To Steal or Not to Steal: An Analysis of the Computer Fraud and Abuse Act and Its Effect on Employers

Abstract

The following is a surprisingly common scenario among employers in the United States today: a model employee works diligently at her job, while taking intermittent breaks to check her email or surf the Internet. The employee tries her best to balance her home and work life, occasionally emailing files home to work in the evening. She might even occasionally download files onto a USB device, either to access them after hours or to use them as templates with future employers. Eventually, due to demands either at home or at the office, the employee becomes disgruntled with her job and decides to leave for another position. Before leaving, she may email more copies of her files home or save them onto a USB device, again to save for her records. This example raises several issues: (1) Has the employee acted “without authorization” according to the Computer Fraud and Abuse Act (CFAA)?; (2) Does the employer have a federal civil cause of action against the employee?; and (3) How can employers protect themselves from employees stealing data, given the unsettled law concerning the CFAA?

The circuits are split as to how to interpret the language “without authorization” and “exceeds authorized access” as it applies to the CFAA. Two distinct positions have developed among the courts. The first applies a narrow, employee-friendly interpretation of the language; the second applies a broad, employer-friendly interpretation of the language. This leaves employers in a very uncertain position as to how best to protect their data. The conflict centers on “what constitutes ‘unauthorized access’ under the statute, particularly as it relates to employer–employee relationships and proprietary database misuse.” Specifically, “courts have split on the question of whether an employee with an improper purpose may be held civilly liable under the CFAA.” What can employers do to protect themselves given the uncertainty in the case law? This Comment will help employers understand the variances in the legal interpretations of the courts, as well as help employers best understand how to protect themselves in the event that the narrow interpretation is adopted or applied.

This Comment addresses the split among the circuits interpreting the “without authorization” and “exceeds authorized access” language of the CFAA by looking to why this legislation is necessary and identifying what employers must do for data protection under the umbrella of existing law. Part Two of this Comment addresses the rise of employee data theft, which is becoming increasingly common among employers today. Part Three of this Comment looks at the historical development of the CFAA. Part Four of this Comment examines and contrasts the cases among the federal circuits regarding whether an employee acts “without authorization.” The key to adequate protection for employers is to understand the reasons for the split and why the narrow, employee-friendly interpretation should become the prevailing viewpoint. Part Five of this Comment, the conclusion, identifies key preventative measures employers can take to protect themselves against electronic data theft. The uncertainty among the courts is vast, but the Supreme Court should rule in favor of the narrow interpretation, and employers must be prepared to have adequate tools in place to protect their assets.