The federal Computer Fraud and Abuse Act (CFAA) was primarily intended to deter and punish database hacking by third parties. Employers involved in disputes with former employees have attempted to use CFAA in response to situations where the departing employee downloads confidential information for his or her own use or for that of a competitor. The results of these efforts have been mixed, with federal courts generally refusing to apply CFAA to employees who had access to their employers’ computer systems at the time they downloaded the information in question. However, in a recent unpublished decision, the Fourth Circuit Court of Appeals (which includes North Carolina and South Carolina) upheld a federal criminal conviction of a former employee who accessed his employer’s database after leaving employment.

In U.S. v. Steele, the defendant resigned his employment with a federal contractor and went to work for a direct competitor. For nine months after his departure, the defendant continued to access his former employer’s database to obtain contract bidding information and related documents. The former employer had neglected to change passwords the defendant used to access its computer system after his resignation. A jury convicted the defendant of criminal violation of CFAA, and the court sentenced him to four years in federal prison and $400,000 in fines and penalties.

On appeal, the defendant contended that his actions did not violate CFAA because that law only prohibits unauthorized access to computer systems. He noted prior Fourth Circuit cases where the court refused to apply CFAA to employees who used their legitimate access to the systems to download sensitive company information. He claimed that because his former employer had failed to change the passwords used during his employment, he still had authorized access to the database in question.

The Fourth Circuit rejected this claim, affirming the conviction and sentence. The court noted the major distinction between this and the other CFAA cases: At the time that the defendant accessed the system, he was no longer an employee. Separation from employment alone removes the assumption of authorization that applies during the employment relationship. Despite his former employer’s failure to change passwords, it had taken other steps to revoke his access to company information, including collecting his company-issued laptop, and denying him physical access to the office.

These steps, along with termination from employment resulted in the subsequent access to the system being without authorization. Obviously, employers should take reasonable security measures to prevent former employees from accessing their electronic communications systems, including changing passwords. In situations where separated employees present special concerns over sensitive company information, separation agreements should include specific promises by the employee not to attempt to access these systems after separation from employment. However, in those rare cases where a former employee tries to obtain information after employment ends, CFA provides a powerful federal criminal tool for addressing such misconduct.