Hospital employees did not “exceed authorized access” under the Computer Fraud and Abuse Act (CFAA), 18 USC § 1030, when they violated the hospital’s computer usage policy by attaching removable storage devices to computers that they were otherwise authorized to access. Wentworth-Douglass Hospital v. Young & Novis Professional Ass’n., No. 10-cv-120-SM (D. N.H. June 29, 2012).
The plaintiff hospital brought its claim under the CFAA, 18 USC § 1030(a)(2)(C), because the defendants allegedly “without the prior authorization and approval of the [hospital’s] Information Systems Department and in violation of the [hospital’s use policy], . . . connected removable storage devices or external hardware to hospital computers and obtained or altered information from [hospital] computers . . . that they were not entitled to obtain or alter.” The defendants argued that they should not be liable for “exceeding authorized access” in light of the recent Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). The Nosal court held “that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.”
The court here agreed that the narrow view of “exceeds authorized access” under the CFAA was the better interpretation. Where an employee has merely accessed the computer he or she was authorized to access, the CFAA is not violated. In this case, “the hospital’s policy prohibiting employees from accessing company data for the purpose of copying it to an external storage device is not an ‘access’ restriction; it is a limitation on the use to which an employee may put data that he or she is otherwise authorized to access.”
Further, the court noted that the CFAA was a criminal statute. The court agreed with the Nosal court that employees who violated an employer’s use restrictions should be subject to being fired, but that that was different than being subject to criminal liability.
Moreover, another defendant’s alleged conduct did fall within the ambit of the CFAA. That defendant had allegedly accessed computer servers to which his password did not allow him access; “he allegedly used his wife’s password to gain unauthorized access.”