Why employers shouldn't rely too heavily on the Computer Fraud and Abuse Act to enforce violations of computer use policies
September 1, 2013
Employee Relations Law Journal
The Computer Fraud and Abuse Act (CFAA), (1) was enacted by Congress in 1986 as a vehicle to deter computer hackers by both handing out tough criminal penalties and establishing a civil remedy for computer-related offenses. The CFAA has been amended and fine-tuned on several occasions, including the most recent amendments in 2008. Over the past several years, employers have latched on to the CFAA, not only for the stated legislative purpose of deterring third parties from unauthorized access of computer systems, but more routinely to enforce computer use policies against rogue or departing employees.
This article examines a sampling of the myriad decisions brought by employers against employees under the CFAA and provides suggestions to employers about when to deploy the CFAA in litigation against an employee and when to utilize other arrows in the employment law quiver to achieve the employer's desired objective.
The crux of the CFAA prohibits individuals, either inside or outside of a company, from accessing computers without authorization or by exceeding access previously authorized. (2) Federal courts diverge in the interpretation of "without authorization" as well as under what circumstance computer users "exceed authorized access," especially in cases where the alleged perpetrator is an employee or former employee and the access in question occurred at the workplace or via the employer's computer network. The U.S. Supreme Court has not yet addressed the issue of whether the CFAA applies to employees who violate computer use policies established by their employers, but the split in the federal circuits may trigger a decision by the high court in the near future.
Last year, the Fourth and Ninth Circuits held that the CFAA does not apply to employees who violate computer use policies by taking data from the company computers. These decisions were in sharp contrast to the existing case law in other circuit courts of appeals that permitted the application of the CFAA to cases involving violations of computer use policies by employees. In U.S. v. Nosal, (3) a former employee solicited two current employees to download confidential information from the company's computers so that Nosal could start a competing business. The Ninth Circuit reviewed the legislative history of the CFAA and held that Congress intended to punish third-party hackers, not to criminalize employees who violate computer use policies, finding that such an expansive misappropriation statute would have far reaching implications that "would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime." (4) The court noted that employees violate computer use policies daily by checking Facebook, shopping online, or watching sports highlights, and reasoned that this workplace conduct should not rise to penalties under the CFAA. (5)
In a second appellate decision of 2012, the Fourth Circuit followed the path of the Ninth Circuit and narrowly construed the CFAA against the employer. (6) In WEC Carolina, a former employee downloaded confidential company information at the direction of his new employer, a competitor of the plaintiff, and allegedly utilized the confidential information to garner new business. (7) Despite the employer's known economic damages, the Fourth Circuit dismissed the CFAA claims, finding that the employee did not access the computer "without authorization" or "exceeding authorization" as interpreted by the court. (8)
Although the Fourth and Ninth Circuits have chosen to construe the definition of "without authorization" or "exceeds authorization" narrowly, a number of federal circuit courts have previously taken an entirely different position with regard to claims brought by employers against employees. The Seventh Circuit held that an employee who violates his duty of loyalty terminates his agency relationship (i.e., the authority the employee had to access company data on the company computer). (9) In Citrin, an employee downloaded a secure-erasure program which deleted the employer's files and rendered them unrecoverable. (10) The Seventh Circuit held that the employee violated the CFAA because the employee lost any permission he had to utilize the computer system when he breached his duty of loyalty to the employer by deleting company property from the laptop computer around the time of his resignation. (11)
The Eleventh Circuit upheld a criminal conviction under the CFAA of a former employee of the Social Security Administration (SSA) who accessed personal information of friends and their relatives for non-business reasons in violation of the SSA's policies even though the employee did not utilize the information for criminal or fraudulent purposes. (12) The Eighth Circuit also upheld a criminal conviction under the CFAA in U.S. v. Teague (13) of an employee of a government contractor who pried into President Obama's student loan records without a necessary business purpose. Despite the rulings from the Seventh, Eighth, and Eleventh Circuits, other cases at the federal trial court level create murkier waters for employers looking to apply a duty of loyalty or business purpose analysis to breaches of computer use policies by employees.
In a recent Middle District of Florida decision, an employer who had been sued by an employee for wrongful termination for pregnancy discrimination filed a counterclaim against the employee for violations of the CFAA stemming from the employee's personal use of Facebook and Internet browsing in violation of the company's computer use policy. (14) The court dismissed the counterclaim holding that "the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the Internet instead of working." (15) In another Middle District of Florida decision, a CFAA claim was rejected by the court when an employee accessed customer information and deleted files from his laptop following his resignation from the company where the employer could not demonstrate that the employee obtained confidential company information from the laptop. (16) While the Barney decision was published prior to the Eleventh Circuit's decision in Rodriguez, it is unclear whether the Barney court would have applied different reasoning because both Middle District judges seemingly drew a distinction between violations of workplace policy and misappropriation of computer data.
Until there is resolution from Congress or the Supreme Court on the definition and application of "without authorization" and "exceeds authorization," should employers pursue CFAA claims against employees? The answer depends on the facts and circumstances of each particular case but there are a few things that every employer should know and consider implementing now before a CFAA issue arises in their business:
1. Institute, update, and enforce computer use policies;
2. Re-examine which employees have access to confidential or trade secret information and limit the access to necessary employees;
3. Create and follow policies for return of company property (such as laptop computers, tablets, and cell phones) in the event of a termination or resignation of an employee; and
4. Consider whether nondisclosure agreements or other restrictive covenants may be necessary to protect your business in the event that a valued employee leaves your company.
While the CFAA can be a powerful tool for employers to protect against the unauthorized access and use of protected company data that could result in loss of the company's confidential business information or damages to the company's computer network, employers should not rely too heavily on the CFAA. Instead, employers should follow the four steps outlined above to make it more likely they will avoid future litigation.
Melody B. Lynch, a senior associate in the Orlando office of Lowndes, Drosdick, Doster, Kantor & Reed, P.A., divides her work among the firm's Labor and Employment, Commercial Litigation, and eDiscovery and Privacy practices. She can be reached at firstname.lastname@example.org.