Employee Liability under the Computer Fraud and Abuse Act: An Explainer
Mike Miller planned to quit his job and begin working for his employer’s competitor. Before leaving, he downloaded confidential documents from his workstation. He later used those documents to benefit his new employer at the expense of his old employer. Accepting these allegations as true, did he violate a fiduciary duty? Yes. Did he breach his employment contract? Yes. But was he a hacker? The Fourth Circuit said no, but other courts would have disagreed.
Congress enacted the Computer Fraud and Abuse Act (“CFAA”) in response to the development of computer hacking, a novel form of “electronic trespassing.” The CFAA was an exclusively criminal statute until 1994, when Congress amended the Act to create a private cause of action. This amendment turned the CFAA into a powerful new tool for employers seeking civil remedies against employees who misappropriate confidential information. To state a CFAA claim, an employer must establish that its employee: (1) intentionally accessed a protected computer, (2) lacked authorization or exceeded authorized access, (3) obtained information, and (4) caused at least $5,000 in damages. Liability often turns on the court’s interpretation of the second element. In many employment-centered CFAA cases, the employer gives the employee full access to the business’s computer systems—including the information which the employee is alleged to have stolen. Both parties agree that the employee had at least some authorization to access the information, so the issue is whether the employee exceeded his authorized access by virtue of the theft.
Employers argue—and the First, Fifth, Seventh, and Eleventh Circuits have agreed—that employees exceed their authorization whenever they access information for non-business purposes. Under this view, authorization is bound up with the employee’s intended use. Many employment agreements contain explicit limitations on the use of computer systems, and such policies are often couched in the language of “authorization.” Therefore, employees are not authorized to access computer systems for any and all purposes, but rather for the limited purposes circumscribed by the employer’s policies. If the purposes for which access was granted are exceeded, authorization itself is exceeded.
On the other hand, employees argue—and the Second, Fourth, and Ninth Circuits have agreed—that the CFAA confines liability to individuals who violate restrictions on access to information, not those who violate restrictions on its use. Under this view, Congress included the word “access” to suggest a narrower scope than exceeding authorization generally. The act of exceeding authorized access implies going beyond an initial grant of limited access to retrieve additional information without permission. This construction of the statute rejects the notion that employers can authorize conditional access which turns on the subjective intent of the employee. Otherwise, employers could “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.”
Some of these courts have drawn further support from the CFAA’s dual status as both a criminal and civil statute. The Supreme Court has suggested that such statutes require consistent interpretation in both settings. Specifically, “whether we encounter [their] application in a criminal or noncriminal context, the rule of lenity applies.” The Court has “always reserved lenity for those situations in which a reasonable doubt persists about a statute’s intended scope even after resort to the language and structure, legislative history, and motivating policies of the statute.” Applying this rule to the CFAA, some courts hold that ordinary tools of legislative construction fail to establish an “unambiguously correct” interpretation, so lenity demands the reading which favors employees.
Despite these fundamental disagreements, almost all courts concede that either reading is at least plausible. As the Second Circuit recognized, “If this sharp division means anything, it is that the statute is readily susceptible to different interpretations.” If the Supreme Court were to resolve the issue, how should it address the opacity of the statutory text? One option is to read the statute within the paradigm of “electronic trespassing.” A hypothetical example from the physical world may be illustrative. A bank robber who enters a vault does so without authorization. The robber is equivalent to an outside hacker. A bank janitor, who is only authorized to access the bank’s common areas, would exceed his authorized access if he were to enter the vault. The janitor is equivalent to an inside hacker. But what about the bank teller, who is authorized to access the vault, but only for legitimate banking purposes? If the teller were to steal money from the vault, is it reasonable to call him a trespasser? The Court’s answer should determine whether the CFAA applies to the teller’s digital equivalent.
Such a decision will obviously affect employees’ substantive liability under the Act, but also employers’ capacity to engage in forum shopping. In many cases, employers’ CFAA claims are the only federal causes of action. For example, Mike Miller’s employer raised one claim under federal law (i.e, the CFAA) and nine claims under state law (e.g., conversion, misappropriation of trade secrets, unfair trade practices, breach of fiduciary duties, etc.). In the absence of diversity, federal courts’ ability to hear state law claims is premised on supplemental jurisdiction. Without a colorable federal claim, plaintiffs lose access to the federal forum. However, a dismissal for want of jurisdiction doesn’t leave an employer without legal recourse. Mike Miller’s employer was still free to vindicate the nine remaining state-law claims—it just had to do so in state court. The applicability of the CFAA determines employers’ ability to choose between state and federal forums, but not their ability to seek remedies for their employees’ underlying misconduct. Therefore, when courts are deciding how to read the statute, they shouldn’t feel pressured to achieve a normatively fair outcome. In these cases, justice won’t ultimately hinge on whether the CFAA covers non-hacker employees, so courts should adopt whichever reading is truest to the text and purposes of the Act.