The Computer Fraud & Abuse Act ("CFAA"), 18 U.S. § 1030, is a criminal statute that allows an employer to assert civil claims if an employee accesses a computer without authorization or in excess of authorization, and then takes specific forbidden action, ranging from obtaining information to damaging a computer or computer data. See 18 U.S.C. § 1030(a)(1)-(7) (2004). The CFAA can be a valuable weapon in protecting trade secrets, particularly if it would be tactically advantageous to commence the action in federal court.
In LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) ("Brekka"), the U.S. Court of Appeals for the Ninth Circuit held that an employee who emailed several business documents to his and his wife's personnel accounts while employed by LVRC Holdings did not access a computer "without authorization" and, therefore, did not violate the CFAA because he was permitted to use the computer. In United States of America v. Nosal, 642 F.3d 781, 783-85 (9th Cir. 2011) ("Nosal"), the district court, relying on Brekka, held that, because the conspirators had authority to obtain information from the database for a legitimate business purpose of their employer, they did not exceed their authorized access by doing so, even if they acted with fraudulent intent. The Ninth Circuit reversed and distinguished Brekka on the grounds that, in Brekka, the employer did not affirmatively place limitations on the employee's permission to use the computer. Nosal, 642 F.3d at 786-88. In Nosal, however, the employer had instituted computer access restrictions. The Ninth Circuit found that, because of those restrictions, the employee had knowledge of the limitations the employer has placed on the use of the computer and, therefore, the employee's use exceeded "authorized access" and violated the CFAA. Id. This holding is consistent with decisions rendered by other circuits. See United States v. John, 597 F.3d 263 (6th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-584 (1st Cir. 2001); and United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).
In light of these decisions, employers that wish to invoke the CFAA should implement written policies that clearly communicate to employees the purposes for which company computers can be used.