The Computer Fraud and Abuse Act is primarily a criminal statute designed to combat hacking.
The CFAA does provide for civil remedies that should be carefully considered by employers and employees. When considering the CFAA's application in the employment law context, best practices include alerting corporate information technology departments of the necessary considerations to identify threats or theft, monitoring employees, advising employees on their obligations, and avoiding violations and potential liability. Employers should place a significant emphasis on awareness of the risks and potential ramifications of violating the CFAA.
The CFAA provides that "any person who suffers damage or loss … may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." The CFAA holds an individual civilly liable when that individual "intentionally accesses a protected computer without authorization and as a result of such conduct causes damage and loss."
Employers should consider defining the permitted scope of access to corporate computer systems and databases, as well as specifying the definitions of "without authorization" and "exceeding authorization" in policies and procedures. While most employers routinely block network access once an employee leaves, special attention must be paid to information accessed, copied or deleted by the employee, and a detailed forensic analysis may be appropriate.
To bring a civil action under the CFAA, a plaintiff must show that the defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that the employee (3) thereby obtained information (4) from any protected computer subject to interstate or foreign commerce and (5) there was a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
To "exceed authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter."
This provision has been subject to different interpretations. Depending on the facts, federal courts in Florida are bound by United States v. Rodriguez, which provides an example of the U.S. Circuit Court of Appeals for the Eleventh Circuit's broad view of the abuse provision of the CFAA.
However, a number of circuit and district courts have adopted narrower views. Yet the potential for both civil and criminal liability under the CFAA can be staggering in Florida and in other circuits that have adopted the broad view.
In Rodriguez, the court imposed criminal liability on the defendant for activities not intended to harm a government employer. The defendant, a Social Security Administration employee, accessed the personal information of 17 people for nonbusiness reasons.
The Eleventh Circuit affirmed the defendant's conviction, holding that "Rodriguez exceeded his authorized access and violated the act when he obtained personal information for a nonbusiness reason."
The court created a harsh yet bright-line analysis for the application of the CFAA without any finding of animus toward the employer or intention to impact the employer's business. Thus, employers and employees should take note of the potential ramifications of possible CFAA violations.
However, there seems to be resistance to the holding in Rodriquez in other courts. For instance, in Power Equipment Maintenance v. Airco Power Services, the court noted that a narrow definition of unauthorized access or access exceeding authorization has been adopted in other cases. Specifically, the court recognized that the proper inquiry is whether an employer had at the time both authorized the employee to access a computer and authorized that employee to access specific information on that computer.
Based on Rodriguez, the plaintiff in Power Equipment argued that "since Rodriguez, district courts in the Eleventh Circuit have rejected the [defendant's] access/use distinction … and have instead held that current employees can exceed their authorized access … when they access their employers' computers for the purpose of stealing information." The court found, however, that plaintiff's position was unsupported in post-Rodriguez case law.
In Power Equipment, the court noted that decisions of some district courts found that acting contrary to a current employer's business interests can lead to violations of the CFAA. However, the court also acknowledged that other district courts have continued to find that simply accessing an employer's computer for nonbusiness reasons is insufficient to support a claim under the CFAA. The disagreement among district courts concerning the proper scope of the CFAA continues post-Rodriguez.
Until further rulings by the Eleventh Circuit or the U.S. Supreme Court, employers need to be vigilant about defining and policing the authorized scope of access and use of an employer's computers and computer data.
In the interim, such claims will remain a sword used by employers and an area where employees may be subject to defending claims that are very costly. Employers should consider being cautious in counseling employees on their potential liability and making sure employees are aware about the exposure to which they may be subjecting themselves.