The Computer Fraud and Abuse Act (sometimes referred to as the “CFAA”), 18 U.S.C. § 1030, is a federal law that prohibits access a computer and obtaining information without authorization or by exceeding authorized access. The statute (at section 1030(a)(2)(C)) states that whoever “intentionally accesses a computer without authorization or exceeds authorization and thereby obtains … information from any protected computer[,] if the conduct involved an interstate or foreign communication … shall be punished.” Although the CFAA is mainly a criminal statute, it also has a civil remedies applicable to business and employment litigation. The statute (at 18 U.S.C. § 1030(g)) states that “any person who suffers damage or loss [as a result of a violation] … may maintain a civil action … for compensatory damages and injunctive relief or equitable relief.” Peter Mavrick is a Fort Lauderdale business litigation attorney, and represents clients in business litigation in Miami, Boca Raton, and Palm Beach. The Mavrick Law Firm represents businesses and their owners in breach of contract litigation and related claims of fraud, non-compete agreement litigation, trade secret litigation, trademark infringement litigation, employment law, and other legal disputes in federal and state courts and in arbitration.
A great deal of court litigation has been fought over whether the CFAA applies to situations where an employee was fully authorized to access and obtain certain information over a computer network, and then uses that network access for an illicit purpose such as for a competitor’s benefit. Employers have argued that its employees are authorized to use their work computers only conducting company business, not for the benefit of a competitive business venture. A problem with the CFAA is that the statute does not define the ambiguous wording “without authorization.” Federal courts have a split in authority concerning whether an employee with an improper purpose may be held civilly liable under the CFAA for acquiring computer information that is otherwise permitted to the employee in the course of his employment.
One line of authority has relied on the Restatement (Second) of Agency § 112, which explains that “[t]he authority of an agent terminates if, without knowledge of the principal, he acquires [an] adverse interest or if he is otherwise guilty of a serious breach of loyalty to the principal.” Courts following this line of authority have concluded there is a CFAA violation when an employee misuses his authority to access information on the employer’s computer network to to benefit someone other than the employer. For example, in Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), the United States Court of Appeals For The Seventh Circuit held that “Citrin violated [the CFAA because] his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.” Similarly, in a trade secret misappropriation lawsuit, the federal district court in Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000), concluded the employer properly stated a claim under the CFAA against an employee who had “full access” to the employer’s computers, but who used that access to misappropriate trade secrets to benefit a competitor.
A second line of authority, however, has opted for a less expansive interpretation of the statutory wording “without authorization.” These courts have held that “without authorization” generally means only misconduct by “outsiders” of the business who never had authority to access the business’ computer in the first place. The United States District Court for the Southern District of Florida, in the case In re America Online, Inc., 168 F.Supp.2d 1359 (S.D. Fla. 2001), concluded that the statutory wording “without authorization” “contemplate[s] a situation where an outsider, or someone without authorization, accesses a computer.” Likewise, Int’l Ass’n of Machinists & Aero. Workers v. Werner-Matsuda, 390 FSupp.2d 479 (D.Md. 2005), explained that, “[t]hus, to the extent that Werner-Masuda may have breached the Registration Agreement by using the information obtained for purposes contrary to the policies established by the IAM Constitution, it does not follow, as a matter of law, that she was not authorized to access the information, or that she did so in excess of her authorization in violation of the … CFAA.”
Peter Mavrick is a Fort Lauderdale business litigation lawyer. The Mavrick Law Firm represents clients in Miami, Boca Raton, and Palm Beach. This article does not serve as a substitute for legal advice tailored to a particular situation.