Passwords, Policies, And Trade Secrets: Lessons From NRA Group v. Durenleau And What It Means For Employers

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting propriety business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.

Case Background

On January 26, 2021, the defendant employee was home sick and urgently needed access to a work document. She did not have a company-issued computer or any means of accessing the document remotely. To resolve the issue, she contacted her co-defendant colleague and provided her login credentials, allowing the colleague to access the document and send it to her. The document in question was a spreadsheet containing passwords to numerous company platforms and accounts.

The next day, the colleague again accessed the defendant employee’s account and emailed the documents to the employee’s personal email address. These actions violated multiple company policies, including prohibitions against sharing login credentials, storing passwords in a manner easily accessible to others, and using company systems for non-work purposes.

After both employees left the company, plaintiff company NRA Group filed suit against them, alleging violations of the Computer Fraud and Abuse Act (CFAA), federal Defend Trade Secret Act (DTSA), and the Pennsylvania Uniform Trade Secrets Act (PUTSA). The District Court ruled in favor of the employees, finding no violations of the CFAA or trade secrets laws, and the Third Circuit affirmed.

CFAA Interpretation

The defendant employees admitted to violating NRA Group’s computer policy when she emailed the spreadsheet with passwords to her co-defendant colleague. NRA Group argued that the two employees’ actions exceeded the authorized use and access, thus violating the statute. The company relied on the violation of their workplace policy, as well as the VPN and firewall security measures in place, to argue that the employees’ actions constituted unauthorized access. A violation of the CFAA imposes both civil and criminal penalties, meaning that if the Third Circuit found the two employees civilly liable for violating the statute, they would also be exposed to criminal liability.¹

The Court refused to do so; reasoning that the defendants did not exceed their authorized access at all. The “gates of access were up for both women” because they worked with these spreadsheets and neither “hacked into the company’s systems” to gain access.² While their conduct clearly violated internal policy, the Court emphasized that policy violations alone do not amount to unauthorized access within the meaning of the CFAA. The statute was intended to target hacking—not the misuse of legitimately obtained credentials. For example, an employee who shares his or her password with a colleague to access a document for work, even if against company rules, is not committing a federal crime. In contrast, an employee who uses code to bypass a firewall to access restricted data would likely violate the CFAA.

Trade Secrets Analysis

NRA Group further argued that the defendants violated the DTSA and the PUTSA. The two laws both protect trade secrets, and the Court considered the two provisions together. Each statute protects information that “(a) the owner has taken reasonable measures to keep secret, (b) derives independent economic value, actual or potential from being kept secret, (c) is not ‘readily ascertainable’ by ‘proper means,’ and, (d) were it disclosed or used, would have economic value to those who cannot readily access it.”³ Independent economic value can be a compilation of data, including customer data that was generated in a fashion that it constitutes intellectual property of the owner.⁴

The court hinged on whether the password protected spreadsheet had independent economic value. Although passwords may “have economic value” if “integral to accessing [proprietary information], they have no independent economic value in the way a formula or a customer list might have.”⁵ Thus, when “a plaintiff has not alleged that its passwords are the product of any special formula or algorithm that it developed, the passwords are not trade secrets.”⁶ Importantly, the passwords were not trade secrets because they were merely “numbers and letters” that guarded what was valuable—“it is what the passwords protect, not the passwords, that is valuable.”⁷

Accordingly, the Third Circuit affirmed the lower court’s finding that there was no evidence that the passwords had independent economic value and were not trade secrets under the DTSA and the PUTSA.

How This Impacts Employers

The decision in NRA Group, LLC v. Durenleau et al. narrows the circumstances under which employers may pursue federal claims for employee policy violations, absent evidence of hacking or unauthorized system access. Nonetheless, employers may still pursue remedies under contractual, disciplinary, and other civil causes of action. Criminal exposure may arise under other statutes if protected data is misused or exfiltrated. To protect proprietary data in light of this decision, employers should:

• Regularly train employees on data handling and password security.
• Enforce technical access controls and monitoring on sensitive data.
• Clearly outline and discipline violations of company policy through employment contracts.
• Consult legal counsel to ensure all data security and confidentiality agreements are up to date.

NRA Group, LLC v. Durenleau reaffirms that the law does not criminalize every internal policy infraction related to computer access. Employers should focus on robust internal controls and consider contractual remedies, as federal law now offers narrower protection for everyday policy violations. Employers should craft strong internal policies and procedures to reduce opportunities for employees to share passwords, log into others’ accounts, and send sensitive information to personal email addresses or phone numbers. Staying vigilant with data policies and employee training remains essential in this legal landscape.

Footnotes

1. NRA Group, LLC v. Durenleau, 2025 WL 2835754, (3d Cir. Oct. 7, 2025).

2. Id. at *9.

3. Id. (quoting 18 U.S.C. § 1839(3); 12 Pa. Cons. Stat. § 5302).

4. Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 409 (E.D. Pa. 2009).

5. NRA Group, LLC v. Durenleau, 2025 WL 2835754, *12 (3d Cir. Oct. 7, 2025)

6. Id.

7. Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.