In 2012, several federal courts of appeals issued conflicting opinions over the scope and meaning of the Federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), particularly as it relates to employees hacking into and taking, without authority, employer’s confidential computer data. A recent law review article by Robert Kain entitled “Federal Computer Fraud and Abuse Act – Employee Hacking: Legal in California and Virginia But Illegal In Miami, Dallas, Chicago and Boston,” Fla. Bar Journal, Jan. 2013, (available here) discusses the divergent opinions between various federal appeals courts.
The CFAA criminalizes certain computer related behavior and, if the damage exceeds $5,000 over a single year, provides a civil remedy for its victims. The 9th Circuit Court of Appeals held in 2012 that the CFAA does not cover an employee-hacker or an insider that takes data and uses it in an anti-competitive manner after leaving the company. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)(en banc). Months later, the 4th Circuit Court of Appeals agreed and held that the CFAA is not violated unless an employee lacks any authorization to obtain or alter the data when he was employed. WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012)(after resigning, the ex-employee used the data in an anti-competitive manner). One U.S. District Court in Florida had earlier adopted the Nosal approach. Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D. Fla. May 6, 2011).
In contrast, the 1st, 5th, 7th and 11th Circuits have taken the opposite view and support the concept that an employee-hacker violates the CFAA whether he uses the data with or without financial gain. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)(employee-hacker violated statute even though he never used the data for financial gain); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006)(after resigning, the ex-employee used the data in an anti-competitive manner and violated the Act); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 578-79 (1st Cir. 2001)(an employment agreement establishes the parameters of unauthorized access); and United States v. John, 597 F.3d 263 (5th Cir. 2010)(employee-hacker violated statute even though she rightfully had access to the computer data, but then gave the data to cohorts who incurred fraudulent credit card charges).
This divergent approach over the scope of the CFAA presents an issue for the business community since the scope of coverage by the CFAA over employees or ex-employees who access and use, without authority, computer data casts a shadow over the employer’s rights to control its computer operations.