Either Way You Say it, It’s Unauthorized: Mass. Federal District Court Declines to Dismiss Computer Fraud and Abuse Act (CFAA) Claim
On November 12, 2013, A court in the U.S. District Court for the District of Massachusetts issued a decision concerning the ongoing debate about the meaning of “exceeding authorized access” under the Computer Fraud and Abuse Act. Moca Systems, Inc. v. Bernier, No. 13-10738-LTS (D. Mass. Nov. 12, 2013). MOCA Systems, Inc. filed suit against its former CEO and his newly formed company, Penley Systems, LLC, claiming Bernier improperly accessed MOCA’s computer systems to obtain confidential information and trade secrets for use at his new company.
MOCA alleged that within days of his termination, Bernier entered MOCA’s office, took a company-owned computer, downloaded MOCA’s trade secrets and confidential information, and then deleted a significant amount of information in an attempt to cover his tracks.
As this blog has previously noted, federal appellate courts are currently split on the interpretation of the term “exceeds authorized access” under the CFAA, and whether the term should be interpreted narrowly or broadly. “Exceeds authorized access” is defined by the CFAA to mean, “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.” The phrase “without authorization” is not defined by the statute, however, and courts are currently divided on whether the phrase should be interpreted broadly or narrowly.
The court concluded that MOCA’s allegations supported a claim that Bernier had accessed the computer “without authorization” under either the narrow or broad reading of the CFAA, and denied Bernier’s motion to dismiss. Declining to weigh in on the split in authority, the court noted:
Resolution of the pending motion, however, does not require the Court to determine which line of cases is better-reasoned, since the allegations in this Complaint differ materially from these cases and suffice under either standard.
In situations such as this, when an employer suspects foul play and theft of corporate resources, employers should consider making a forensic copy of the computer in question immediately. Turning the computer on before making a forensic copy can create difficulties in investigating the employee’s activities because it can alter the metadata relating to downloaded and deleted files.