September 13, 2012
Previously published on September 10, 2012
On July 26, 2012, the Fourth Circuit Court of Appeals weighed in on the debate about the meaning of the phrases “exceeds authorized access” and “without authorization” as used in the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. See WEC Carolina Energy Solutions, LLC v. Miller, No. 0:10-CV-02775, CMC (4th Cir. July 26, 2012). Joining the Ninth and Second Circuits in narrowly construing the statute, the Fourth Circuit held that the CFAA cannot be used to impose liability on an employee who is given lawful access to company information but later misuses that information in violation of the employer’s computer use policies. Judge Floyd delivered the opinion of the Court, which ruled that the CFAA may be used to impose civil liability on employees who either are not permitted to access certain information but do so anyway, or go “beyond the bounds” of their authorized access. The Court expressly found, however, that the CFAA’s prohibitions do not impose liability on an employee who has permission to access electronic information but then “improper[ly] use[s]” that information (for example, to develop a competing business).