Act, as well as litigating claims under the CFAA, contact attorney Jason Shinn. On behalf of businesses and individuals, Mr. Shinn has brought and defended against CFAA and related trade secret misappropriation issues.