In a recent decision that the court acknowledged would disappoint employers hoping to rein in rogue employees, the Fourth Circuit refused to apply the federal Computer Fraud and Abuse Act (“CFAA”) to workers who access computers or information in bad faith, or who disregard a technology use policy. That decision is WEC Carolina Energy Solutions, LLC v. Miller.
The CFAA is primarily a criminal statute designed to combat computer hackers. However, the statute also provides a civil remedy to a private party, such as an employer, who suffers damage or loss by reason of a violation of the statute. Employers have increasingly been relying on the statute to seek damages from former employees who accessed a computer without authorization or exceeded their authorized access. Typically, the central issue in such cases is whether the former employee was permitted to access the computer data when it was retrieved.
In the Miller decision, the employee allegedly downloaded information from the employer’s computer system while working there, then resigned and used that information to obtain a potential client for a competitor. While some courts have held that such conduct violates the CFAA because it violates the employee’s duty of loyalty, thereby terminating her agency relationship and automatically stripping her of any authority to access the computer, other courts have adopted a narrower approach. These courts have limited their interpretation of the CFAA, which prohibits computer access that is “without authorization” or “exceeds authorized authority.” They have held that the CFAA only applies to situations where an individual accesses a computer or computer data without actual permission. In affirming dismissal of the CFAA claim against the employee, the Fourth Circuit adopted this latter approach.
Noting that the CFAA does not define “authorization,” the court held that the ordinary meaning of “authorization” means “approved” or “sanctioned by,” and that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of approved access. Thus, because the employee had authorization when she allegedly downloaded the computer data of her employer, she did not violate the CFAA, even if she kept that data and later used it for competitive purposes.
The court noted the problems that would logically follow if it were to interpret “authorization” more broadly. For instance, if “authorization” were broadly construed, an employee might be liable under the CFAA if the employee disregards his employer’s policy against downloading information so that he can work from home in order to meet deadlines set by his employer. Furthermore, the court rejected the cessation-of-agency theory adopted by some courts, noting that if the rule were taken seriously, it “would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.”
Because of the split between the federal circuit courts on breadth of this increasingly important statute, this issue may ultimately have to be addressed by the Supreme Court. Until then, employers in Virginia now face more difficulties in suing former employees under the CFAA.