A federal court in Louisiana recently wrestled with the question posed in the headline, and answered yes. But that may not be the final answer. It's a question the United States Supreme Court may ultimately need to resolve. And the answer will have a direct impact on the application of a federal statute.
The statute in question is the Computer Fraud and Abuse Act (CFAA). The CFAA makes it a crime for anyone to access a computer without authorization or in excess of authorization. It also provides a private civil cause of action to the victim.
On its face, the statute seems to prohibit good old-fashioned “hacking.” That is, when some computer genius sitting in his basement figures out how to tap into some company’s computer system and steal personally identifiable information, the law comes into play. But in cases from all over the country, courts have considered a less obvious scenario – an employee who is authorized to access his company’s computer system downloads proprietary information just before taking a job with a competitor. Not exactly the basement-dwelling hacker, but could this qualify as a violation?
Well, maybe. The Louisiana federal court faced this question when a company called Associate Pump & Supply filed suit against former salesman Kevin Dupre. According to the suit, while still employed by APS, Dupre started a competing company and downloaded confidential information for use in the new business. For good measure, Dupre also allegedly deleted other APS files. APS included a count for a CFAA violation based on this conduct.
Dupre argued that the CFAA didn’t apply because he was authorized to access the computer while employed by APS. In his view, the fact that he misused the data had no bearing on his authorization to obtain it in the first place. That’s not an unreasonable position, and a number of courts have ruled that way.
But the court hearing Dupre’s case is not one of them. It found that Dupre violated company policies protecting the confidential information he accessed, and he allegedly misused the protected information in violation of those policies and his confidentiality agreement with APS. That was enough to make his access unauthorized.
The Louisiana federal court is part of the Fifth Appellate Circuit. It cited precedent from that circuit supporting its ruling. Other circuits, however, have taken a narrower view of the term “authorized.” And when there is a split in the circuits, the United States Supreme Court has the jurisdiction to settle the issue once and for all.
I suspect that will happen eventually. But until then, employers who want to reserve the right to sue a disloyal employee under the CFAA should take a look at their confidentiality policies and define “authorized access” in a way that renders access “unauthorized” if the intended use of the data is improper.