Hacking into Federal Court: Employee “Authorization” Under the Computer Fraud and Abuse Act

Thomas E. Booms · 13 Vand. J. Ent. & Tech. L. 543

Abstract

Few would disagree that computers play an important role in modern United States society. However, many would be surprised to discover the modest amount of legislation governing computer use. Congress began addressing computer crime in 1984 by enacting the Computer Fraud and Abuse Act (“CFAA”). The CFAA represented the first piece of federal legislation governing computer crimes and has undergone eight amendments to date, making it one of the most expansive criminal laws in the United States. In 1994, Congress added a civil provision opening the door for application of the statute in novel situations. Although the statute was initially enacted to target crimes committed by “hackers,” the most common type of CFAA case in recent years involves claims brought against disloyal employees. The typical fact-pattern involves an employee who uses his work computer to misappropriate confidential or proprietary business information from his current employer to start a new business venture or join a competitor. Applying the CFAA to this common situation has resulted in a split of authority regarding the interpretation of “authorization,” an undefined predicate for liability under the statute. Some courts have construed the term narrowly, holding that an employee’s misuse or misappropriation of an employer’s business information is not “without authorization” so long as the employer has given the employee permission to access such information. Others have construed the term broadly, holding that an employer has a cause of action when an employee obtains business information with disloyal intent for the employee’s own benefit or that of a competitor, regardless of whether the employer granted permission to access the information.

This Note examines the CFAA’s history and analyzes the benefits of seeking relief under the CFAA compared to alternative claims. It also discusses the judicial color given to the term “authorization,” looking at the rationales behind each approach and focusing on emerging trends in the employer-employee context. Additionally, it examines past Supreme Court cases in an effort to predict how the Supreme Court will ultimately resolve this issue. The Note concludes by proposing that the Supreme Court adopt a narrow interpretation of “authorization,” and hold that an employee does not violate the statute by acquiring interests adverse to those of his employer when the employee accesses information with his employer’s permission.