The Computer Fraud and Abuse Act (CFAA), enacted in 1986 at the dawn of the personal computer revolution, has become a key tool for both prosecutors and civil litigators in pursuing breaches of employers’ computer systems. The CFAA can provide protection to employers who have had intellectual property taken by current or former employees for purposes other than that for which the employee is authorized to use the IP. Although the CFAA is subject to multiple interpretations from different judicial circuits, employers can properly use the Act to enhance their Intellectual Property protection if they are mindful of what constitutes a violation of the act.
The CFAA provides a federal cause of action for plaintiffs who have suffered “damage or loss” as a result of a series of violations that are laid out in the Act. The most common of these violations is 18 U.S.C. § 1030(a)(2), imposing civil liability for anyone who “intentionally accesses a computer without authorization or exceeds authorized accesses and thereby obtains . . . information from any protected computer.” The terms “without authorization” and “exceeds authorized access” have been subject to much judicial interpretation.
Courts have split as to the meaning of “without authorization.” Wisconsin is governed by the broad construction of this split, which is embraced by the First, Fifth, Seventh, and Eleventh circuits. Under this broad construction, any employee use of a computer that is beyond what is authorized terminates the employee’s authorization. Subsequent use of the computer is done “without authorization,” even if the subsequent use was originally within the scope of permissible use of the computer.
By contrast, the Second, Fourth, and Ninth circuits have taken a much more narrow approach to the phrase “without authorization.” Under this narrow interpretation, “without authorization” applies only to those who access a computer and have no authorization to access the computer for any purpose, such as hackers. Employees that are authorized to use a computer and subsequently violate the terms of use are not encompassed by this narrow approach. This interpretation is consistent with the legislative history of the CFAA, which indicates that Congress intended “without authorization” to apply to those who had no authorization whatsoever to access the computer. Courts embracing the narrow interpretation of “without authorization” have warned of the wide-ranging scope of activities that the broad interpretation encompasses. Under the broad interpretation of the CFAA, harmless activities done by employees while at work, such as checking news sites, streaming music, or watching YouTube videos, in violation of an employer’s terms of use, would become federal crimes.
The CFAA can provide protection to employers by providing a federal claim against employees in certain situations. Because of the CFAA’s focus on what an employee is authorized to access on a work computer, employment agreements should explicitly state that the employee’s computer use is limited to the scope of his or her employment. The employment agreement should give specific examples of impermissible computer use, such as using company client data for the employee’s own personal benefit. In the “broad interpretation” circuits, employees who have access to the employer’s computers and use information acquired from those computers for purposes beyond the scope of the employer’s terms of use may be found to be in violation of the CFAA. Finally, employers should inform departing employees that any access to company computers following their departure will be considered access without authorization and, therefore, a violation of the CFAA.
Employers who are aware of the nature of the CFAA may avail themselves of its protection with the proper procedures. Such protection is invaluable in an era of growing importance for computer system security.
If you would like to learn more about how to tailor your employment policies and handbooks to better avail yourselves with the protection of the CFAA, contact Tori Kluess, Kurt Goehre or another member of the Intellectual Property Team and/or Employment Team at the Law Firm of Conway, Olejniczak & Jerry, S.C.