The Computer Fraud and Abuse Act (“CFAA”) may now give employers some teeth to enforce a well-crafted computer use policy. The CFAA punishes anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” 18 U.S.C. § 1030(a)(4). Although primarily a criminal statute, the CFAA also includes civil remedies and a private right of action and, therefore, has broad implications for employers who want to protect trade secrets and confidential data from unauthorized access and abuse.

In United States v. Nosal (April 28, 2011), the Ninth Circuit clarifies the reach of the CFAA in the employment context and provides some insight as to how employers may draft computer and data use policies to invoke the protections of the Act. Specifically, the Ninth Circuit held that employees not only violate the CFAA when they access a computer or database that they did not have authorization to access, but also where employees exceed authorized access by accessing information they were only entitled to access under limited circumstances.