In December of 2015, the Second Circuit joined the dispute over whether an employee can be sued under the Computer Fraud and Abuse Act (CFAA) when they use their employer’s computer system in a way that is outside the scope of employment. With the Second Circuit weighing in, seven of the twelve Federal Courts of Appeals have taken up a position in the fight, with four courts on one side of the split and three in opposition. And while the Second Circuit’s interpretation of the disputed part of the CFAA appears sound, the disturbing facts surrounding the case may cause further polarization.
What’s the problem?
The CFAA can be used to prosecute anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” 18 U.S. Code § 1030(a)(2). Under this provision of the statute, several employers have sued their former employees for misappropriating certain information for personal benefit, such as trade secrets or customer contacts. Even though the employee may have had authorized access at the time when they extracted the information, employers argue that authorized access is exceeded when the use of that information falls outside the scope of employment. In other words, the employee may have authorized access for work purposes, but they exceed that authorization when they abuse that access.
Using the CFAA to prosecute former employees in this way makes sense when an employee is surreptitiously collecting confidential information from their current employer with the intent of quitting that job to go work for a competitor. This sort of misappropriation may result in substantial profit loss for the former employer.
However, the same liberal interpretation of the CFAA would also potentially criminalize employees who casually misuse a company computer for personal reasons that are outside the scope of their employment, such as to check their personal email, use social media platforms, or even pay their bills online. The contention among the Circuit courts is whether to employ a broad or narrow interpretation of “exceeding authorized access.”
The Broad Interpretation
Circuit Courts in Favor: 1st, 5th, 7th, 11th
Any use of a company’s computer system by an employee that “exceed[s] the purposes for which access is ‘authorized’” is a potential violation of the employer’s computer user policy, and thus subject to criminal charges under the CFAA. This interpretation focuses on the “authorized” element of the statute and imposes liability on employees whose use of the information falls outside of the realm in which they have been “authorized” to access it.
These courts assert that an employee exceeds authorized access with any violation of their company’s computer terms-of-use policy. In the Fifth Circuit case of United States v. John, a Citigroup account manager had exceeded her authorized access by giving customer information to her brother, resulting in credit card fraud. The Eleventh Circuit Court decided in United States v. Rodriguez that an employee of the Social Security Administration had exceeded his authorized access when he used his privileged access to highly sensitive personal information to pursue women in whom he had a romantic interest.
The Seventh Circuit applied agency theory in the case of International Airport Centers, LLC v. Citrin, when an employee deleted files from his computer after deciding to quit and go work for a competitor, which was in violation of his employment contract. The court held that “his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit [his current job] in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”
The Narrow Interpretation
Circuit Courts in Favor: 2nd, 4th, 9th
Authorized access is exceeded when an employee takes measures to gain access to information that is outside the scope of their authorized privilege. This is in stark contrast to the broad interpretation, which hinges on misuse of information that an employee has access to. The narrow interpretation disregards misuse of information and instead focuses on the “access” element of the statute. Essentially, if the employee has been granted access to the computer system, then misuse of that computer or the information on it does not, by itself, amount to a violation of the CFAA. Instead, the employee exceeds access only when they obtain or tamper with unauthorized files.
The Ninth Circuit asserted in United States v. Nosal that “[i]f every employee who used a computer for personal reasons and in violation of her employer’s computer use policy were guilty of a federal crime, the CFAA would lend itself to arbitrary enforcement, rendering it unconstitutionally vague.”
The Fourth Circuit specifically rejected the agency theory as employed by the Seventh Circuit, with the belief “that the theory has far-reaching effects unintended by Congress.”
In the most recent narrow interpretation decision handed down by the Second Circuit, United States v. Valle, a police officer utilized the NYPD’s restricted databases for personal gain to locate a woman he had previously known in high school. Concurrently, the officer was engaged in conversations with an online fetish community where he discussed his “desire to kidnap, rape, torture, and eat women whom he knows,” including the specific woman he searched for in the database. The Second Circuit decided that the police officer’s use of his work’s database did not violate the CFAA, holding that an employee exceeds authorized access “only when he obtains or alters information that he does not have authorization to access for any purpose which is located on a computer that he is otherwise authorized to access.”
Does Abuse of Access Matter?
The Second, Fourth, and Ninth Circuits all make compelling arguments for the need to “construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.” (9th Cir., Nosal). However, it is unsettling to think that no federal statute criminalizes the behavior of an employee who abuses their computer privileges at work, especially when that abuse puts members of the public in danger. If Congress were to amend the CFAA to clarify what it means to “exceed authorized access,” it could potentially satisfy all of the Circuit courts by narrowing the definition enough to avoid criminalizing benign behavior, while maintaining an element of intent to ensure that actual corrupt behavior does not escape punishment.