Employment and the Computer Fraud and Abuse Act
If you are lucky, you will go through your entire life without knowing what the Computer Fraud and Abuse Act (“CFAA”) is or how it applies to employment law.
In recent years, the issue of what types of claims exist against an employee who left (or got fired from) a job and either took or retained company documents or electronically stored information of their former employer has become quite a hot-button issue. Some aggressive employers sued former employees under the CFAA if they learned that an employee still possessed confidential information obtained from a company computer. They argued that the employee accessed a company computer without authorization to obtain information violated the CFAA.
The CFAA creates a civil remedy where a party can sue for damages if a person intentionally accessed a computer without authority and obtained data from that computer that caused a loss. Besides civil damages and attorneys’ fees, this statute also has criminal penalties.
Companies would sue a former employee who had obtained data from a company computer system while employed but who then kept that data to assist the employee in his or her lawsuit. The companies argue that the use of the information was not authorized and violated the CFAA. The companies then sue for damages and attorney’s fees. Because the statute authorized statutory penalties and attorneys’ fees, a violation could subject the former employee to a large liability.
Earlier this year, however, the Supreme Court finally ruled on a criminal case involving the CFAA. However, this opinion impacts employment law. The issue in Van Buren v. United States was whether a police officer violated the CFAA to log into a law-enforcement database. The police officer used valid credentials to log into the database, but he did so for non-law enforcement purposes. He violated his department’s policies. But did he violate the CFAA?
According to the Supreme Court, no. The CFAA makes it illegal for a person to obtain information from a computer system without authorization. However, the CFAA does not make it illegal for someone—who may have improper motives—to access a computer system to obtain information otherwise available to that person. So, if you are authorized to access a computer system, you do not violate the CFAA when you do so—even if you are doing it for an improper reason.
In the employment context, this ruling removes a weapon from a company’s arsenal. A company can no longer sue an employee for allegedly violating the CFAA if the employee legally obtained company information by accessing a computer system while the employee still had the authorization to do so.
Now, if the employee accesses parts of the computer system that the employee does not have the authorization to access, then the answer is different. The employee could face CFAA liability for that. However, if an employee gets information from a computer system while the employee has authority to access that system, then the employee no longer faces the risk of a CFAA claim.
Again, in a perfect world, few employees will ever know what the CFAA is and how it might affect their employment. However, this ruling protects employees who gather information while working for a company that might support a future claim against the company. So long as the employee had the authority to access the computer system, the employee should not be accused of violating the CFAA.
This Supreme Court ruling takes one possible risk off of employees who want to sue a former employer.