A Pennsylvania federal magistrate judge has tossed an employer’s claims under the Computer Fraud and Abuse Act (CFAA), holding that the CFAA does not extend to punish employees for the misuse of information that was accessed with permission. The recent ruling follows the Fourth and Ninth Circuits, and district courts in the Third Circuit, in endorsing a narrow view of the CFAA, making it more difficult for employers in those jurisdictions to state a claim under the CFAA against disloyal former employees. Consequently, employers should review the levels of computer system access granted to employees, as well as the scope of information that may be accessed at different levels.
In Carnegie Strategic Design Engineers v. Cloherty, et al., engineering firm Carnegie sued five former employees who it claimed had departed with confidential business information accessed through the company’s secure computer network, and then used that information when they went to work for a competitor. Carnegie valued the information at $10 million. The complaint included claims for violations of the CFAA, conversion, and misappropriation of trade secrets, but Carnegie dropped the latter two claims.
To state a claim for civil liability under the CFAA, an employer must show that the defendant accessed a protected computer without authorization or by exceeding authorized access. The CFAA defines the phrase “exceeds authorized access,” but not the word “authorization.” “Exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.”
Courts have been left to freely interpret the word “authorization,” resulting in a circuit split on that word’s meaning. The Courts of Appeals for the Fourth and Ninth Circuits have applied a narrow interpretation of the CFAA, holding that access to a work computer system results in authorization—and invalidates a CFAA claim—regardless of the employee’s intent or any company policies restricting the use of information. The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad view of the CFAA, wherein an employee’s misuse of information accessed permissibly revokes prior authorization, allowing a CFAA claim to proceed.
Carnegie pointed to the Third Circuit’s 2011 decision in United States v. Tolliver, in which the Third Circuit upheld the criminal conviction of a former bank employee accused of using authorized means to access customer financial information on the bank’s computer system, but then misusing that information as part of a fraudulent check-cashing scheme. Judge Cynthia Reed Eddy, however, found the Tolliver holding inapplicable. “The Court had no occasion and did not address the [meaning of the term ‘authorization’],” she stated. Judge Eddy concluded that a narrow interpretation of “authorization” is consistent with Congress’ intent to create an anti-hacker statute and the term’s interpretation by other district courts in the Third Circuit. The Tolliver court’s failure to address the circuit split, she reasoned, was evidence that it had not analyzed the meaning of “authorization.”
Carnegie’s narrow interpretation of the CFAA limits its reach in situations where confidential business information was validly accessed. An employee’s breach of a contract or policy—such as a confidentiality agreement or computer-use policy—does not revoke the employee’s authorized access, regardless of intent or detriment to the employer. The CFAA does, however, extend to situations where an employee is granted access to a computer system but then finds a way to hack into information beyond the bounds of the employee’s authorization.
The Carnegie holding addresses only contract-based restrictions on use of information, and does not address such restrictions on access to information; thus, employers also may wish to revisit their contracts with employees and employment policies to assess whether added access restrictions may keep CFAA claims afloat. Ballard Spahr will be monitoring this issue to see how the Third Circuit may respond.