In an unusual criminal case, the Second Circuit Court of Appeals recently weighed in on an important question at the intersection of employment law and data security.1 The decision will likely have implications wherever questions arise about unauthorized access and use of computerized data—from a disloyal employee who extracts trade secrets from an employer’s system in violation of an employment agreement, to a business that scrapes valuable information from a competitor’s website for competitive use in violation of the site’s use provisions.
The issue concerned the interpretation of the Computer Fraud and Abuse Act (“CFAA”), a statute that imposes both criminal and civil liability on any person who “exceeds authorized access” to a computer and obtains information from it. 18 U.S.C. § 1030. The federal courts have been divided on whether someone who is authorized to access particular information from a computer but does so for an impermissible purpose has violated the statute. The Second Circuit said no: if a person is authorized to access particular information from the computer, the fact that he or she did so in violation of the terms under which he or she was permitted access does not make the conduct unlawful under the CFAA.
The case involved Gilberto Valle, who has been dubbed by the press as the “Cannibal Cop.” Valle was a New York City police officer who participated in an Internet sex fetish community called Dark Fetish Network (“DFN”). According to the case opinion, Valle communicated with other DFN members about committing horrific acts of sexual violence, including kidnapping, raping, torturing, and cannibalizing various women. Using an NYPD computer program, he searched for information about a particular woman whom he had discussed kidnapping with another DFN member. Although he was permitted to use the computer program as part of his job, this particular search violated NYPD policy, which barred use of the program for purposes other than an officer’s official duties.
Based on this conduct, Valle was charged with violating the CFAA and with conspiracy to kidnap. A jury found Valle guilty on both charges. The trial judge granted Valle’s motion for a judgment of acquittal on the conspiracy charge but let stand the jury’s verdict of guilt on the CFAA charge.
Reviewing the statutory language, the legislative history, and the motivating policies behind the Act, the court found some support for both interpretations. However, because the CFAA is a statute that carries criminal penalties, the court applied the rule of lenity and resolved the uncertainty in the manner that favors the defendant. The court thus found that if a defendant was authorized to access information from a computer for any purpose, then the act of accessing it does not violate the CFAA, even if the defendant used the information for an improper purpose.
The court expressed concern that the prosecution’s reading of the statute would make the application of a criminal statute depend on “the vagaries of private policies that are lengthy, opaque, subject to change and seldom read.”2 The prosecution’s argument, the court noted, would make a criminal out of “any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy.”3 Therefore, the court reversed the judgment of conviction as to the CFAA charge.4
The Importance of the Decision
The use of the CFAA to punish persons like Valle, who accessed a federal database to obtain information about an alleged intended kidnapping victim, or even disloyal employees who attempt to extract an employer’s trade secrets, may strike many as very different from the prospect of bringing this statute to bear on persons who merely use information available on publicly accessible websites in violation of the posted terms of service. The hypothetical prosecution of “millions” of Americans for the latter “offense” weighed on both the majority in Valle and in prior decisions of other courts that have adopted the narrower view of the reach of the CFAA.7 Thus, in order to avoid possible application of the CFAA to unintended and seemingly draconian circumstances, the court construed it as inapplicable to any instances where the defendant had actual access to the computerized information but used it for an unauthorized purpose, no matter how clear the prohibition or the user’s assent to such conditions on access.
The court’s decision in Valle further deepens an existing split among the federal courts of appeals.8 It was also accompanied by a vigorous dissent from one member of the three-judge panel. It is therefore a potential candidate for review by the en banc Second Circuit Court of Appeals or the United States Supreme Court. At present, however, the Valle decision likely removes a valuable weapon in a business’s arsenal against those who would misappropriate its data, while providing some comfort to users of publicly accessible websites that a violation of posted terms will not by itself lead to CFAA sanctions in the Second Circuit.
The CFAA was enacted in the 1980s, before there were personal computers with Internet access on virtually all desks (and certainly those of every employee), and, at a time when hacking and data breaches did not grab headlines on a weekly basis. Nonetheless, the security of proprietary data can be threatened not only by technical hacking but by all manner of unauthorized use. The statute is undoubtedly due for an overhaul so that Congress can speak with more precision to the types of conduct it intends to penalize, in light of current circumstances and shifts in the technological, legal, and regulatory landscape.
In the interim, decisions such as Valle serve as a reminder for businesses to ensure that other data security measures are in place to protect information that they intend to share with limited groups of users and for limited purposes. These measures include comprehensive confidentiality and computer use policies for employees, clear and enforceable website terms and conditions, placing data behind affirmative assent walls (requiring the user to click “I agree” to obtain access), and robust contracts with subscribers and customers. Implementation of these types of policies and practices increase the ability of businesses to pursue remedies for breach of contract (or, in the case of misuse of information by employees, for breach of the duty of loyalty) in cases where the CFAA might have been applied in the past.