Does an employee act “without authorization” or “exceed authorized access” under the Computer Fraud and Abuse Act, 18 USC § 1030, by accessing computers with a username and password provided by an employer, albeit in a manner against the employer's policies and/or interests? The Fourth Circuit has joined other courts taking a narrow view of the CFAA, holding that the statute does not give rise to a cause of action in such circumstances. WEC Carolina Energy Solutions, Inc. v. Miller, 687 F.3d 199 (4th Cir. July 26, 2012).
Mike Miller, before resigning his employment from the plaintiff, WEC, allegedly obtained proprietary information that he subsequently used to successfully win business on behalf of Arc Energy Solutions, WEC's competitor. Miller and his assistant, Kelly, allegedly downloaded documents and emailed them to personal email addresses. The downloading was accomplished via user accounts that WEC had provided to Miller and Kelly. The District Court held that this conduct could not be the basis for a CFAA claim.
As the Fourth Circuit noted, and as a review of CFAA cases discussed on this blog amply illustrates, the circuits (and the district courts) have been split on the issue of whether an employee using an employer-provided account acts “without authorization” or “exceeds authorized access” under the CFAA by violating the employer's policies or interests even if the employee is using an account to which the employer has provided access.
The court noted the existence of two schools of thought. The first “holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.” The second school of thought “interprets 'without authorization' and 'exceeds authorized access' literally and narrowly, limiting the terms' application to situations where an individual accesses a computer or information on a computer without permission.”
Here, following what it felt was the plain meaning of the statute, the court joined the second school of thought, holding that access “without authorization” meant that the employee had gained access to a computer without employer approval. Likewise, “an employee 'exceeds authorized access' when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.” The court thought it notable that “neither of these definitions extends to the improper use of information validly accessed.” (Emphasis in original.)
In upholding the District Court, the Fourth Circuit explicitly rejected “any interpretation that grounds CFAA liability on a cessation-of-agency theory.” Such a theory, the court noted, could implicate employees who violated policies forbidding access to Facebook pages and the like. Surely the criminal liability of the CFAA was not intended to extend to such conduct. In sum, “although Miller and Kelly may have misappropriated information, they did not access a computer without authorization or exceed their authorized access.” Therefore, under the view adopted by the Fourth Circuit, Miller and Kelly did not violate the CFAA.