The Basics: "Hacking," the Computer Fraud and Abuse Act, and You
Today we're going to look at a federal statute that is increasingly becoming central to disputes between outgoing executives and their former employers -- a statute originally designed to prohibit computer "hacking."
Now, if you’re anything like me, when you hear the word “hacking,” you probably envision Matthew Broderick using a dial-up modem to break into his high school’s computer and change his grades. (In fact, Broderick pulled this same trick twice in the 1980s; first in WarGames and then again in Ferris Bueller’s Day Off.) Indeed, if you asked the average person to define “hacking,” they would probably come up with something like WarGames; that is, they would consider hacking to be breaking into a computer or network to which you were not given permission to access, in order to do something nefarious, like changing your grades or starting World War III.
It probably comes as no surprise that after those blockbuster movies (and some real-life events, too), Congress enacted a statute to prohibit “hacking” back in the heyday of the 1980s. That statute – the Computer Fraud and Abuse Act (“CFAA”) – is still the law today, and is codified at 18 U.S.C. §§ 1030.
But what you might not know is that in many areas of the country, there's a court-interpreted disconnect between the CFAA’s definition of hacking and Matthew Broderick. That disconnect, in turn, has become a very real issue today for departing executives and their employers. For example, if you’ve been fired and you delete files off of your laptop before returning it, you may be civilly and even criminally liable under the CFAA in some jurisdictions. (International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). (Less relevant – but more salacious – is the Justice Department’s efforts to prosecute a mom under the CFAA for lying about her age on MySpace.) United States v. Drew, 259 F.R.D. 449 (C.D. Calif. 2009).
It all depends on how the courts in your area interpret the CFAA. Read on....
In relevant part, the CFAA renders criminally liable any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer,” 18 U.S.C. § 1030(a)(2), as well as any person who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” Id. at § 1030(a)(5). The statute provides for parallel civil liability “to obtain compensatory damages and injunctive relief or other equitable relief” if, inter alia, the total amount of the loss exceeds $5,000. Id. at § 1030(g).
As a result, employers often assert claims under the CFAA against former employees they suspect of having misappropriated trade secrets. Moreover, because the CFAA is a federal statute, it may provide a vehicle for the employer to bring what would otherwise be state-law claims of misappropriation in federal court.
The key, as you might suspect, lies in how courts have interpreted the phrases “without authorization” or “exceeds authorized access.” Perhaps the most well known case is U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
The Ninth Circuit sets forth the facts: "David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on twenty counts, including… violations of the CFAA. … Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access." Nosal, 676 F.3d at 856.
The Court, sitting en banc, agreed with Nosal and adopted a narrow interpretation of the CFAA focused on the word “access.” Essentially, the Ninth Circuit adopted the Matthew Broderick definition; hacking is when you literally don’t have the password or otherwise sneak on to a computer to which your employer has not given you permission to access. This view has been endorsed by the Fourth Circuit as well. WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012).
From a predictability standpoint, the problem is that at least four other U.S. Courts of Appeal – for the First, Fifth, Seventh, and Eleventh Circuits – have endorsed a much broader interpretation of the CFAA, holding, as in the Citrin case discussed above, that the employee’s access is “without authorization” whenever the employee furthers interests that are adverse to his or her employer’s. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
The Supreme Court recently dismissed WEC Carolina Energy Solution’s petition for a writ of certiorari, so this split amongst the circuits will continue for now. As a result, a company that does business across the country may now be able to maintain a federal cause of action under the CFAA against an employee in one part of the country but not against a different employee who engages in the exact same conduct in another part of the country.