|November 21, 2011|
Previously published on November 20, 2011
Could it possibly be equally as unlawful to lie about your age as it is to download trade secrets from your employer's computer? Some say that both may constitute a violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and therefore the statute must be amended.
In recent years, the number of prosecutions under the CFAA has increased. These cases have been watched closely by many employers because the CFAA is not just a criminal statute. Rather, provided certain conditions are met, the civil provisions of the CFAA create a private right of action against those who wrongfully access, or exceed their authorized access, to a protected computer (as defined by the CFAA to include computers used in interstate or foreign commerce or communication).
There has been a split of opinions among federal courts about what it means to "exceed authorized access." For instance, the Eleventh Circuit concluded not too long ago that an employee "exceeded authorized access" under the CFAA by accessing information on a computer in a manner contrary to an employer's written policies. Rejecting this analysis, the U.S. district court for the Southern District of New York stated that it would be wrong to "expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense."
Providing a different view was Richard W. Downing, Deputy Chief Computer Crime and Intellectual Property Section Criminal Division of the Department of Justice. Downing noted, "Some have argued that the definition of “exceeds authorized access” in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider. We appreciate this view, but we are concerned that that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution." Downing continued, "Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose." (A copy of Mr. Downing's written testimony is available in pdf format below.)
Whether the CFAA will be amended remains an open question. For now, the courts will likely continue to grapple with the extent to which Congress originally intended the statute to apply to alleged faithless employees.