This week the 11th Circuit upheld the Computer Fraud and Abuse Act (“CFAA”) conviction and one -year prison sentence of a former Social Security Administration (“SSA”) employee who accessed the agency’s computer for non-business reasons. U.S. v. Rodriguez, 2010 WL 5253231 (11th Cir. Dec. 27, 2010). This case is significant for two reasons.

First, the court refused to adopt the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the poster child for not applying the CFAA to miscreant employees who steal their employer’s data. A critical element to prove a theft of data under the CFAA is that the defendant accessed the computer without authorization or exceeded authorized access. Brekka stands for the proposition that since an employee is permitted as part of his job to access the company computer, an employee cannot be found to have violated the CFAA. Rodriguez is the second of the Circuit Courts (in addition to the 5th Circuit) expressly to reject Brekka on an issue that ultimately will be decided by the U.S. Supreme Court.

Second, this case serves as a roadmap for employers who want to ensure that an employee who steals its data can be criminally or civilly prosecuted under the CFAA. While the CFAA is primarily the federal computer crime statute, it provides for civil remedies for anyone injured by a violation of the statute. Title 18, U.S.C. § 1030(g). Rodriguez illustrates the proactive steps a company can take to make it more likely that it can take advantage of the CFAA’s criminal and civil remedies.