The Computer Fraud and Abuse Act: A Legal Overview

“Ultimately, the proper interpretation of the scope of the CFAA may have to be decided by the U.S. Supreme Court…” – Patton Boggs

Thanks to a recent decision in the Ninth Circuit, the ever-evolving Computer Fraud and Abuse Act (CFAA) is back in the spotlight. The latest changes notwithstanding, what exactly is the CFAA? What does it cover? Who does it protect? What should corporate leaders know about it as they manage the fine balance between employees, technology, and proprietary data in the workplace? Culled from legal updates on JD Supra:

1984: Unauthorized Access and Use of Computers

“The Computer Fraud and Abuse Act was passed by Congress in 1984 to address the unauthorized access and use of computers and computer networks. Although the CFAA is primarily a criminal statute, the 1994 amendment to the CFAA allowed individuals and companies to bring a private civil suit against a person who accessed a protected computer ‘without authorization’ or while ‘exceed[ing] authorized access.’ Increasingly, employers have used the CFAA to bring suit against former employees or agents (‘insiders’) who have absconded with company data…” (The Computer Fraud and Abuse Act: ‘Authorization’ in Flux and the Ninth Circuit Dilemma by Lewis and Roca LLP)

“The CFAA is primarily a criminal statute intended to deter computer hackers, though it permits civil actions by private parties damaged as a result of a violation (assuming they incur sufficient injury). It generally prohibits intentionally or knowingly accessing a computer without authorization or exceeding authorized access in a variety of contexts, including those involving government computers, attempts to defraud to obtain something of value, and/or causing damage or loss to the computer or its data.” (En Banc 9th Circuit Decision Narrowly Construes Federal Computer Fraud and Abuse Act’s Prohibition on Conduct that “Exceeds Authorized Access” by Davis Wright Tremaine)

2001-2010: A Drastic Increase in Scope

“In the past ten years, the CFAA has moved from obscurity into the limelight as Congressional amendments drastically increased its scope. The watershed began in late 2001, when Congress, as part of the USA Patriot Act, adopted a definition of ‘loss’ in the CFAA that made it easier for private litigants to meet the $5,000 threshold for damage or loss. In 2007, Congress expanded a crucial liability provision to criminalize ‘intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information.’ This section imposes liability on anyone who accesses a computer without authorization or who exceeds authorization, even if the person commits no further wrongdoing. Since 2002, complaints alleging a cause of action under the CFAA have increased nearly 600 percent…” (The Rise of the Computer Fraud and Abuse Case by Fenwick & West LLP)

CFAA in Workplace Data Protection

Fenwick & West again, writing before the recent Ninth Circuit decision: “First, [the CFAA] confers federal jurisdiction over commercial torts that are usually pleaded only as state law actions, such as trade secret misappropriation, breach of contract, and intentional interference with prospective economic advantage. Second, there are fewer elements to prove under the CFAA than related state law claims; it is often necessary only to show a defendant accessed a computer and that the plaintiff suffered damage or loss in excess of $5,000.”

“[W]hether an employee will be found liable under the CFAA often turns on whether the employee was authorized to access the computer in the first place. As an employee’s authorization must necessarily come from the employer, a carefully tailored computer use policy can provide employers with a powerful tool to deter and prosecute acts of theft and misappropriation. Employers that lack such policies have not fared as well in CFAA actions as courts are unwilling to hold the employee liable under the CFAA without evidence that the employee was on notice that access was unauthorized…” (The Computer Fraud and Abuse Act (CFAA) – The Benefits of a Computer Use Policy That Restricts Employee Access by Bryan Cave)

“One open question is whether the CFAA imposes liability on employees who have permission to access computerized information but use the permitted access for an improper purpose? The federal courts are currently split on the issue…” (The Computer Fraud And Abuse Act Subject To Different Interpretations by Patton Boggs)

Enter: The Ninth Circuit Decision in United States v. Nosal

“In an opinion with significant implications for trade secret law, employee mobility, privacy, and Internet users broadly, the Ninth Circuit Court of Appeals on April 10 issued its decision in United States v. Nosal. Writing for the en banc court, Chief Judge Alex Kozinski addressed the proper scope of the federal Computer Fraud and Abuse Act’s (CFAA’s) prohibition against using a computer in a way that ‘exceeds authorized access.’ Building on its prior case law, the court held that while the CFAA forbids unauthorized access to information, it does not prohibit the misuse of information initially obtained through authorized access.” (Ninth Circuit Holds That Computer Fraud and Abuse Act Does Not Apply to Use of Information Obtained through Authorized Access by Wilson Sonsini)

“In this case, Nosal left his employer and then convinced some of his former coworkers to join him in starting a competing business. These coworkers, who were still working for the employer at the time, accessed confidential company information and sent it to Nosal, flouting the employer’s policy. The government charged Nosal criminally on various grounds, ‘including trade secret theft, mail fraud, conspiracy and violations of the CFAA.’ The Ninth Circuit held that the CFAA-based charges had to be dismissed because the coworkers did have authorization to access the confidential information that they accessed—though those employees exceeded their authority in accessing the information for purposes of competing with their employer. The government was still free to pursue the non-CFAA counts of the indictment (which included mail fraud and theft of trade secrets).

…The court said that the CFAA should be interpreted narrowly and that it criminalizes unauthorized access to computerized information (“hacking”), but not unauthorized use when the user legitimately has access (as employees have access to their employer’s information). The Ninth Circuit explained that when Congress enacted the CFAA, it was seeking to criminalize hacking, not all misappropriation of computerized information.” (Former Employee Cannot Be Charged Criminally For Violating Company Computer Policy by Proskauer)

Davis Wright Tremaine again: “The court’s decision, authored by Judge Kozinski, explains that this narrow construction is preferable because it prevents CFAA liability for, for example, employees using their work computers in violation of their employers’ acceptable use policies, and/or web-surfers using a website in ways that may violate its terms of use/service, which the court noted few ever read, and even fewer understand in enough detail to avoid unwitting liability.”

So where does this leave employers and employees?

A fine question. As we noted in an earlier blog roundup on Small Business Support, using the CFAA to combat employee data theft just got harder. That post includes a growing index of law firm commentary on the recent US v. Nosal decision, with more added as it comes in.

One theme runs through most legal writing on this topic: take your workplace data authorization policies very seriously. As one tool among others to combat data theft and employee privacy breaches, the CFAA's scope just narrowed considerably. Real risk mitigation, however, begins with careful planning and policies put in place in advance of any employee violations.
