New Decision May Limit Businesses' Use of Federal Act to Address Employee Computer Fraud

Posted by Edward Sharkey on Thu, 05/17/2012 - 22:22

One legal tool available to businesses to address fraud perpetrated by employees is the Computer Fraud and Abuse Act (CFAA). The CFAA creates penalties for persons who, with the intent to defraud, access computer systems without proper authorization.

"Without proper authorization" includes "exceed[ing] authorized access." In some cases, companies have used this language to bring claims against employees who were authorized to access the computer in question, but who then took confidential information and misused it, in violation of company policy.

Businesses like the CFAA because it provides for damages normally not available under state law. Now, a recent decision by the U.S. Court of Appeals for the 9th Circuit may limit the usefulness of the CFAA for this purpose.

In the case, an employee was indicted for using his log-in credentials to log into his employer's database and download confidential customer information. He took the information to start his own business. The employee was authorized to access the information, but his use of the information for his own business violated company policy.

The appeals court affirmed dismissal of the charges, holding that the CFAA is meant to address computer hacking or unauthorized access to computers. It is not intended to deal with persons who are authorized to access a system but who misuse the information found there.

The decision contrasts with decisions from other courts, which have interpreted the law more broadly, and it creates a split in the law that can only be resolved by the Supreme Court or congress. There is no decision addressing the issue in Maryland's federal circuit, the Fourth Circuit.

The takeaway for businesses: one tool for addressing misuse of confidential data by employees is potentially less reliable than it was (and it is ineffective in California and the rest of the states in the Ninth Circuit). Traditional claims under state law, however, are still available. A business should be sure to have a robust computer use policy in place and to publicize it to all employees.

Call Today (301) 657-8184

 Google+  View Edward Sharkey's profile on LinkedIn