Courts Reining In What it Means to be a “Hacker” Under the Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (“CFAA”) is an anti-hacker statute that prohibits accessing computers connected to interstate commerce without authorization, or in excess of authorized access. 18 U.S.C. § 1030. Violators are subject to both criminal and civil liability. Employers have long taken advantage of the CFAA’s civil remedies to “sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005).
A majority of courts have to date construed the meaning of “unauthorized access” in the CFAA to include access for unauthorized purposes, such as to steal an employer’s information. They applied the anti-hacker statute even though the employee was authorized to access the computer system, just not for purposes of theft. Now a growing number of courts are stepping back from the expansive construction of what it means to be a “hacker” under the statute. They are instead limiting the CFAA to situations where the access to the computer itself was unauthorized, and disregarding whether or not the access was for a permitted use.
A recent case out of the District Court in Pittsburgh provides an example of this new trend, and includes a good discussion of the law. Carnegie Strategic Design Engineers, LLC v. Cloherty, March 6, 2014. Judge Eddy points out that there is a split in the Circuits on the issue, and then follows the minority view that the CFAA was not intended to convert disloyal employees into hackers. The plaintiff employer’s case was dismissed with prejudice because there were no allegations that the employee was not authorized to access the computer system, just allegations of improper purpose.
There are practical lessons in this case for employers fighting back against employees who leave with their trade secrets, including one that is e-discovery specific. First, whenever possible, include claims for trade secret theft and misappropriation. Do not put all your marbles on the anti-hacking statute, the Computer Fraud and Abuse Act, and its many state law equivalents. Your judge may well agree that the employees are disloyal, and maybe even thieves, but not agree that they are computer hackers.
In addition, investigate carefully the facts of a departed employee’s access to the computer system. Are there any indications that the access itself was unauthorized, regardless of the intended purpose of the access? For instance, did they access a portion of the system beyond their authority? Did they use someone else’s account, user name, or password? Did they use a thumb drive to download the files? This action is prohibited by some employers who have classified information in their system (think of the NSA and Snowden). Also, check carefully the times of access. Was the system ever accessed after they were no longer an employee?
You may want to retain a computer forensic expert to look for evidence of exactly how the thefts took place. Electronic discovery of these facts, and more, may show that the access to the computer system itself was unauthorized. Proof of computer hacking like that will help you to build a strong case.
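As an added illustration (not part of the original article), the sketch below shows how a forensic examiner might triage access records against the questions raised above: access beyond the employee's authority, use of another person's account, thumb drive copies, and access after employment ended. The record layout, account names, paths, and dates are constructed assumptions, not data from any case.

```python
from datetime import datetime

# Constructed sample data; every name, path and date here is hypothetical.
EMPLOYEE = {
    "user": "jdoe",
    "terminated": datetime(2014, 1, 31, 17, 0),
    "authorized_prefixes": ("/shares/engineering/",),
}

# (timestamp, account used, owner of the workstation, action, target)
EVENTS = [
    ("2014-01-20 09:12", "jdoe", "jdoe", "read", "/shares/engineering/specs.dwg"),
    ("2014-01-28 22:41", "jdoe", "jdoe", "read", "/shares/finance/bids.xlsx"),
    ("2014-01-29 23:05", "asmith", "jdoe", "read", "/shares/engineering/quotes.pdf"),
    ("2014-01-30 18:30", "jdoe", "jdoe", "usb_copy", "/shares/engineering/specs.dwg"),
    ("2014-02-03 02:17", "jdoe", "remote", "read", "/shares/engineering/specs.dwg"),
]

def flag_event(event, employee, usb_prohibited=True):
    """Return the reasons one record suggests the access itself was unauthorized."""
    ts, account, ws_owner, action, target = event
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    own_account = account == employee["user"]
    flags = []
    if not own_account and ws_owner != employee["user"]:
        return flags  # record does not involve this employee
    if own_account and when > employee["terminated"]:
        flags.append("post_termination_access")
    if not own_account:
        flags.append("other_users_account")  # someone else's login on their machine
    if own_account and not target.startswith(employee["authorized_prefixes"]):
        flags.append("outside_authorized_area")
    if action == "usb_copy" and usb_prohibited:
        flags.append("prohibited_removable_media")
    return flags

def triage(events, employee, usb_prohibited=True):
    """Return (timestamp, flags) for each record that raised at least one flag."""
    report = []
    for event in events:
        flags = flag_event(event, employee, usb_prohibited)
        if flags:
            report.append((event[0], flags))
    return report

if __name__ == "__main__":
    for ts, flags in triage(EVENTS, EMPLOYEE):
        print(ts, ", ".join(flags))
```

Set `usb_prohibited=False` when the employer has no policy against removable media, since a thumb drive copy then says nothing about whether the access was authorized.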