Watch Now


Authorized employee access to company information may prevent lawsuit for stealing that information under Computer Fraud and Abuse Act

It is not an unusual event for an employee to leave their employment to pursue new opportunities. Unfortunately, sometimes these departing employees choose to use their experience against their former employer by working for that employer’s competitor. If that employee is not subject to an enforceable non-competition agreement, there is little that the former employer can do in response. This is simply the nature of the market. Occasionally, however, these former employees choose to abscond with their former employer’s business documents so that they can have an added advantage in their new competitive position. If these documents are removed from the employer’s computers or other electronic systems, employers will often bring suit and allege violations of the federal Computer Fraud and Abuse Act (“CFAA”). This Act, originally designed to punish criminal hacking, has caused a wide split amongst courts across the country regarding its potential application to civil matters.

Background

The Sixth Circuit Court of Appeals (which oversees Tennessee, Kentucky, Ohio, and Michigan) recently addressed a situation similar to the one discussed above. Here, two employees of the employer abruptly resigned. Prior to their resignation, these employees accessed confidential company information from their company-issued computers and cell phones and then used this information in violation of company policy and to the benefit of their new employer – a direct competitor of the employer. As a result, the former employer brought suit against the employees alleging violations of the federal Computer Fraud and Abuse Act.

Court Decision

As noted by the Court of Appeals, the relevant provision of the Computer Fraud and Abuse Act instructs that one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer … shall be punished.” Although a violation of this Act can be met with criminal punishment, the Act also creates a private right of action if certain conditions are established. Specifically, in order to succeed in a civil action, the plaintiff must prove that: (1) the defendant intentionally accessed a computer; (2) the access was unauthorized or exceeded the defendant’s authorized access; (3) through this access, the defendant obtained information from a protected computer; and (4) the conduct caused loss to one or more persons during any one-year period aggregating at least $5,000.00 in value.

Here, the court found that the first, third and fourth elements described above were present and undisputed. The former employees intentionally accessed a computer, obtained information through that access, and caused at least $5,000.00 in loss to the employer as a result. Therefore, the only disputed item before the court was whether the employees “exceeded their authorized access” by misusing the accessed information in violation of company policy.


The definition section of the Computer Fraud and Abuse Act defines “exceeds authorized access” as “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” The court had previously defined the term “without authorization” as “without sanction or permission.” Based on this definition, the court found that the Computer Fraud and Abuse Act’s aim was to penalize those who breach cyber barriers without permission, rather than to punish those who misuse the data they are authorized to obtain.

In the current instance, the former employees did not access any part of the employer’s computer system in which they were not already permitted access. As such, because the employees had authorization to access the information they removed, their conduct did not “exceed” their “authorized access” as those terms were used in the Computer Fraud and Abuse Act. Therefore, the Court of Appeals affirmed the judgment of the district court dismissing the employer’s complaint.

Takeaway

This issue continues to be prevalent within many companies and employers. The Sixth Circuit’s decision in this matter joins several other circuits in narrowly interpreting the Computer Fraud and Abuse Act. As noted by the court in their decision, however, this very issue is currently pending before the United States Supreme Court and a decision should come soon to provide further clarification. Until then, employers in the Sixth Circuit should be careful to allege violations of the Computer Fraud and Abuse Act against former employees who had unfettered access to the employer’s computer systems and information. The burden is on the employer/company to prove that the employee acted inappropriately.  Employers need to have adequate policies in place to prevent such access or violations.  Employers should review their existing policies to make sure access is limited appropriately.   

R. Eddie Wayland is a partner with the law firm of King & Ballow. You may reach Mr. Wayland at (615) 726-5430 or at rew@kingballow.com. The foregoing materials, discussion and comments have been abridged from laws, court decisions, and administrative rulings and should not be construed as legal advice on specific situations or subjects.