Computer Fraud & Abuse Act (CFAA)

Another court has rejected the broader interpretation of the Computer Fraud and Abuse Act (“CFAA” or “the Act”) as applying to employees who exceed their authorized use.  A recent decision in Minnesota highlights the issue of whether the Act imposes civil liability on employees who have permission to access their employers’ data, but do so with a wrongful purpose.  See TripleTree, LLC v. Walcker No. 16-609, 2016 WL 2621954 (D. Minn. May 6, 2016).

The court considered this question in the context of a trade secrets case.  A former employee of TripleTree, an investment banking company, was discovered to have accessed the Company’s confidential information and to have engaged in a series of suspicious activities just prior to leaving the Company for a competitor.  Id. at *1.  TripleTree filed claims against its former employee for, among other things, violating the CFAA and the Minnesota Uniform Trade Secrets Act.  Id. at 2. 

The court sua sponte considered whether it should dismiss TripleTree’s CFAA claim.  Id. at *3.  The CFAA sanctions a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains  . . . information from a protected computer.”  18 U.S.C. § 1030(a)(2)(c).  Any person who suffers from a violation of the Act may bring a civil claim for damages.  18 U.S.C. § 1030(g).  As an employee of TripleTree, the Defendant was permitted to access the Company’s confidential information.  The court considered whether the Defendant’s malicious intent in accessing the information transformed an otherwise lawful act (using the Company’s computers) into a violation of the CFAA.Continue Reading Recent Case Highlights Circuit Split on Important Computer Fraud and Abuse Act Question

Earlier this month, the District Court for the Northern District of California addressed the scope of the Computer Fraud and Abuse Act (“CFAA”), drawing a firm line between causes of action based on improper access of an employer’s computer, and causes of action based on improper use of the employer’s data.  Because of the narrow view taken within the Ninth Circuit as to the scope of claims properly falling under the CFAA, the district court held that there was no viable claim under the CFAA.
Continue Reading Access v. Use: An Important Distinction in the Computer Fraud and Abuse Act

Last week, the Ninth Circuit  issued an important decision for employers in United States v. Christensen, No. 08-50531, 2015 WL 5010591, at *14 (9th Cir. Aug. 25, 2015). In that case, the Court of Appeals held that employees who misuse their access to their employers’ computer systems can be held criminally liable under California Penal Code § 502(c)(2). While many lower-court decisions within the Ninth Circuit had questioned the scope of Section 502(c) and certain of its sub-parts, and some considered it to be primarily an “anti-hacking statute,” the Ninth Circuit’s decision makes clear that § 502(c) applies even to an employee who accesses a database or system with a valid password, but proceeds to take, copy, or use data without permission to do so.
Continue Reading Access Denied — Christensen Sets the Standard for Violations of Penal Code § 502(c)

Congress continues to show interest in refining federal trade secret law to meet the challenges of the internet age. Two bills potentially impacting a company’s ability to protect its trade secrets have been introduced. The first, “Aaron’s Law Act of 2013,” seeks to resolve the Circuit split under the Computer Fraud and Abuse Act (CFAA)

In a blow to victims of data theft, the Ninth Circuit in United States v. Nosal held that the Computer Fraud and Abuse Act (CFAA) was not an available remedy where the alleged thief had authorized access to the computer system from which data was stolen. The Northern District Court of California’s recent decision in