Another court has rejected the broader interpretation of the Computer Fraud and Abuse Act (“CFAA” or “the Act”) as applying to employees who exceed their authorized use. A recent decision in Minnesota highlights the issue of whether the Act imposes civil liability on employees who have permission to access their employers’ data, but do so with a wrongful purpose. See TripleTree, LLC v. Walcker No. 16-609, 2016 WL 2621954 (D. Minn. May 6, 2016).
The court considered this question in the context of a trade secrets case. A former employee of TripleTree, an investment banking company, was discovered to have accessed the Company’s confidential information and to have engaged in a series of suspicious activities just prior to leaving the Company for a competitor. Id. at *1. TripleTree filed claims against its former employee for, among other things, violating the CFAA and the Minnesota Uniform Trade Secrets Act. Id. at 2.
The court sua sponte considered whether it should dismiss TripleTree’s CFAA claim. Id. at *3. The CFAA sanctions a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from a protected computer.” 18 U.S.C. § 1030(a)(2)(c). Any person who suffers from a violation of the Act may bring a civil claim for damages. 18 U.S.C. § 1030(g). As an employee of TripleTree, the Defendant was permitted to access the Company’s confidential information. The court considered whether the Defendant’s malicious intent in accessing the information transformed an otherwise lawful act (using the Company’s computers) into a violation of the CFAA.