Could it possibly be as unlawful to lie about your age as it is to download trade secrets from your employer's computer? Some say that both may constitute a violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and therefore the statute must be amended.

In recent years, the number of prosecutions under the CFAA has increased.   These cases have been watched closely by many employers because the CFAA is not just a criminal statute.  Rather, provided certain conditions are met, the civil provisions of the CFAA create a private right of action against those who wrongfully access, or exceed their authorized access, to a protected computer (as defined by the CFAA to include computers used in interstate or foreign commerce or communication).

Federal courts have split on what it means to "exceed authorized access." For instance, the Eleventh Circuit concluded not too long ago that an employee "exceeded authorized access" under the CFAA by accessing information on a computer in a manner contrary to an employer's written policies. Rejecting this analysis, the U.S. District Court for the Southern District of New York stated that it would be wrong to "expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense."

While the courts continue to differ in their views, the debate recently shifted to the halls of Congress. In testimony before the House Committee on the Judiciary, GWU Law Professor Orin Kerr offered some extreme examples in the hope that they would spur Congress to narrow the definition of "authorized access." Professor Kerr explained: "It is common for computers and computer services to be governed by Terms of Use or Terms of Service that are written extraordinarily broadly....The Terms of Use of the popular Internet dating site says that “You will not provide inaccurate, misleading or false information any other Member....If a user writes in his profile that he goes to the gym every day – but in truth he goes only once a month – he has violated's Terms of Use.  Similarly, a man who claims to be 5 foot 10 inches tall, but is only 5 foot 9 inches tall, has violated the Terms.  So has a woman who claims to be 32 years old but really is 33 years old."  (A copy of Professor Kerr's written testimony is available in pdf format below.)

Providing a different view was Richard W. Downing, Deputy Chief, Computer Crime and Intellectual Property Section, Criminal Division of the Department of Justice. Downing noted, "Some have argued that the definition of “exceeds authorized access” in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider.  We appreciate this view, but we are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution."  Downing continued, "Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose."  (A copy of Mr. Downing's written testimony is available in pdf format below.)

Whether the CFAA will be amended remains an open question.  For now, the courts will likely continue to grapple with the extent to which Congress originally intended the statute to apply to alleged faithless employees.

Kerr Testimony.pdf (131.59 kb)

Downing Testimony.pdf (61.39 kb)