A recent opinion from a Massachusetts-based federal court illustrates that courts are still not totally sure how to apply the Computer Fraud and Abuse Act (CFAA). In this case, the uncertainty worked in favor of an employer who was trying to clamp down on some former employees.
Advanced Micro Devices (AMD) claimed that several employees took confidential AMD data with them when they left the company and headed for a competitor's greener pastures. AMD claimed that two provisions of the federal CFAA applied. First, Section 1030(a)(2)(C) makes it a crime for a person to “intentionally [access] a computer without authorization or exceed authorized access and thereby [obtain] … information from any protected computer.” And Section 1030(a)(4) makes it a violation to knowingly and with intent to defraud access a computer without authorization, or by exceeding authorization, and ... obtain anything of value. The CFAA also provides civil claims for such violations.
According to the CFAA, the phrase “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain ... information in the computer that the accessor is not entitled so to obtain.” But, to make things interesting, Congress didn’t bother to define the word “authorization,” or the phrase “without authorization.”
Federal appellate courts have taken two views of “authorization.” Some courts have interpreted the term strictly -- a person either has authority to access the data or not. What the person does with the data doesn’t really matter. Pretend your computer system is your house, and “access” means you gave your cleaning lady a key. These courts would say the cleaning lady was “authorized” to be in your house even if she robbed you blind while there.
Other courts have looked at “authorization” more broadly. These courts judge “authorized” by what the person did while in the site, even if the entrance was “authorized.” So back to the cleaning lady – if she breached her duty of loyalty by ripping you off, her entrance wasn’t authorized.
In this case, the court denied the former employees’ motion to dismiss, which means it seemingly adopted the broader view. But that may not be the case. The court simply noted that AMD had pleaded enough facts to allow it to move forward with the lawsuit.
But the court instructed AMD that it would need to gather evidence that one or more of the former employees used fraudulent or deceptive tactics to obtain confidential AMD information, or that they intentionally overcame a technological barrier to obtain it. That sounds like the court is leaning more toward the narrow view of “authorization,” but wanted to give AMD the chance to at least make the case.
There are state and common law remedies to deal with disloyal employees. So the CFAA is one of several bullets in an employer’s metaphorical holster. And until the U.S. Supreme Court clarifies the CFAA, employers such as AMD may as well use it.