The Computer Fraud and Abuse Act (the “CFAA”) imposes criminal penalties when a “protected computer” is accessed “without authorization.” Because the CFAA applies to any computer used in foreign or interstate commerce, computer systems used by most businesses are protected by the law. As a result, the CFAA’s ban on unauthorized access is frequently cited in cases against hackers and other unauthorized third parties that intrude on a company’s information systems. The statute has other purposes, however, such as prohibiting authorized users from “exceeding authorized access.” Since the CFAA provides for civil enforcement of these prohibitions, the statute also can be useful to employers that want to recover against employees who have abused their access rights to misappropriate company information. Historically, courts have been reluctant to advance CFAA claims by employers, expressing concern at the prospect of holding employees civilly or criminally liable for their use of computer systems. In order to preserve a CFAA claim, employers must understand and appreciate the nuances of courts’ interpretations of this statute and apply that knowledge to their acceptable use policies and employment agreements. In this Alert, we review some recent cases bearing on this issue, and present a list of practical tips to help preserve a CFAA claim.

A recent decision by the U.S. Court of Appeals for the Ninth Circuit, United States v. Nosal, provides helpful reasoning on the supportability of CFAA claims. In Nosal, the court held that a company’s former employees could be held criminally liable under the CFAA for exceeding authorized access to the company’s computer system when he engaged some of the company’s current employees to help him set up a rival business. The employees he recruited downloaded and sent to him the company’s valuable proprietary information from its password-protected database prior to leaving their jobs. The employees had signed employment agreements with the company prohibiting them from disclosing such information to third parties or using it for any purposes other than legitimate business purposes. In addition, the company had a written computer use policy that prohibited employees from accessing its computer system and disclosing information in the system to outside parties or making any use of the information other than for legitimate business purposes. This policy was made clear to employees when they were hired and was reiterated each time they logged on to the company’s computer system.