The United State Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his past assistant’s password to access his former employer’s computer system after his access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)
The CFAA has generated much debate among the courts regarding the scope of its application. Some forms of “unauthorized access” are obvious – e.g. a hacker breaking into a protected computer system resulting in data theft is clearly a CFAA violation and is the type of event the CFAA was originally designed to protect against. However, other circumstances, particularly in the employment context, can blur the lines of what is considered “unauthorized access” under the CFAA.
For example, in International Airport Centers, LLC v. Citrin, the Seventh Circuit held that where an employee accesses an employer’s computer or information to further interests adverse to the employer, the employee has violated his or her duty of loyalty and in turn “exceeds authorized access” under the CFAA. The First, Fifth and Eleventh Circuits have taken a similar expansive view that an employee violates the CFAA when he/she accesses the computer system in violation the employer’s data use policies. In U.S. v. John, the Fifth Circuit held that an employee violated the CFAA when she retrieved confidential customer account information she was authorized to access and transferred it to her half-brother for the purpose of committing a fraud. Under this expansive view, there is the potential for more ordinary forms of password-sharing could be prosecutable under the CFAA. For instance, an employee’s use of a colleague’s password that is out sick to access a presentation or print a document.
Conversely, other courts have taken a more narrow approach to CFAA application. The Fourth Circuit held in WEC Carolina Energy Solutions LLC v. Miller that an employee who allegedly downloaded proprietary information from an employer’s computer system for the benefit of his subsequent employer did not violate the CFAA. The Fourth Circuit emphasized that the CFAA is a criminal statute that should be construed narrowly and is meant to target hackers as opposed to “workers who access computers or information in bad faith, or disregard a use policy.”
In light of the conflicting jurisdictional interpretations of the CFAA, companies should review their policies and procedures to ensure access rights and limitations to their information and information systems are clearly defined and effectively communicated to their employees. Further, when faced with apparent unauthorized access to computer systems – especially if password sharing is involved – companies should conduct an analysis to determine if a potential CFAA violation has occurred.