About Us  |  About Cheetah®  |  Contact Us

Misuse of info employees were authorized to access did not ‘exceed authorized access’ under CFAA

By Joy P. Waltemath, J.D.

To hold otherwise would allow “employers, rather than Congress, to define the scope of criminal liability by operation of their employee computer-use policies.”

Although two sales reps allegedly accessed confidential company information from their company-issued computers and cell phones and then abruptly resigned, using the information in violation of company policy, their employer’s claims under the federal Computer Fraud and Abuse Act (CFAA) were properly dismissed. While their conduct “might violate company policy, state law, perhaps even another federal law,” because the employer conceded that the employees were authorized to access the information, its claim under the CFAA failed, ruled the Sixth Circuit, affirming dismissal of this federal claim (Royal Truck & Trailer Sales and Service, Inc. v. Kraft, September 9. 2020, Readler, C.).

According to the employer’s complaint, just before resigning the two sales reps emailed customer quotes and pricing information to their personal email accounts, and then deleted and reinstalled the operating system on one’s company-issued laptop and reset the other’s company-issued cell phone to factory settings, essentially making their data unrecoverable. Then they went to work for a competitor.

CFAA elements. To state its CFAA claim, the company had to plead that: (1) its two former employees intentionally accessed a computer; (2) the access was unauthorized or exceeded their authorized access; (3) through that access, the employees obtained information from a protected computer; and (4) the conduct caused loss during any one-year period aggregating at least $5,000 in value. At issue here specifically was whether the sales reps exceeded their authorized access when they sent their previous employer’s confidential information from their work devices to their personal email accounts, misusing the accessed information in violation of company policy.

“Exceeds authorized access.” The Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Carefully parsing the text, the appeals court reasoned that the statute means that “one who exceeds authorized access has permission to enter a computer for specific purposes, yet later obtains (or alters) information for which access has not been authorized.”

In other words, the statutory provisions are designed to punish those who “breach cyber barriers without permission” rather than those who “misuse the data they are authorized to obtain.” Looking at the damages and loss provisions of the Act confirmed to the court that the statute wasn’t intended to address the misuse of sensitive business information by an employee who has authorized access.

Sales reps had authorization. That statutory interpretation defeated the employer’s claim here, concluded the court. Since the two sales reps had authorization to access the information, their conduct did not exceed their authorized access under the statute. There was no reason to rely on the rule of leniency since the statutory language could be clearly ascertained; nor did the court find it necessary to consult the legislative history. Plus, the Supreme Court has agreed this term to hear Van Buren v. U.S., a criminal case that would give the High Court the opportunity to resolve the meaning of CFAA’s “exceeds authorized access” language.

Circuit split. Mindful of the circuit split that already existed, the Sixth Circuit nonetheless agreed with the approach of the Second Fourth, and Ninth Circuits that have held that “one who is authorized to access a computer does not exceed her authorized access by violating an employer’s restrictions on the use of information once it is validly accessed.” But it noted that its decision conflicted with the First, Fifth, Seventh, Eighth, and Eleventh Circuits, all of which “have more broadly interpreted ‘exceeds authorized access.’”

Who defines what is criminal? The Sixth Circuit also noted its concern that the more broad interpretation, which allows liability for misuse of information that an employee is entitled to access, effectively allows “employers, rather than Congress, to define the scope of criminal liability by operation of their employee computer-use policies,” which the CFAA does not mention. “We should be hesitant to impose federal sanctions for conduct as pedestrian as checking one’s private social media account on a work phone,” suggested the court.

Deleted data. In principle, deleting data, as the employer also argued here (as opposed to misusing authorized information), might more likely be encompassed within “exceeding authorized access,” remarked the appeals court, but the complaint still failed to allege that the sales reps “thereby” obtained information from a protected computer, which is required under CFAA. Consequently, the court rejected this theory as well and affirmed dismissal of the federal claims.