Preserving a CFAA Claim When Employees Misappropriate Data


The Computer Fraud and Abuse Act (the “CFAA”) imposes criminal penalties when a “protected computer” is accessed “without authorization.” Because the CFAA applies to any computer used in foreign or interstate commerce, computer systems used by most businesses are protected by the law. As a result, the CFAA’s ban on unauthorized access is frequently cited in cases against hackers and other unauthorized third parties that intrude on a company’s information systems. The statute has other purposes, however, such as prohibiting authorized users from “exceeding authorized access.” Since the CFAA provides for civil enforcement of these prohibitions, the statute also can be useful to employers that want to recover against employees who have abused their access rights to misappropriate company information. Historically, courts have been reluctant to advance CFAA claims by employers, expressing concern at the prospect of holding employees civilly or criminally liable for their use of computer systems. In order to preserve a CFAA claim, employers must understand and appreciate the nuances of courts’ interpretations of this statute and apply that knowledge to their acceptable use policies and employment agreements. In this Alert, we review some recent cases bearing on this issue, and present a list of practical tips to help preserve a CFAA claim.

A recent decision by the U.S. Court of Appeals for the Ninth Circuit, United States v. Nosal, provides helpful reasoning on the supportability of CFAA claims. In Nosal, the court held that a company’s former employees could be held criminally liable under the CFAA for exceeding authorized access to the company’s computer system when he engaged some of the company’s current employees to help him set up a rival business. The employees he recruited downloaded and sent to him the company’s valuable proprietary information from its password-protected database prior to leaving their jobs. The employees had signed employment agreements with the company prohibiting them from disclosing such information to third parties or using it for any purposes other than legitimate business purposes. In addition, the company had a written computer use policy that prohibited employees from accessing its computer system and disclosing information in the system to outside parties or making any use of the information other than for legitimate business purposes. This policy was made clear to employees when they were hired and was reiterated each time they logged on to the company’s computer system.

Please see full article below for more information.

LOADING PDF: If there are any problems, click here to download the file.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.