The federal Computer Fraud and Abuse Act of 1986 (the CFAA) provides criminal and civil liability for individuals who obtain information, commit a fraud, or cause damage, where they have done so by accessing a computer or information on a computer without authorization, or have done so by exceeding his or her authorized access to a computer or such information. In a 2006 case, International Airport Centers, LLC v. Citrin, the Seventh Circuit held that where an employee accesses a computer or information thereon to further interests that are adverse to his or her employer, the employee violates his or her duty of loyalty, thereby terminating the employee’s agency relationship and losing any authority the employee had to access the computer or any information on it. The First, Fifth and Eleventh Circuits have similarly adopted a broad view and held that an employee violates the CFAA when he or she accesses a computer or information on a computer and violates the employer’s data use policies. This could include, for example, where an employer authorizes employees to utilize computers for any lawful purpose but not for unlawful purposes.
An employee would exceed permitted access if he or she used that access to misappropriate trade secrets. The Second, Third and Eighth Circuits have all interpreted CFAA in a similar manner, though they have yet to decide a case directly on the issue.
Earlier this year, in United States v. Nosal, the Ninth Circuit, sitting en banc, interpreted the CFAA terms “without authorization” and “exceeds authorized access” more narrowly, partly based on the “Rule of Lenity,” which favorsa narrow interpretation of criminal statutes. The decision further clarified the narrow construction of these terms set forth in a 2009 Ninth Circuit decision, limiting the CFAA to computer “hacking” situations where an individual accesses a computer or information on a computer without permission, and excluding from the CFAA’s reach situations where an individual violates only data use restrictions. Under the Nosal view, an employee would not be violating the CFAA if the employee used his or her permitted access to misappropriate trade secrets. Several district courts have since adopted the Nosal view.
In a July 2012 decision, WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit became the first federal appeals court to join the view of the Ninth Circuit in Nosal. In Miller, the defendant, while working for the plaintiff, allegedly downloaded proprietary information for the benefit of his subsequent employer. The Fourth Circuit stated that the CFAA is a criminal statute that must be construed narrowly and is meant to target hackers, not “workers who access computers or information in bad faith, or disregard a use policy.” This circuit split is ripe for a determination by the Supreme Court.