On December 3, the Second Circuit Court of Appeals became the most recent entrant into the circuit conflict on the question of when and under what circumstances an employee’s use of a computer to gain access to unauthorized information constitutes a violation of the Computer Fraud and Abuse Act. Over a dissent, the Court held that an employee cannot be convicted of violating the CFAA when he uses a database, to which he has been granted access, in a manner that is prohibited by company policy. With the Second Circuit joining the Fourth and Ninth Circuits in the minority on the issue, the answer continues to turn on the jurisdiction in which the suit was brought. Employers should take note because the decision reinforces the need to consider carefully whether and how to limit employee access to sensitive company information within its network—e.g., by use of written policy or technical access restrictions—and how those protections will play out in court if an employee takes company information for use in future employment.
The CFAA is the primary tool used by federal prosecutors against criminal hackers. However, it also gives private plaintiffs the right to bring a civil action for compensatory damages and injunctive relief against individuals who cause damage or loss in connection with a violation of the CFAA. 18 U.S.C. § 1030(g). Specifically, the CFAA creates liability for “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). In the civil context, the statute is frequently implicated when employees—particularly, departing employees—access company computers for non-company purposes, including to gather information to help a new or prospective employer. Because employees generally have some access to their employer’s computer systems, employers bringing suit under the CFAA must typically rely on the “exceeds authorized access” prong of the statute to make out a claim—a harder showing to make than proving one accessed a computer without any authorization.
Exceeding Unauthorized Access
In Valle, the Second Circuit was confronted with the principal question that has divided the federal courts in these cases: Does an employee “exceed authorized access” when, in the course of utilizing his computer (as he is permitted to do for his job), the employee accesses information for unauthorized purposes? Valle was a New York City police officer who was convicted under the CFAA for accessing a law enforcement database. He had been granted access to the database, but was accused of accessing it for personal use—namely, searching for individuals that were the subject of his online chats concerning violent fantasies—which was prohibited by department policy.
The Second Circuit in Valle held that to “exceed authorized access,” an employee must truly trespass or hack into areas of a computer system he or she was not authorized to access at all (e.g., a particular drive or database). It, thus, limited application to instances in which an individual accesses a computer or information on a computer without permission. By contrast, the First, Third, Fifth, and Eleventh Circuits concluded that an employer’s grant of authority to an employee to access information for a particular purpose does not confer upon the employee authority to access that information for an alternative, unapproved purpose. Therefore, the employee “exceeds authorized access” when he violates the employer’s policy for accessing computer-stored information.
Key Takeaways for Employers
The potential applicability of the CFAA to employee conduct is of interest to employers for three main reasons. First, the CFAA captures a broader range of conduct than does a traditional trade secrets claim; it doesn’t require a showing that the accessed information rises to the level of a trade secret. Second, for employers seeking to avail themselves of the federal judicial system, the CFAA is one of the few independent causes of action an employer can utilize to pursue a federal cause of action relating to such theft. Third, the CFAA allows for criminal enforcement, compensatory damages, and injunctive relief.
These decisions, thus, have important implications for how companies grant/limit employee access to key data and information. Given that many companies operate nationwide, they should keep in mind the Second Circuit’s (as well as the Fourth and Ninth Circuits’) narrower interpretation of the CFAA, and implement strong technical access restrictions as part of their identity access management program and use of privileged identity management software (PIMS) to limit access to company sensitive information, not just written policy limitations. These strategies are not only best practices from a security perspective—they will increase the protection of information within the network—but they will also give employers better footing if a CFAA action proves necessary.