The Fourth Circuit recently held that the Consumer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to employer's computer network to download confidential business information that he later used while working for a competitor.
Prior to his departure from his former employer, the defendant downloaded proprietary information from the plaintiff's network which he allegedly used to win a contract for business. The plaintiff filed a civil lawsuit against defendant, alleging, among other things, that he violated the CFAA when he downloaded its proprietary information. Specifically, the plaintiff alleged that its policy prohibited employees from downloading confidential and proprietary information to a personal computer.
In dismissing the CFAA claim, the trial court held, and the Fourth Circuit affirmed, that this policy only regulated the use of company information, not accessing that information. Accordingly, a violation of the policy would not support liability under the CFAA's authorized access provisions. The court ruled that the CFAA prohibits unauthorized acts of obtaining and altering information from a protected computer, not using without authority lawfully accessed information. Because the employee in this case was permitted to have access to the information at the time he downloaded it, his later use of that information for a subsequent employer did not violate the CFAA.
By its holding, the court agreed with the Ninth Circuit. However, the court rejected the Seventh Circuit’s reading of the CFAA that an employee loses lawful authority to access an employer's computer network if the access violates the employee's fiduciary duty of loyalty to the employer. The Fifth and Eleventh Circuit have similarly held that employees will exceed authorized access under the CFAA whenever they go beyond their authorized access.
While this decision may have limited Fourth Circuit employers’ ability to seek legal action against departing employees under the CFAA, employers in other jurisdictions, as highlighted above, must still consider what remedies may be available under the CFAA.