The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 to provide criminal and civil remedies against hackers. In more recent years, employers have attempted to use the CFAA to impose both civil and criminal penalties against employees who allegedly misappropriate their employer's electronic information. Last week, the Fourth Circuit Court of Appeals (which includes North Carolina and South Carolina) said that the CFAA does not apply to ordinary employee misappropriation of confidential business information.
In WEC Carolina Energy Solutions v. Miller, the employer sued a former employee who, twenty days after quitting, solicited away the business of one of its customers. Among other claims, the employer alleged that the defendant violated the CFAA by downloading confidential WEC documents and forwarding them to a personal email address. WEC alleges that these documents were used in the client presentation several weeks later.
The employer based its CFAA claim on the defendant's alleged unauthorized downloading in violation of its electronic communications policy. The CFAA prohibits unauthorized access, or access beyond authorized levels, to computer records and information. The Fourth Circuit affirmed dismissal of the CFAA claim on the grounds that the defendant's alleged conduct was not unauthorized.
The court rejected the Seventh Circuit's reasoning that any access made with the intent of using the information against the employer's interests is unauthorized. Instead, the Fourth Circuit followed the Ninth Circuit in concluding that the CFAA should be narrowly read to limit the meaning of unauthorized access to something akin to hacking, meaning steps taken to evade restrictions on access to certain information. The court was influenced by the fact that WEC's reading of the statute would have made the defendant's alleged actions federal crimes. The CFAA does not prohibit unauthorized use of information obtained by the defendant using his own password and access rights.
Of course, the employer in this case can pursue state law statutory and tort claims, such as trade secrets protection acts and breach of duty of loyalty. However, removal of the threat of a CFAA claim eliminates federal court jurisdiction, and also removes the possibility of federal criminal prosecution absent evidence that the employee took steps to access information that was restricted from him during his employment. Employers should consider reviewing their electronic communications policies to determine whether certain sensitive company information should be blocked from employee access absent specific authorization. Without such IT-based restrictions on access, misuse of such information will not form the basis of a CFAA claim.