Commentary on the Status of the Computer Fraud and Abuse Act

Feb 18, 2013

U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains

In 1st Circuit, ‘ball in employer’s court’

By Correy E. Stephenson

The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.Employers frequently add a CFAA claim to suits against former employees that take confidential information from company computer systems.

But federal courts across the country have split on just how broadly the act should be interpreted.

The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The 1st U.S. Circuit Court of Appeals has granted employers the right to sue under the act when employees have authorized access but use it for non-job-related purposes, while others, such as the 9th Circuit, have narrowly interpreted the law to require an actual hacking of the computer system.

Raising the hopes of employment lawyers nationwide, a 4th Circuit case sought certiorari before the Supreme Court, hoping to end the circuit split.

But in January, the justices denied review, leaving employment lawyers with continuing uncertainty.


“This is a big deal for employment lawyers,” said Brian P. Bialas of Foley Hoag in Boston.

Until the Supreme Court agrees to decide the issue, Bialas added, “the ball is definitely in the employer’s court in the 1st Circuit.”

Circuit split widens

For multiple reasons, the CFAA is a valuable tool for attorneys representing employers. In addition to establishing federal jurisdiction, the CFAA lets victorious plaintiffs recover damages such as the cost of hiring a computer forensic firm to investigate the employee’s activities, Bialas said.

And the act provides for injunctive relief, which can allow employers to stop a former worker from taking information to a new employer or using it for his own benefit.

The law comes into play when an employee leaves a job or is terminated and attempts to take information with him.

While an employee typically is authorized to access company documents on an internal document management system, “if she does so not in the course of her employment but rather for the purpose of viewing information that might be helpful for her next employer or some other improper purpose, then [the CFAA] can be triggered,” said John R. Bauer, a partner at Robinson & Cole in Boston.

For example, Bauer said, an employer would consider financial information, a formula or a client list confidential.

“Even though the person has literal authorized access to the documents, the access is used not for the purpose of fulfilling job responsibilities,” he said, adding that an alleged breach of the company’s computer use policy can — in some jurisdictions — provide the basis for a CFAA claim.

In the 1st Circuit, an employer has been allowed to bring suit against a former employee for accessing data in violation of a confidentiality agreement. The decision in EF Cultural Travel BV v. Explorica stands with similar decisions from the 5th, 8th and 11th circuits, where courts have also allowed employers to allege violations of the CFAA when the employee breached a confidentiality or computer use agreement.

A case from the 9th Circuit stands in stark contrast.

In an en banc decision issued last year, a criminal action against an employee who had authorization to access his employer’s database but used his log-in credentials to download source lists, names and contact information to start his own business was dismissed.

Even though the employee in U.S. v. Nosal violated a company policy that prohibited the disclosure of confidential information, the panel held that the statute did not apply. The CFAA requires unauthorized access to computer data or computer hacking, the 9th Circuit said.

Last July, the 4th Circuit agreed, holding in WEC Carolina Energy Solutions LLC v. Miller that the CFAA does not impose liability on authorized workers who breach computer user policies.

Noting the widening circuit split, the company petitioned the high court for review, which was declined by the justices in January.

Employers: Establish a policy

The Supreme Court’s denial of cert leaves attorneys representing employers in Massachusetts standing on solid ground.

To protect a company, make sure to have a data or computer use policy in place, Bialas advised, and “include a provision about confidentiality to use as a basis for a CFAA claim.”

However, the jurisdictional split “creates a problem for employers who have employees in multiple states,” Bauer said.

The employer “might be able to bring an action against an employee in one state but can’t take action against an employee in another state for doing the exact same thing,” he said.

For now, employees — and their new employers — face potential lawsuits with the existing 1st Circuit CFAA caselaw.

But attorneys agreed that the circuit split will be resolved, whether by the Supreme Court or via an update to the legislation.

The CFAA has received the attention of federal lawmakers recently after the suicide of Aaron Swartz, a computer prodigy who had been criminally charged under the law. With the statute under consideration, a tweak to clarify the breadth of its application in civil employment suits is possible, Bialas noted.

If not, “the Supreme Court would certainly be the easiest way for a lot of people to get some clarity,” he added hopefully.

Leave a Reply

Your email address will not be published. Required fields are marked *