One of the more bizarre stories of recent years is that of Gilberto Valle, a former New York City Police Department officer accused of being a member of an Internet sex fetish community and conspiring to kidnap, torture, cook, rape, murder, and eat various women. Valle, whom the tabloids predictably dubbed the “Cannibal Cop,” was in the news again last week when the Second Circuit ruled that he was wrongfully convicted of federal computer fraud under the Computer Fraud and Abuse Act for using his job-related access rights to restricted law enforcement databases in order to find personal information about potential victims.
Valle’s use of his police credentials to search these databases (unsurprisingly) violated NYPD rules and he was arrested, charged with and convicted of violating the CFAA, among other things. Last week, the Second Circuit threw out Valle’s conviction, concluding that his actions didn’t violate the statute’s prohibition on “exceeding authorized access” to a protected computer.
In reaching this conclusion, the Second Circuit agreed with the Fourth and Ninth Circuits that violations of computer use policies do not give rise to a cause of action under the CFAA. (The First, Fifth, Seventh, and Eleventh Circuits have essentially adopted the argument that the prosecution made against Valle – that he violated the statute because his authorization to the databases was limited to law enforcement purposes.) In other words, the Second Circuit held that exceeding authorized access in violation of the CFAA means accessing information on a computer without having authorization – not using authorized access rights for an unauthorized purpose.
Why do you care? Although Valle’s conviction was criminal, in the civil context, employers frequently claim that departing employees have accessed computer systems to obtain proprietary information to use in a new job and often bring claims against them under the CFAA. Thus, this interpretation of the statute and the continuing split regarding its scope could be relevant the next time an employee leaves with a handful (or more) of your data.