• Court Decisions Could Remove Ambiguity About Unauthorized Employee Computer Access
  • February 9, 2012 | Author: Pierre Grosdidier
  • Law Firm: Haynes and Boone, LLP - Houston Office
  • In just a few years, the Federal Computer Fraud and Abuse Act of 1984 (the “CFAA,” 18 U.S.C. § 1030) - a sweeping statute that criminalizes the unauthorized access of protected computers - has evolved into a broad and powerful weapon in computer-related criminal and civil litigation. Originally enacted to target hackers, the statute now reaches almost any imaginable malfeasance that involves a computer.

    Two recurring categories of cases arise in an employment context. First, those where disgruntled employees delete files or “wipe” hard drives in spite before they take the door. Second, cases where employees leave with copies of their employers’ proprietary information, such as client databases or electronically-stored trade secrets, with the intent of starting or joining a competing business.

    The statute does not define what constitutes unauthorized access. Courts have split over this issue, adopting conflicting broad and narrow constructions of the term. The issue is important to employers that are the unwitting victims of their own employees’ computer abuse. Employers who want to sue these employees in federal court under the CFAA can be stymied by the statute’s ambiguity. The Ninth Circuit issued two decisions that bear on the meaning of unauthorized access (LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), and U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011)). Nosal included a strong dissent, however, and the court decided to rehear the case en banc on October 27, 2011. The Court’s final ruling is likely to flesh out all the arguments that courts have articulated on this issue. Nosal is an important case to watch for employers mindful of insider computer fraud or abuse, especially as more companies move to cloud computing where security issues are both numerous and complex.