While employers may, and likely will, have other remedies available, the CFAA offered certain relief and potential tactical advantages that have now been lost. We, therefore, encourage employers to review their employment agreements and policies to ensure adequate protection of their intellectual property.
The CFAA makes it illegal to intentionally access and obtain data from a computer either (i) without authorization to access the computer, or (ii) by exceeding the user’s authorization. Under certain circumstances, the computer’s owner can also pursue a claim in federal court against the bad actor for damages, including the cost of investigating the illegal conduct. Several Circuit Courts of Appeal interpreted the “exceeds authorization” provision to prohibit employees from using their access to an employer’s computer(s) for an unauthorized purpose—such as stealing their employer’s intellectual property. Employers operating within those circuits could thus seek criminal prosecution under the CFAA and/or bring CFAA claims against the employees. The Supreme Court rejected this interpretation.
In Van Buren v. United States, an employee was provided access to a computer system for certain limited purposes. The employee violated those restrictions by accessing the computer system to sell information for personal profit. Specifically, the defendant was a police officer who ran a license plate number through a law enforcement database and then sold the information. The officer’s conduct was undisputedly both unlawful and unauthorized. The Supreme Court ruled, however, that the employee did not violate the CFAA. The decision interpreted the phrase “exceeds authorization,” for purposes of the CFAA, to apply to the method of access, not the purpose. The police officer was authorized to run license plates through the database and thus did not exceed his authorization. The import of the ruling is that employers are only protected by the CFAA if an employee accesses a computer or files that they are not permitted to access—misusing permitted access will no longer be enough. Accordingly, many employers will be unable to bring CFAA claims, even where an employee undisputedly stole or damaged the employer’s intellectual property.
While Van Buren took away one tool available to employers, many others remain, particularly those grounded in contracts such as employment, confidentiality and intellectual property agreements. We, therefore, encourage employers to review those agreements, and their associated policies, with counsel to ensure that there is adequate protection.
Author Matthew McDonald is a partner in the litigation department at Klehr Harrison.