The Supreme Court Narrows the Computer Fraud & Abuse Act: What This Means for Employers

After an employee leaves to work for a competitor or starts a competing business, an employer will sometimes find out that this individual used the last days of computer access to download or email to him or herself confidential information from the employer’s network. Indeed, this former employee may have even deleted files, changed passwords to key accounts, or engaged in any number of actions that send the employer scrambling to protect itself. In such scenarios, employers have several options when it comes to pursuing a claim against this former employee, including a claim in federal court under the Computer Fraud and Abuse Act (“CFAA”).

The CFAA criminalizes various fraudulent or damaging activities related to the use of computers. It also allows for civil suits when such fraudulent or damaging activities cause $5,000 or more in damages. One avenue for bringing a claim under the CFAA is by asserting that the offending party “exceed[ed] authorized access” on a computer. Until recently, federal courts were divided on what it meant to “exceed authorized access.” Some held that an individual “exceeds authorized access” when he or she accesses folders, accounts, and other information on a computer that was “off-limits” to the individual. Other federal courts embraced a broader interpretation of the CFAA, finding that a person violates this statute when he or she accesses information on a computer for an improper purpose, even though he or she technically has permission to access those files. Under the latter interpretation, employers had the option of arguing that an employee “exceeds authorized access” when he or she gathers computer files to compete or engage in disloyal acts.

Recently, the Supreme Court stepped in to resolve the matter, and it adopted the narrow view. In Van Buren v. United States, the Court ruled that a person does not violate the CFAA by obtaining information he or she can generally access even if he or she is using that information for an unauthorized purpose. The case involved a police officer who took money from an associate to use a police database—which the officer could use in the course of his work—to check whether a third party was an undercover officer. Unbeknownst the officer, his associate was an undercover cop. The officer was convicted under the CFAA for “exceed[ing] authorized access” in his use of the police database for an improper purpose. The Supreme Court reversed his conviction, finding that his conduct did not violate the CFAA because he was generally authorized to access the police database. Although Van Buren is a criminal case, its holding is equally applicable to civil CFAA cases.

What is the takeaway for employers? To be clear, Van Buren does not prevent an employer from bringing various tort and trade secret claims against a disloyal employee who misappropriates confidential information—but it does limit the employer’s ability to bring such a claim under the CFAA. To preserve such a claim and to prevent the unauthorized access of information by employees, employers should review the security of particularly sensitive information on their computers and networks. Companies should consider password-protecting specific materials on a computer network, providing access only to employees who have a business need for it, narrowing the number of employees who have such access, and revising employment policies to make clear the information or areas of a network to which an individual does not have access.

As a final note, though the Supreme Court narrowed the meaning of “exceed[ing] authorized access,” the CFAA also allows for claims where an individual may have caused damage to a computer. Damage is broadly defined under the CFAA and may include deleting files, wiping devices, and even changing login information. Implementing the measures suggested above should help employers avoid this scenario; however, if a former employee inflicts such damage, an employer can likely rely on the CFAA to bring a claim.