Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"


[author: Ronnie London]

The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access. In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here. As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.

The CFAA is primarily a criminal statute intended to deter computer hackers, though it permits civil actions by private parties damaged as a result of a violation (assuming they incur sufficient injury). It generally prohibits intentionally or knowingly accessing a computer without authorization or exceeding authorized access in a variety of contexts, including those involving government computers, attempts to defraud to obtain something of value, and/or causing damage or loss to the computer or its data.

In WEC, the company alleged former employee Miller, and/or his assistant, either of their own volition or at the behest of a WEC competitor that Miller later joined, downloaded confidential WEC documents, which were then emailed to Miller’s personal e-mail address. WEC also alleged Miller and his assistant downloaded confidential information to a personal computer. Soon after leaving WEC, Miller reportedly used the downloaded information to make a presentation on behalf of WEC’s competitor to a potential WEC customer.

Largely following the en banc 9th Circuit decision in Nosal, the 4th Circuit held that violations by Miller (and/or his assistant) of WEC’s policies on access to and use of company confidential information could not form the basis of CFAA liability. Like the 9th Circuit, the WEC court “reject[ed] any interpretation that grounds CFAA liability on a cessation-of-agency theory.” Such liability, the 4th Circuit agreed, could too broadly impose liability for any employee use of company computers that veered outside his employer’s permissible use policy. As the court noted: “Although an employer might choose to rescind an employee's authorization for violating a use policy, we do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic.”

The 4th Circuit also noted that because its analysis involved the CFAA, a statute that has both civil and criminal applications, “special attention” was warranted as any interpretation would apply uniformly in both contexts. The court thus followed the canon of strict construction of criminal statutes, i.e., the “rule of lenity” under which, to provide fair warning of what a law intends if a certain line is crossed, interpretations not “clearly warranted” by its text are avoided. Ultimately, in the same manner as the 9th Circuit, the court in WEC refused to make the CFAA a vehicle for employers hoping to rein in rogue employees, especially given other legal remedies that exist; otherwise it would transform a statute meant to target hackers into a means for imposing liability on workers who access computers in bad faith or disregard use policies.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.