People who work in tech know their employers have internal rules or policies regarding intellectual property and access to the employer’s systems. But few are familiar with a federal statute, the Computer Fraud and Abuse Act (“CFAA”), which can impose far more severe penalties on violations of those policies, than the policies themselves. The CFAA has been interpreted by some courts to criminalize simple workplace policy transgressions. That can include retaining confidential data after leaving employment, or even accessing data for a purpose contrary to the rules or policies of the employer. Simply put: One’s breach of a computer usage policy or contract may well be deemed a felony.
All tech employees and website users should be aware of the reach of this statute. Anyone facing possible discipline at work for actions related to data security or intellectual property should consider the potential for criminal or civil charges under the CFAA, and find out how best to protect themselves from such charges.
MacDonald Hoague & Bayless can help. For over 60 years, we have been fighting for employee and individual rights, and our litigation attorneys are experienced in criminal, employment, and intellectual property law.
The following information is intended to provide general information about the Computer Fraud and Abuse Act. It is not intended to provide legal advice or guidance as to whether these laws apply to you. Advice can only be provided by a qualified attorney, and then only after he or she has carefully reviewed the facts of your situation.
What Is the CFAA?
The Computer Fraud and Abuse Act, also known as the CFAA, is a federal statute codified at 18 U.S.C. § 1030. Although intended to combat hacking, it has been used civilly as well as criminally in situations where an employer asserts that an employee has used a workplace computer account to improperly access or obtain confidential or proprietary information.
Employers have used the statute to bring civil suits against former employees and their new employers, alleging the former employees and their new employers are using information improperly obtained from the former employer.
An aggressive use of the criminal provisions of this statute recently became headline news after the suicide of American computer programmer, entrepreneur, writer, political organizer and activist, Aaron Swartz. While a research fellow at Harvard University, Swartz was arrested by MIT police after connecting a computer to the MIT network and setting it to download academic journal articles from the “JSTOR” digital repository or database. As a research fellow at Harvard, he was authorized to access JSTOR through its network, but his downloading program used a guest user account issued to him by MIT.
For doing this, federal prosecutors in Massachusetts charged Swartz with several counts of violating the CFAA as well as wire fraud counts. The criminal charges carried possible penalties of $1 million in fines and over 30 years in prison. Swartz declined a plea bargain which would have required him to plead “guilty” to the multiple felonies. He committed suicide in his Brooklyn apartment while under federal indictment.
The broadest section of the CFAA criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtaining . . . information from any protected computer.” (Emphasis added) A “protected computer” is further defined broadly, as a computer used by a financial institution, the United States government, or a computer “which is used in or affecting interstate or foreign commerce or communication.” (Emphasis added). This definition essentially encompasses any computerized device that can connect to the internet. Individuals can also be charged with conspiring with others to commit such a violation, even if no violation occurs, or aiding and abetting a violation committed by someone else.
The CFAA Has Been Used to Criminally Prosecute Employees
Different federal courts have interpreted the CFAA differently. The U.S. Supreme Court has yet to resolve these differences. The biggest disagreement among the courts concerns what it means to “exceed authorized access” to a computer.
Several courts have held that this includes an employee using a computer account or database they are allowed to access, but doing so for a purpose that their employer’s computer “use” policies prohibit. For example:
- In United States v. Rodriquez, the Eleventh Circuit Court of Appeals upheld the conviction of an employee of the Social Security Administration who accessed the agency’s databases to obtain personal information about his ex-wife and former and potential girlfriends. (The Eleventh Circuit has jurisdiction over federal cases from Alabama, Florida and Georgia.)
- In United States v. Teague, the Eighth Circuit Court of Appeals upheld the conviction of an employee of a government contractor who accessed the National Student Loan Data System to view information about President Obama’s student loans. (The Eighth Circuit has jurisdiction over federal cases from Minnesota, Iowa, North Dakota, South Dakota, Nebraska, Missouri and Arkansas.)
Other courts have held that this definition is overly broad. They say that allowing a criminal conviction based on mere violations of any corporate usage policy would criminalize common practices such as checking Facebook or sending a personal email. For example:
- In United States v. Valle, the Second Circuit Court of Appeals reversed the conviction of a New York City police officer who had used law enforcement databases to look up information on women about whom he wrote disturbing fantasies on a sadistic fetish website. (The Second Circuit has jurisdiction over federal cases from Connecticut, New York and Vermont.)
- In United States v. Nosal, the Ninth Circuit Court of Appeals reversed the conviction of a former employee at an executive search firm who had convinced current employees to send him information they were allowed to access from the firm’s proprietary database. Recently, however, the Ninth Circuit upheld the same person’s conviction on other counts based on evidence he had a former employee use a current employee’s password to access the database (rather than having the current employee access and send the information). In a lengthy dissent, one of the judges on this more recent Nosel panel wrote that the decision effectively criminalizes any password sharing that violates a corporate use policy. (The Ninth Circuit has jurisdiction over federal cases from Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington, Guam, and the Northern Mariana Islands.)
The CFAA Has Been Used in Civil Lawsuits, Including to Sue Employees and Competing Companies
Under the CFAA, an employer can sue its former employee and/or her new employer, claiming the employee used unauthorized access to the former employer’s computers to take proprietary information to a new employer or venture. For example:
- In EF Cultural Travel v. Explorica, the First Circuit Court of Appeals upheld a CFAA injunction obtained at the trial court level by a travel company against a competitor. The Court held that a former employee of the plaintiff travel company violated the CFAA when he used his proprietary knowledge of the structure of that company’s website to write a program for his new employer, a competitor, that could “scrape” his former employer’s public website to collect information about that company’s competing prices faster than a human looking through the website could. The injunction prevented the defendant company from using the software written by the former employee of the plaintiff company. (The First Circuit has jurisdiction over federal cases from Maine, Massachusetts, New Hampshire, Rhode Island, and Puerto Rico.)
- In WEC Carolina Energy Solutions v. Miller, the Fourth Circuit Court of Appeals dismissed a lawsuit brought by Mr. Miller’s former employer against him and his new, competing employer, holding that the employee had not violated the CFAA when he downloaded confidential employer information he was entitled to access at the time (when his authorization had not been rescinded) to a personal computer, even though this violated the employer’s “use policy.” (The Fourth Circuit has jurisdiction over federal cases from Maryland, Virginia, West Virginia, North Carolina and South Carolina.)
- In July 2016, in Facebook v. Vachani, the Ninth Circuit Court of Appeals held that violating Facebook’s terms of use is a violation of the CFAA’s “without authorization” provisions. Power Ventures, Inc. (“Power”) had a service that let users aggregate their contacts on different social media sites. Its software allowed Facebook users to authorize Power to access their Facebook accounts to gather information for them for use at Power’s website. Power users also authorized the software to send Facebook messages to other Facebook users on their behalf. Facebook sent a “cease and desist” letter to Power, and created IP barriers to try to block Powers’ continued access of Facebook accounts. Power changed its IP addresses and continued. Facebook then sued Power and its CEO/founder, Steve Vachani, for violation of the CFAA (among other claims). The appeals court agreed with Facebook, that this conduct by Powers violated the CFAA as an intentional accessing of Facebook’s computers “without authorization.”
How Can a Lawyer Help?
There have been legislative proposals to exclude terms of use violations from the CFAA. They include “Aaron’s Law” introduced by Rep. Zoe Lofgren from Northern California. Reform of the CFAA has been endorsed by the Electronic Frontier Foundation (EFF), the ACLU, and prominent Law Professors Lawrence Lessig and Orin Kerr, among others. But none of those proposals have passed. And the CFAA remains a complex and broad statute that creates potentially serious civil and criminal liability for a wide range of conduct. Its dangers are further complicated by the current disagreements or “shifting sands” of decisions among different federal courts across the country about how it should be applied or interpreted.
What Can a Lawyer Help Me With?
Obviously, anyone facing criminal charges or civil claims that they violated the CFAA needs good legal advice. But so do employees facing workplace discipline related to computer access, employees leaving a company to start or join a competing venture, and employers hiring an employee who previously worked for a competitor.
MacDonald Hoague & Bayless can help.
Leslie Hagin and the other criminal and employment law attorneys at MHB have a wide range of experience representing individuals facing criminal investigation and/or charges, employees in conflict with their employers, as well as those seeking advice and counsel on how to avoid or resolve such issues.