The Computer Fraud and Abuse Act (CFAA) was enacted primarily as a criminal statute to prosecute hackers. Increasingly, employers are trying to use the CFAA to recover damages against employees who use or access the employer’s computers to misappropriate confidential and proprietary information. CFAA claims now routinely accompany claims against employees for misappropriation of trade secrets and conversion. The law, however, is unsettled on how the CFAA should be interpreted in the context of employee use of employer computers/data.
The CFAA generally provides that “[w]hoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished.” 18 U.S.C. § 1030(a)(4).
In the 9th Circuit Court of Appeal’s most recent decision on the CFAA, the Court held that the phrase “exceeds authorized access” does not extend to violations of use restrictions, such as an employer’s corporate policies governing the use of information. U.S. v. Nosal, www.ca9.uscourts.gov/datastore/opinions. Subsequently, a California District Court found that while Nosal clearly precluded applying the CFAA to violating restrictions on use, it did not preclude applying the CFAA to rules regarding access, for example where an employee was authorized to access a specific file and the employee exceeded that authority by accessing different files or additional files. Weingand v. Harland Financial Solutions, Case No. C-11-3109 EMC. And, in early August, another California District Court found that an employer could state a claim under the CFAA where an employee exceeded his authorized access by continuing to access information stored on company computers and servers after the employee’s resignation. Hat World, Inc. v. Kelly, Case No. S-12-0159.
To further complicate matters, the 9th Circuit’s holding in Nosal conflicts with the holdings from other Circuit courts across the United States, leaving it to the U.S. Supreme Court to resolve the conflict and decide how to apply the CFAA. www.circuitsplits.com. Until then, employers should continue to maintain clear policies regarding use of confidential information and protection of trade secrets, and to set clear boundaries on employee access to data.