Under what circumstances can an employee, having accessed a computer via means provided by an employer, be civilly liable to the employer under the Computer Fraud and Abuse Act for “unauthorized access” of the computer? Courts are split on this question, as well as the standard for when an employee “exceeds authorized access” under the CFAA. As two recent cases demonstrate, depending on the facts, and depending on the jurisdiction, an employer may have a cause of action under the CFAA when a rogue employee abuses the employer's computer systems.
Section (a)(2)(C) of the CFAA imposes liability on anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer." Section (a)(6) of the CFAA defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
In Walsh Bishop Assoc., Inc. v. O'Brien, 2012 U.S. Dist. LEXIS 25219, Civil No. 11-2673 (D. Minn. Feb 28, 2012), the issue was whether the defendants had violated Section (a)(2)(C) of the CFAA. While still employed by the plaintiff, the defendants took the plaintiff's information from computers that the plaintiff had provided to them, and that they were permitted to access. The plaintiff argued “that a person exceeds authorized access by accessing information in order to use it in a manner contrary to an employer's interests and use policies.” The defendants responded that their access “did not violate the CFAA because” the plaintiff had “authorized their computer access 'at the highest levels.'” The Court, after noting a split of authority even within its own district, agreed with the defendants, saying that the plaintiff would have rewritten the statute, and that "subsection(a)(2) is not based on use of information; it concerns access."
Section (a)(5)(C) of the CFAA imposes liability on anyone who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss." (In an earlier post I discussed the split of authority concerning how “loss” is to be defined.)
In SBM Site Services, LLC v. Garrett, 2012 U.S. Dist. LEXIS 24130, No. 10-cv-00385 (D. Colo. Feb 27, 2012), the Court considered a motion to dismiss a CFAA claim brought under Section(a)(5). The individual defendant had had possession of a company-issued laptop both before, and for three weeks after, he left the plaintiff's employ. The Court noted that some courts had tied the question of whether access was “unauthorized” to whether the employee had an agency relationship with the employer, while other courts took “a more narrow view,” adopted by the Ninth Circuit, holding that an employer had to have “specifically rescinded the employee's access to the computer.” In this case, the plaintiff survived a motion to dismiss under either standard, because the defendant had had access to the computer after his employment ended, i.e., after the employer had rescinded access. Nonetheless, SBM provides a good primer on the different views courts in various jurisdictions take on when “access” is “unauthorized” and thus when a civil claim under the CFAA may be a good tool for aggrieved employers.