In 1986, Congress passed the Computer Fraud and Abuse Act, or CFAA, which established criminal liabilities for unauthorized access to information stored on a protected computer. Since that time, the CFAA has been amended to keep up with new privacy concerns and, in some cases, civil liability has been attached. The typical CFAA claim is asserted by a party against an unrelated entity accused of stealing computer files for personal gain. However, in cases where a company is seeking to prosecute one of its own employees for accessing protected files, the meaning of the phrase “without authorization,” an element of any CFAA claim, is hotly contested.
In a December 27, 2010, decision by the Eleventh Circuit, the court upheld the conviction of an employee for accessing certain social security information for improper purposes, even though the employee was authorized to access that social security information. The court said that policies defining both the types of information that an employee may access along with the purpose for which the employee may use that information are both relevant under the CFAA “without authorization” inquiry. In contrast, the Ninth Circuit ruled in 2009 that an employee who was given access to files, without such access being accompanied by a specific “permitted use” requirement, could not be considered in violation of the CFAA regardless of the use of the information—even if the use was clearly non-business-related.
The decisions by these two and other Circuit courts are indicative of a split in authority when interpreting “without authorization.” However, the lessons for businesses should not be subject to debate. Businesses need to implement thoroughly considered and well-crafted Acceptable Use Policies addressing, among other things, the specific types of information that employees may access along with descriptions of how such information may be used by those employees. It is best practice to review and amend these documents on an annual basis, as changes to company structure or employee access frequently change.
About the author
Andrew Martin:
As an associate attorney with extensive prior experience advising information technology start-ups, Andrew’s practice focuses on finding solutions for his clients’ intellectual property issues. Due to his extensive experience in the software and technology industries, Andrew understands both the practical and legal issues involved in IP licensing agreements and disputes. In addition to licensing, Andrew helps his clients find new ways to use existing technologies to assist his clients in areas such as data privacy compliance. Andrew uses his diverse background which includes founding a record label and working for a world-wide concert promoter when counseling the firm’s entertainment clients.
Get in touch: amartin@scottandscottllp.com | 800.596.6176