Is Misuse of Information That An Employee Was Authorized to Access A Violation of the Computer Fraud and Abuse Act?

 In
0

The U.S. Court of Appeals for the Sixth Circuit recently deepened a federal circuit split on what constitutes a violation under the Computer Fraud and Abuse Act (CFAA) in a situation involving employee misuse of confidential company information for personal gain.

In Royal Truck & Trailer Sales & Service, Inc. v. Kraft, the company discovered that, prior to their sudden departure, two employees had accessed confidential company information and utilized that information for their own purposes. The company sued the former employees under the CFAA, which provides for claims against someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer.” One of the elements of such a claim is that “the access was unauthorized or exceeded Defendants’ authorized access.”

The Sixth Circuit noted that the employees were authorized to access the confidential information, and thus the only question was whether their misuse exceeded their authorized access. According to the Sixth Circuit, it did not, as the phrase “exceeds authorized access” means that an individual has permission to enter a computer for specific purposes, but later obtains information for which access has not been authorized. The Sixth Circuit determined that the purpose of the law “is penalizing those who breach cyber barriers without permission, rather than policing those who misuse the data they are authorized to obtain.”

In so holding, the Sixth Circuit noted that the conduct at issue might violate company policy, or other state or federal laws. It also recognized that its holding reinforced a circuit split – that it joined the Second, Fourth and Ninth Circuits in finding that misuse of information that is validly accessed is not a violation of the CFAA, while the First, Fifth, Seventh, Eighth and Eleventh Circuits have interpreted the “exceeds authorized access” language more broadly. The Sixth Circuit pointed out that this issue will likely be resolved by the U.S. Supreme Court in a criminal case that it had recently agreed to hear.