When Congress enacted the Computer Fraud and Abuse Act in 1986, a number of us believed that employers had a powerful tool to deal with employees improperly removing key company information from electronic data storage systems for the employee's benefit. The statute, which has both civil and criminal components, makes a person liable for damages if they intentionally access a computer without authorization, or exceed authorized access to a computer, to obtain information from any protected computer; accesses a protected computer without authorization or exceed authorized access to commit fraud; or intentionally access a protected computer without authorization and recklessly cause damage or loss to the computer's owner.
CFAA cases typically arise in one of two circumstances: someone outside the company hacks into the company's servers or databases and either maliciously damages the system, or removes confidential information for use elsewhere, or an employee who has routine access to the system takes information from it to use for the benefit of a competitor, or for the employee's own use, to the detriment of his employer. While the courts have had no trouble finding that the CFAA applies to the first scenario, the courts are split on whether the statute applies to the second.
A recent decision by the Fourth Circuit provides useful guidance on the application of the CFAA to situation where an employee, who is authorized access to employer's computer system, removes proprietary information from it, shortly before he leaves the company to join a competing business. In this case, a project director for a company providing specialized welding and related services to the power generation industry was accused of systematically removing confidential and trade secret information from his employer's network by sending it via his work computer to his personal e-mail address.
Note to potential data thieves everywhere-in my experience, it is virtually impossible for the average employee to remove information from a company server in electronic form without detection. And every one of my clients performs an immediate review of all the activity on a manager's information technology account, following an abrupt and unanticipated departure.
There are two schools of thought with respect to CFAA application to this kind of situation. The first school, which is in session here in the Seventh Circuit, is that an employee who removes information from an employer's computer system, in breach of his fiduciary duty to the employer (as in our example case), cannot say that she is authorized to do so, and is therefore in violation of the statute. I like this approach, because it's logical and makes common sense. After all, no employer would say that an employee who steals its trade secrets is doing so in an authorized manner. The second school of thought takes a more literal reading of the statute, noting that an employee who can access the computer system as part of his job is "authorized", regardless of the purpose for which he does so. This more limited reading of the statute, which was articulated by the Ninth Circuit, is the one that was ultimately adopted by the Fourth Circuit in this case.
A key part of the Fourth Circuit's ruling is that the CFAA is a criminal statute, as well as a civil one. Criminal statutes are usually read very narrowly, in order to provide as much notice to the public as to what conduct is actually prohibited. The court noted that a broad reading of what is "authorized" access would theoretically criminalize conduct by any employee that was not specifically okayed by an employer. Visits to Facebook, shopping sites, personal banking sites, etc., would become criminal violations because they were not specifically authorized by an employer's policy. The court also noted that it was not necessary to find an expansive scope for the CFAA because there were numerous other state law causes of action, e.g., theft of trade secrets, breach of fiduciary duty, etc., that would encompass and protect the employer's data in this type of situation.
In short, the CFAA is not a cure-all for employee data theft. My personal opinion is that the Fourth Circuit's read on this is likely to be more persuasive with the federal district courts that confront the situation. Accordingly, companies should look to more traditional means of protecting their data under trade secret, fiduciary duty, confidentiality, and other doctrines.