Menu

Showing 6 posts in CFAA.

Employers Should No Longer Rely on Their Policies Alone to Support a Computer Fraud and Abuse Act Claim Against Current or Former Employees

On June 3, 2021, the U.S. Supreme Court issued its opinion in Van Buren v. U.S. addressing a long-standing circuit split on employee computer access limits under the Computer Fraud and Abuse Act (CFAA). For many years the federal courts struggled with and disagreed over how to interpret the CFAA provisions that impose criminal and civil liability on a person who "intentionally accesses a computer without authorization or exceeds authorized access." 18 U.S.C. §1030(a)(2). The phrase "exceeds authorized access" is defined by the CFAA as follows: "To access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6). Unlike the typical employment scenario, the Van Buren case involved a police officer who used his access to a law enforcement database to search a license plate in exchange for $5,000.00 that was offered to him as part of a planned FBI investigation. The police officer was charged with a felony violation of the CFAA based on the allegation that his license plate search violated the "exceeds authorized access" provision of the CFAA. 18 U.S.C. §1030(a)(2). Specifically, the government's case against the police officer was that he used his authorized access to the license plate database for "an improper purpose" that included "any personal use." Van Buren, p. 4, citing App. 17. After the police officer was convicted by a jury, he was sentenced to 18 months in prison. On appeal the Eleventh Circuit affirmed by holding that the police officer had violated the CFAA by his action in accessing the law enforcement database for an "inappropriate reason." Van Buren v. U.S., 940 F.3d 1192, 1208 (9th Cir. 2019). More ›

Implementing a Policy Review to Ensure You Are Protected Under The Computer Fraud and Abuse Act, Part 2: How to Conduct Your Policy Review

In Part 1 of this series, we discussed the Computer Fraud and Abuse Act (“CFAA”) and situations that are readily prohibited by the CFAA, such as when current or former employees gain access to an employer's databases or files to harm the employer or damage its business contacts. We also discussed how a policy review could be beneficial for your workplace. In Part 2, we will discuss how to conduct your policy review and questions you should consider throughout the review in more detail here. More ›

Implementing a Policy Review to Ensure You Are Protected Under The Computer Fraud and Abuse Act, Part 1: Why You Should Conduct a Policy Review

Ambrose McCall will be presenting "The Computer Fraud and Abuse Act: Navigating the New Normal of Workplace Technology and Cybersecurity" on Thursday, October 12, 2017, at the 22nd Annual Labor & Employment Seminar. This year's Seminar will be held at the Hilton Chicago-Northbrook in Northbrook, Illinois. Please visit our website for more details. More ›

Seventh Circuit Clarifies how to mtet Injury Requirement of the Computer Fraud and Abuse Act

Employers who encounter the option of pursuing a current or former employee or independent contractor under the Computer Fraud and Abuse Act have at times passed on this option due to the specific injury requirement imposed by the Act. Fortunately, the Seventh Circuit of the U.S. Court of Appeals has recently provided guidance on how to satisfy the injury requirement imposed by the Act so as to avoid the entry of an adverse summary judgment that bars the pursuit of a claim under the Computer Fraud and Abuse Act ("CFAA"). More ›

Ninth Circuit: Employees do not Violate the CFFA when Violating Computer use Restrictions

The Ninth Circuit Court of Appeals recently issued an opinion concerning employee violations of the Computer Fraud and Abuse Act. More ›

Ninth Circuit Allows Employees to be Prosecuted Under Computer Fraud and Abuse Act for Breach of Employer’s Network Policy

After leaving the company, a former executive search firm employee persuaded former co-workers to provide him with certain information from the company’s databases as it pertained to various candidates and employers, in order to help him set up a competing company. The employer had a computer-use policy that placed clear and conspicuous restrictions on the employees’ access to the system and to the information contained in the system. Specifically, the company had taken considerable steps to protect and ensure the privacy of its confidential data, including assigning unique login credentials to employees, controlling access to the computer systems, and requiring employees to execute confidentiality agreements pertaining to these databases and information. The government indicted the former employee and the two current employees for violations of the Computer Fraud and Abuse Act (CFAA) for knowingly accessing a protected computer without authorization or exceeding authorized access with the intent to defraud. The former employee and current employees argued that they had been authorized to access and use the database and the information, and thus did not violate the CFAA. The U.S. Court of Appeals for the Ninth Circuit held that the employees had violated the criminal statute by accessing the database, obtaining information from that database, and using it in a way that violated the employer’s restrictions. The court found that the employer took considerable measures to protect its information and that the employees knew (by virtue of these written protective measures) that they were not authorized to access the database and information in order to defraud the employer. This ruling demonstrates the importance of having computer-use and electronic-communications policies. Such rules are critical so that employers can protect their trade secrets and confidential information by making employees aware of what access is “authorized” versus “unauthorized.”