What can an employer do when its employee accesses data in a way that violates company policy? In the past, one avenue for relief was the Computer Fraud and Abuse Act (CFAA), a federal statute that creates the potential for both civil and criminal liability for individuals who "intentionally accesses a computer without authorization or exceeds authorized access." CFAA, 18 U.S.C. § 1030(a)(2). Because it is a federal statute, the CFAA opens the doors to the federal courts to litigate these types of disputes.
Recently, the Third Circuit Court of Appeals continued the
trend of narrowing the scope of potential liability under the CFAA.
Building on the U.S. Supreme Court's 2021 decision in Van Buren v. United States – discussed in
our prior blog post, Supreme Court Narrows Liability Under the Computer
Fraud and Abuse Act (June 7, 2021) – the Third Circuit in
NRA Group, LLC v. Durenleau, answered whether
an employee can be held liable under the CFAA for accessing her
employer's computer system in violation of workplace policies
by sharing her credentials with a different employee. The answer:
No; the CFAA is not meant to provide a remedy for workplace policy
violations.
Relying on Van Buren's "gates-up-or-down" approach,
the Third
Circuit explained that an employer has granted and thus
authorized access to a computer when the employer approves
or sanctions use of the computer. Although company policy may
prohibit access in certain ways—such as remotely or by using
a colleague's login credentials—if the employee was
granted access to the computer, merely violating company policy
does not constitute exceeding authorized access. This
view, the Third Circuit explained, is consistent with the
narrow construction of the CFAA required by the Supreme
Court since the statute creates the potential for not only
civil, but also criminal liability. The Court
expressed disfavor toward criminal penalization for common
violations of employer guidelines and policies or the
"federalization" of "a range of disputes that have
traditionally been within the purview of state law."
With its decision in NRA Group, employers in the Third Circuit (New Jersey, Pennsylvania, and Delaware)—as well as many other circuits throughout the country—are unlikely to find relief under the CFAA against employees that have violated contracts or policies in accessing company data. There are other remedies available, typically traditional state-law claims like breach of contract, business torts, fraud, and negligence, which, absent some other federal claim or basis for federal jurisdiction, will be litigated in state courts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
