[co-author: Ayah Moshet]
What can an employer do when its employee accesses data in a way that violates company policy? In the past, one avenue for relief was the Computer Fraud and Abuse Act (CFAA), a federal statute that creates the potential for both civil and criminal liability for individuals who “intentionally accesses a computer without authorization or exceeds authorized access.” CFAA, 18 U.S.C. § 1030(a)(2). Because it is a federal statute, the CFAA opens the doors to the federal courts to litigate these types of disputes.
Recently, the Third Circuit Court of Appeals continued the trend of narrowing the scope of potential liability under the CFAA. Building on the U.S. Supreme Court’s 2021 decision in Van Buren v. United States – discussed in our prior blog post, Supreme Court Narrows Liability Under the Computer Fraud and Abuse Act (June 7, 2021) – the Third Circuit in NRA Group, LLC v. Durenleau, answered whether an employee can be held liable under the CFAA for accessing her employer’s computer system in violation of workplace policies by sharing her credentials with a different employee. The answer: No; the CFAA is not meant to provide a remedy for workplace policy violations.
Relying on Van Buren’s “gates-up-or-down” approach, the Third Circuit explained that an employer has granted and thus authorized access to a computer when the employer approves or sanctions use of the computer. Although company policy may prohibit access in certain ways—such as remotely or by using a colleague’s login credentials—if the employee was granted access to the computer, merely violating company policy does not constitute exceeding authorized access. This view, the Third Circuit explained, is consistent with the narrow construction of the CFAA required by the Supreme Court since the statute creates the potential for not only civil, but also criminal liability. The Court expressed disfavor toward criminal penalization for common violations of employer guidelines and policies or the “federalization” of “a range of disputes that have traditionally been within the purview of state law.”
With its decision in NRA Group, employers in the Third Circuit (New Jersey, Pennsylvania, and Delaware)—as well as many other circuits throughout the country—are unlikely to find relief under the CFAA against employees that have violated contracts or policies in accessing company data. There are other remedies available, typically traditional state-law claims like breach of contract, business torts, fraud, and negligence, which, absent some other federal claim or basis for federal jurisdiction, will be litigated in state courts.
