Yet another federal appeals court has attempted to parse the Computer Fraud and Abuse Act’s (“CFAA”) ambiguous statutory language. The issue, on which the federal courts cannot agree, is whether an employee who has authorized access to a computer, but uses that access for an illegal purpose — typically to take confidential information in anticipation of resigning to start a competing company or join one — violates the CFAA.
The controversy is focused on the words “without authorization” and “exceeds authorized access” in the law:
[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … shall be punished. 18 U.S.C. § 1030(a)(4).
Late last year, in a widely noted decision, the 9th Circuit adopted the “narrow” view of the CFAA, holding the law does not extend to an employee who has authorized access but uses that access to make unauthorized use. U.S. v. Nosal (en banc).
In late July the Fourth Circuit issued a decision in WEC Carolina Energy Solutions v. Miller, agreeing with Nosal and holding that conduct by an employee that violates the employer’s “use policy” (typically contained in an employee manual, handbook or “computer use policy”) does not give rise to a violation of the CFAA. As Fourth Circuit stated, “we reject an interpretation of the CFAA that imposes liability on employees who violate a use policy, choosing instead to limit such liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access.”
Under the Fourth Circuit’s interpretation of the statute, (1) without authorization refers to a situation where someone is not authorized to access a computer and accesses it, and (2) exceeds authorized access applies when someone has “approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”
Under the “broad” view of the CFAA, which has been rejected by the Ninth and Fourth Circuits, employees who have authorized access to a computer, but who exceed the scope of that access, are subject to liability under the statute. The First Circuit, where I practice, has adopted this view of the law. EF Cultural Travel v. Explorica (2001).
There is now a clear circuit conflict over the interpretation of this law. The Ninth and Fourth Circuits read it narrowly, and several other circuits (including the First), apply it broadly. Often, a circuit split over the meaning of a federal statute provides a basis for the Supreme Court to grant review and break the tie. The betting is that this will occur here.
Why does any of this matter? Because in a civil case it enables a plaintiff to get a case that typically rests on state claims, such as conversion, misappropriation of trade secrets or breach of fiduciary duty, into federal court, a venue often preferred by plaintiffs.
Update: The government will not appeal the 9th Circuit decision in the Nosal case. Link to Motion for Issuance of Mandate here.