The Computer Fraud and Abuse Act (“CFAA”), enacted in 1984 was the first federal law to address computer crime. It originated as a criminal statute and initially was directed only to important federal interest computer crimes. As information technology and applications increased exponentially over the next two decades, so did the scope of the CFAA. It now contains a private right of action, section 1030(g) and it covers any “protected” computer which is one used in or affecting interstate or foreign commerce or communications, thus making any computer with internet access a subject of the statute’s protection. Unlike the economic espionage act, 18 U.S.C. §§ 1831-39 (2006), the CFAA, while providing for a private right of action, was not enacted with trade secret protection in mind. It is an anti-hacking statute.
With increasing numbers of employees using computers at work, employers have turned to the CFAA in situations where disloyal employees have pilfered company information from the employer’s computer system. The CFAA penalizes “access” or intrusions to a computer system in which information is stored. The CFAA forbids conduct by anyone, “who knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, ….” The statute defines “exceeds authorized access” to mean “access a computer with authorization and to use such access to obtain or alter information in a computer that the accessor is not entitled to so obtain or alter. (18 U.S.C. §1030(e)(6).) The CFAA does not, however, define “unauthorized access.”
Plaintiff companies often allege that defendants violated the CFAA, when a competitor acquired confidential or proprietary in formation indirectly, through a disloyal employee who used his or her authorized access to the plaintiff company’s computer systems or network to collect information (or delete and )alter it. Circuit Courts of Appeal are split over whether and when the CFAA applies in this situation. The split in authority concerns the interpretation of the terms “without authorization” and “exceeds authorized access.”
As of this writing many, if not most, circuit courts that have construed the “authorization” language of section 1030(g) have adopted an expansive view of the statutory language, and held that an employee who is authorized to use his employer’s computer systems and networks and been granted access to proprietary information immediately breaches his duty of loyalty to the employer (and thereby is “unauthorized”) if he or she uses the information so accessed against his employer’s economic interest. These courts hold that such conduct supports a claim under the CFAA.
In September 2009, the Ninth Circuit Court of Appeals expressed a different view. In LVRSC Holdings, LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127, the Court held that if an employer gave an employee permission to access its computers and databases in conjunction with the employee’s work duties, then the employee’s subsequent use of the information obtained through that authorized access, is not “unauthorized” and misuse of the information against the interest of the employer is not a CFAA violation. District Courts in other circuits have recently begun to adopt this interpretation of the CFAA. These cases reflect the view that “authorization” does not turn on an employee’s intentions in obtaining the employer’s information but instead on whether access to the information was granted. (See Océ North America, Inc. v. MCS Services, Inc., 2010 Westlaw 3703277 at *4 (D. Maryland, Sept. 16, 2010) [holding that while an employee remained employed by the company, he had authorization to use computers and computer software and that “copying software onto his own laptop may have been a violation of his employment agreement, but that does not constitute a violation of the CFAA”].) In Cvent, Inc. v. Event Bright, Inc., 2010 Westlaw 3732183 (E.D. Virginia, September 15, 2010), the Court noted that a “mere allegation that a defendant used the information [which it had been given authority to access] in an inappropriate way, did not state a claim for relief [under the CFAA].”
Adding to this confusion are recent events in United States v. Nosai, in April of this year, in Nosai, the ninth circuit held that employees did “exceed authorized access” under the CFAA when they used employer issued accounts to obtain information from their employer’s computer system for benefit of a competitor. On October 27th however, the Ninth Circuit ordered an en banc rehearing of the Nosai case, and ordered that District Courts in the Circuit not rely on the Nosai decision pending the rehearing. Stay tuned.