As part of his cybersecurity and privacy initiatives, President Obama proposed new legislation in January that would strengthen the federal anti-hacking provisions of the Computer Fraud and Abuse Act (CFAA). In particular, the bill would create federal civil and criminal liability for employees who steal their employers’ trade secrets through the use of the employer’s computer systems. Importantly, the law would resolve a circuit split between the First, Fifth, Eighth, Seventh, and Eleventh Circuits, on the one hand, and the Ninth and Fourth Circuits, on the other.
The current Computer Fraud and Abuse Act imposes penalties against persons who “intentionally access a computer with authorization or exceed authorized access” in order to obtain certain protected information. Under the current law, the phase “exceeds authorized access” means using authorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” But, even with that definition, the circuits have been unable to agree on what it means to “exceed authorized access.”
On one side, the First, Fifth, Eighth and Eleventh Circuits determined that this phrase encompasses violations of computer use restrictions, such as those in website terms of service agreements and employment agreements and policies. In each of these cases, the court found the defendant guilty of unauthorized access for using information obtained via authorized access for unauthorized purposes. The Seventh Circuit similarly posited that acting against an employer’s interests breaches an employee’s duty of loyalty to the company and terminates his or her authority to access the information.
In contrast, the Ninth Circuit held en banc that the phrase “exceeds authorized access” only applies to restrictions on accessing information rather than to restrictions on using information legitimately accessed. Thus, the court found that employees, who downloaded confidential information from a company database that they were authorized to access, and who then disclosed the information to someone outside the company in violation of company policy, were not guilty of unauthorized access under the CFAA. The court reasoned that the purpose of the CFAA is to prevent hacking rather than the misappropriation of trade secrets. The Fourth Circuit followed the Ninth Circuit’s interpretation.
The White House proposal would undercut the Ninth Circuit’s reasoning by extending the statutory definition of “exceeds unauthorized access” to include using authorized access to a computer “for a purpose that the accesser knows is not authorized by the computer owner.” While broadening the meaning of the term “exceeds authorized access,” the White House proposal would also narrow the situations in which “exceeding authorized access” would be illegal. According to the proposal, access exceeding authorization would only be illegal under the proposed amendment if: (1) the value of the information obtained by the unauthorized access were greater than $5,000; (2) the information were obtained from a government computer; or (3) the access were done in furtherance of another felony