The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to a private computer system and allows individuals who suffer harm from such conduct to bring private civil actions for relief.[1] Congress originally enacted the CFAA as an anti-hacking statute, targeting third-party individuals accessing private computer systems without authority. Because the CFAA originally targeted third-party offenders, its language is unclear as to whether it applies to an employee who has authorized access to a computer but then exceeds the scope of that authorized access and misuses or misappropriates confidential information. Courts have had trouble applying the ambiguous language of the CFAA. The Circuit Courts of Appeals have not provided clear guidance on the interpretation of two important terms used in the CFAA, namely "authorization" and "exceeds authorized access."
A Narrow Interpretation of the Terms "Authorization" and "Exceeds Authorized Access"
The United States Court of Appeals for the Ninth Circuit recently settled on a narrow interpretation of the terms "authorization" and "exceeds authorized access" in an en banc decision.[2] In United States v. Nosal, an employee left an executive search firm to start his own competing business. Before leaving, the defendant convinced several former colleagues still employed by the firm to download source lists and to transfer the confidential information to him. The employees had authorized access to the database, but the firm had a policy that prohibited (1) using confidential information for nonbusiness purposes and (2) transferring the information to third parties. The government indicted the defendant for aiding and abetting the employees in accessing a protected computer "without authorization," or "[exceeding] authorized access," with the intent to defraud.[3]
The defendant filed a motion to dismiss the CFAA charges, arguing that the statute applies only to individuals who access a computer without authorization; the CFAA did not apply to individuals who have authority to access a computer but later misuse the information. The Ninth Circuit agreed with the defendant and rejected the Government's broader interpretation that "without authorization" could include unauthorized use of information.[4] Focusing on the rule of lenity—the statutory rule of construction requiring that penal laws be construed strictly to give fair notice—the Ninth Circuit adopted a narrow construction to prevent "[making] criminals of large groups of people who would have little reason to suspect they [were] committing a crime."[5] The court noted that a broad construction could turn "minor dalliances," such as checking social media sites or instant messaging with friends at work, into a federal crime.[6] The Ninth Circuit also explained that, if the broader interpretation of the CFAA (as adopted by other courts) applied, a company's unilateral changing of its terms-of-use policies could mean that "behavior that wasn't criminal yesterday can become criminal today without any act of Congress, and without any notice whatsoever."[7] The Ninth Circuit indicated that the courts which have adopted the broader interpretation of the CFAA described below looked only at the culpable conduct before them and failed to consider their broad interpretations' impact on millions of ordinary citizens.[8]
Judge Silverman's dissenting opinion created tension among the judges of the Ninth Circuit. Judge Kozinski's majority opinion refused to equate "exceeds authorized access" with the treatment of that terminology under trade secret law, where information is lawfully accessed and sourced but used for a prohibited purpose.[9] Judge Kozinski explained that the CFAA "targets the unauthorized procurement or alteration of information, not its misuse or misappropriation."[10] In contrast, in his dissenting opinion, Judge Silverman reasoned that the treatment attorneys are accustomed to applying in trade secret cases for the concept of exceeding authorized access should prevail.[11]
The United States Court of Appeals for the Fourth Circuit recently adopted a similar construction of the CFAA, holding that extending "without authorization" and "exceeds authorized access" to include the improper use of information validly accessed would impose liability beyond what Congress had intended.[12] District courts in the Second, Fourth, Sixth, Eighth, and Tenth Circuits have also adopted similarly narrow interpretations of the CFAA.[13]
A Broad Interpretation of the Terms "Authorization" and "Exceeds Authorized Access"
The Fifth and Eleventh Circuits focused on an employer's terms-of-use policies and the employee's knowledge of those policies. In United States v. John, an account manager at Citigroup had authority to access customer account information and provided her half-brother with confidential customer information to incur fraudulent charges.[14] The Fifth Circuit held that the employee "[exceeded] authorized access" because she exceeded the purpose for which her access was given. The employee knew of the bank's policy prohibiting the misuse of confidential customer information, and she should have known that accessing the information to further a criminally fraudulent scheme was prohibited.[15] Similarly, the Eleventh Circuit in United States v. Rodriguez held that a Social Security Administration employee exceeded his authorized access when he obtained people's personal information from the confidential database for nonbusiness reasons.[16]
The Seventh Circuit has taken an even broader interpretation, applying agency theory to find that an employee did not have "authorization." In International Airport Centers, LLC v. Citrin, an employee decided to quit his current employer to start a competing business, in violation of his employment contract.[17] Before leaving his job, he deleted files from his work laptop, including information revealing that he had decided to resign and develop a competing business. The defendant argued that he did not violate the CFAA when he destroyed the data because the employee policy allowed data deletion. The Seventh Circuit rejected this argument, stating that when the defendant decided to quit the company in violation of his employment contract, he breached his duty of loyalty and was no longer authorized to access his laptop.[18]
Implications for Employers
Courts that follow the Citrin approach provide the broadest protection to employers. In jurisdictions following the duty-of-loyalty approach, employers should set up boundaries, whether through contracts or workplace policies, that will quickly trigger the termination of the agency relationship with their employees. The language used does not have to be overly specific or detailed, since the important issue appears to be whether employees acted disloyally or with a wrongful purpose towards the employer. Employers should nonetheless draft their contracts and policies with these general considerations carefully in mind.
Under the narrow interpretation of the Ninth and Fourth Circuits, employers should be careful in managing employee access to proprietary information. Technical and physical security measures are more important in these jurisdictions because the CFAA will not easily apply, and employers will need to rely on trade secret, breach of contract, and certain employment law claims instead. Cases like Nosal highlight the importance of employers maintaining and enforcing meaningful access restrictions for their employees. Employees should have access to information only on a need-to-know basis, with limits set in geographical, departmental, and/or subject-matter terms. Access to information should be expanded only if and when necessary for a business purpose, and appropriate steps should be taken promptly to revoke an employee's access to sensitive information when necessary.