We’ve written previously about the Computer Fraud and Abuse Act (CFAA) being limited by judicial interpretation, especially for employers as civil plaintiffs, and offered tips on alternatives to controlling unauthorized access to or use of enterprise IT systems by employees. Reports Of The Computer Fraud and Abuse Act’s Demise Have Been Greatly Exaggerated | Information Intersection. The terrain is getting even murkier.
The Court of Appeals for the Ninth Circuit last April in Nosal gave the statute a limited construction, holding that the “exceeds authorized access” offense is “limited to violations of restrictions on access to information, and not restrictions on its use.” That may make sense from the perspective of a law dating to 1984 and initially designed to criminalize physical damage to computing systems, but not from the perspective of how courts transition precedent from one technical era into another. The CFAA is not that old. Yet already we are confronted with an increasing conflict as to its basic scope when applied to civil remedies for insiders who exceed their authority and injure corporate good will or IP. Indeed, cybersecurity experts often warn that the greatest threats to business IT systems and the information they store arise not from hackers, but dishonest or disaffected employees, even “well-meaning insiders.”
Last week the Fourth Circuit added more fuel to the CFAA fire in WEC Carolina Energy Solutions LLC v. Miller, extending Nosal to civil claims and concluding that the law does not codify violations of corporate information technology policies. The employer’s IT policy (as this blog recommended) prohibited employees from using company information without authorization and from downloading information to their personal computers. So was use of information in violation of that policy, but obtained from a computer an employee is otherwise authorized to access, “without authorization” or “exceed[ing] authorized access”?
The WEC Carolina court said no. Unauthorized access applies to an employee who has “approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access…. Notably, neither of these definitions extends to the improper use of information validly accessed.” They do not cover information misuse alone, the court reasoned, because as a criminal statute the CFAA must be construed in accordance with the plain meaning of its language so defendants have fair warning about punishable conduct. The Fourth Circuit also rejected the “cessation-of-agency” theory espoused by the Seventh Circuit. Under this theory, if as an employee you use a corporate computer network in breach of your company’s policy, you have violated your fiduciary duty and therefore any right of access is terminated by operation of law, making ongoing use of the network a violation of the CFAA. The Fourth Circuit held that this approach would improperly suck in “millions of ordinary citizens” who innocently check Facebook or sporting event scores while at work.
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy. Providing such recourse not only is unnecessary, given that other legal remedies exist for these grievances, but also is violative of the Supreme Court’s counsel to construe criminal statutes strictly.
The ambiguities inherent in the often-amended CFAA are growing as aggressive litigants vie for competing interpretations. They expose the often-secret reality that the statute was not structured for an era when most employees have company-issued computing devices and are permitted remote BYOD access to corporate IT systems. The argument that the CFAA regulates the workplace today because everyone uses what the statute classifiues as “protected computers” (used in interstate commerce, i.e., with an Internet connection) is on its last legs. We do suspect that the wide gulf among the federal appellate courts may inspire the Supreme Court to take up a CFAA case next term, which begins in October 2012, but even if review is accepted a decision would likely not be handed down until 2013 or even 2014. Employers obviously cannot wait that long and, given political paralysis on cubersecurity in the Senate, a legislative clarification seems extremely unlikely.
The lesson: employers should keep tabs on the CFAA, but put more of their IT and IP protection ”eggs” into confidentiality agreements, NDAs and other “baskets” that do not raise the linguistic disputes and uncertainty plaguing civil CFAA litigation today.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.
Leave a Reply