So, can the Computer Fraud and Abuse Act be used as the basis for a lawsuit against an employee who had permission to access the computer system and company documents, but not to use the computer system for the improper purpose of benefitting a new employer? According to the U.S. Court of Appeals for the Fourth Circuit, the answer is “no.”
On July 31, the court entered the fray over the scope of the CFAA. The case involved a worker who downloaded confidential information from his employer’s computer system, then resigned and used that information to compete with the company on behalf of his new employer. The former employer sued under the CFAA, alleging that the employee’s unauthorized “use” of its computers violated the statute’s prohibitions against accessing information “without authorization” and “exceeding authorized access.” The trial court dismissed the lawsuit, reasoning that the CFAA does not prohibit such conduct.
To the dismay of the business community, the Fourth Circuit affirmed the dismissal, narrowly interpreting the terms “without authorization” and “exceeds authorized access” as applying only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access. In this case, the employee was authorized to access the computer system and to copy the files in question at the time he did so. Thus, the court concluded, there was no violation of the CFAA.
In opting for a narrow construction of the statute, the court sided with the notoriously pro-employee Ninth Circuit, in contrast to the more expansive view held by the majority of the other appellate circuits. Because the courts of appeals are split on the issue, it will be up to the Supreme Court to end the debate by deciding if and when an employee’s improper use and access of confidential and proprietary information is unlawful. Until then, whether an employer can rely on the statute as a basis for legal action against departing employees who misappropriate confidential computer records depends on where in the United States the misconduct occurred. Thus, businesses should consider methods to limit unauthorized access to and use of computer records in the first place and also should be particularly mindful of any state laws that might be applicable.