Circuit Split: How Does the CFAA Apply to Employment Cases?


[author: Cynthia Augello]

Imagine a disgruntled employee rummaging through your company’s confidential files and covertly stealing trade secrets to use as he builds a competing business. What recourse would you have against the rogue employee?

The Computer Fraud and Abuse Act (“CFAA”) provides a potential avenue for the company to seek redress against the siphoning of confidential information by mischievous employees. The CFAA was enacted in 1984 as a mechanism to combat the escalating problem of computer hacking. However, since its inception, the CFAA has expanded to encompass a broad array of behavior. Under the CFAA, an individual can be subject to criminal and civil liability for “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access.”[1]

However, what constitutes “authorization” remains unsettled, and discrepancies in interpretation have resulted in a circuit split. The Fifth, Seventh, and Eleventh Circuits have adopted a broad statutory interpretation, finding that an employee acts “without authorization or in excess of his authority when the employee acquires an interest adverse to his employer or breaches a duty of loyalty owed to the employer.”[2] Conversely, narrower readings have been adopted by the Ninth and Fourth Circuits as well as district courts within the Second Circuit, finding that the CFAA applies only when the employee improperly accesses information. Therefore, misappropriation of information retrieved through authorized means would not trigger liability.[3]

Recently, in United States v. Nosal, the Ninth Circuit held that the term “exceeds authorized access” as used in the CFAA “is limited to violations of restrictions on access to information, and not restrictions on its use.”[4] The Fourth Circuit’s decision in WEC Carolina Energy Solutions, LLC v. Miller also held that liability will not be imposed on an employee who accesses electronic information in a permissible manner and subsequently misuses that information.[5] Under this interpretation, if our hypothetical employee retrieved the company’s confidential information through permissible means and later improperly used that information to the detriment of the company, the employee would nevertheless be free from liability. For instance, in United States v. Nosal, the company’s proprietary information was transferred to David Nosal by an accomplice who had permission to access such information.[6] Although Nosal used the information received to start a competing business, his accomplice’s authorized access allowed him to escape liability.[7] In reaching this conclusion, the Court emphasized the rule of lenity, a method of statutory construction whereby penal laws are to be construed narrowly in order to provide adequate notice of violations. Specifically, the Court stated that if a company simply decided to alter its employee-use policies, “behavior that wasn’t criminal yesterday can become criminal today without any act of Congress, and without any notice whatsoever.”[8]

However, if Nosal had engaged in similar conduct under the jurisdiction of a circuit that employs a broad interpretation of the CFAA, he would certainly find himself subject to a much different standard. Given that the information retrieved was used to start a competing business, it clearly represented an interest that was adverse to his employer, and under traditional agency principles such conduct would constitute a breach of loyalty. Once this duty of loyalty has been breached, the employee is no longer acting with authorization. For instance, the Seventh Circuit held that once the duty of loyalty has been breached it “makes the accessing of computer files that had previously been authorized transform into unauthorized access under the CFAA.”[9] Additionally, the Fifth and Eleventh Circuits hold that unauthorized access occurs when an employee is aware of the company’s terms-of-use policies but decides to violate such policies by using information in a prohibited manner.

Unfortunately, such divergent interpretation will likely remain the norm until the Supreme Court steps in to resolve the issue. However, the Justice Department decided not to seek certiorari in Nosal, so any guidance from the Supreme Court appears to be in the distant future.

[1] 18 USCS § 1030(a)(4).

[2] Different Strokes: Interpreting Computer Fraud and Abuse Act, New York Law Journal (Sept. 4, 2012) (internal quotation marks omitted).

[3] Id.

[4] United States v. Nosal, 676 F.3d 854 (9th Cir. April 10, 2012) (emphasis in original).

[5] WEC Energy Solutions, LLC v. Miller, No. 0:10-CV-02775, CMC (4th Cir. July 26, 2012).

[6] Nosal, 676 F.3d at 864.

[7] Id.

[8] Id. at 862.

[9] NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1060 (S.D. Iowa 2009).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cullen and Dykman LLP | Attorney Advertising
