About Us  |  About Cheetah®  |  Contact Us

CFAA claims are already uphill for employers and may disappear under reform legislation

August 2nd, 2013  |  Lorene Park

By Lorene D. Park, J.D.

The Computer Fraud and Abuse Act (CFAA) prohibits a person from knowingly and with intent to defraud accessing a protected computer without authorization, or exceeding authorized access in order to further the intended fraud or obtain anything of value. In the employment context, the typical CFAA claim involves an employer’s allegation that employees downloaded confidential information to personal devices or email accounts before leaving to join a competitor; in many cases breaching confidentiality agreements. The problem with such claims is that the CFAA does not define “without authorization.” Further, it defines “exceeds authorized access” but the parameters of “authorized access” are elusive. Courts disagree on how to interpret these terms but a clear majority is emerging that makes employer CFAA claims an uphill battle. Moreover, legislation was introduced in June that may foreclose most employment-related CFAA claims.

Conflicting interpretations

A federal district court in Massachusetts recently explained the conflicting interpretations of the term “exceeds authorized access” (Advanced Micro Devices, Inc v Feldstein, June 10, 2013). The narrow approach reflects a technological model; the scope of authorized access is defined by the barriers preventing it. If an employee was authorized to access a server, any data accessed was with authorization no matter how it was used. By contrast, the broad interpretation defines access in terms of agency and use. If an employee breaches a duty or contract, or acquires an interest adverse to the employer, authorization to access information on the employer’s computer ends. Finding that the broad interpretation pulls trivial contract violations into the realm of criminal penalties, the court adopted the narrow interpretation.

Majority view emerging

Adopting a similar view, a federal district court in Minnesota dismissed an oil recovery company’s CFAA claim against a former employee who downloaded its customer information, presumably to be shared with her inlaws’ newly formed company (Lube-Tech Liquid Recycling, Inc v Lee’s Oil Service, LLC, June 3, 2013). The employee had never accessed information that was off-limits, and, in fact, one of her main duties was to implement a software program to catalogue the customer list for the employer.

A federal district court in Pennsylvania also adopted the narrow approach to the definition of “exceeds authorized access,” dismissing CFAA claims against employees who started working for a competitor before resigning, during which time they downloaded thousands of documents to external devices (Dresser-Rand Co v Jones, July 23, 2013, Brody, A). Because the employees were authorized to access their work laptops and download files, they could not be liable even if they subsequently misused the documents to compete with the employer.

Most recent cases involving similar CFAA claims against employees and former employees meet the same fate and it appears that the narrow interpretation of the term “authorized access” may be the majority approach. Now for the kicker — this debate may become an academic exercise if Representative Zoe Lofgren (D-CA) has her way.

CFAA reform: Aaron’s Law

On June 20, 2013, Lofgren, along with Reps. James Sensenbrenner (R-Wis), Mike Doyle (D-Pa), Yvette Clarke (D-NY), and Jared Polis (D-Colo), introduced a CFAA reform bill, H.R. 2454, which essentially adopted the narrow interpretation of the terms “without authorization” and “exceeds authorized access” set forth by the Fourth Circuit in WEC Carolina Energy Solutions, LLC v Miller (July 26, 2012, Floyd, H). The appeals court held that employees who violated a use policy to download an employer’s confidential information could not be liable under the CFAA; such liability was limited to individuals who access computers without authorization or obtain or alter information beyond the bounds of their authorized access.

Under Aaron’s Law (named in honor of the late Internet innovator and activist Aaron Swartz), the term “exceeds authorized access” would be stricken and replaced by the term “access without authorization,” which would be defined as follows: “(A) to obtain information on a protected computer; (B) that the accesser lacks authorization to obtain; and (C) by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.”

As Lofgren’s summary of the measure explains, the “proposed changes make clear that the CFAA does not outlaw mere violations of terms of service, website notices, contracts, or employment agreements. The proposed definition of ‘access without authorization’ includes bypassing technological or physical measures via deception (as in the case with phishing or social engineering), and scenarios in which an authorized individual provides a means to circumvent to an unauthorized individual (i.e., sharing login credentials). Examples of technological or physical measures include password requirements, cryptography, or locked office doors.”

Companion legislation was introduced in the Senate by Ron Wyden (D-Ore), who explained that the reform is meant to clarify “a vague and outdated statute initially intended to protect government computers from malicious hacks but is now interpreted so broadly as to criminalize harmless and commonplace infractions.”

While the emerging majority view and the pending legislation may provide clarity for employers pursuing CFAA claims, this is cold comfort. Employers will largely be relegated to trade secret law, interference torts, and contract law when seeking redress for the harm caused by employees who take confidential information and use it to help a competitor.