CFAA – Confidentially Yours or Mine?

Confidentially, how good is your NDA –  the Non-Disclosure Agreement you have your employees sign periodically? For the time being, it appears better to be in New England to protect your private data where the U.S. 1st Circuit Court of Appeals has upheld legal protections under federal law. In the Pacific Northwest –  the 9th Circuit Court of Appeals, with worse weather, data protection is under a cloud. We key in today on the Computer Fraud and Abuse Act (CFAA) providing for criminal and civil penalties for an employee “knowingly and with the intent to defraud” accessing “a protected computer without authorization, or exceeds authorized access, and by means of such conduct” furthering “the intended fraud and obtains anything of value.” As Massachusetts Lawyers Weekly (MLW) reported  a 9th Circuit decision that damaged an arrow often used by employers to target employees who use confidential information from company computer systems.

The value of a claim under the act is that injunctive relief may be available to stop former workers from using improperly accessed information for their own benefit and to the detriment of the employer, said Amy K. Jensen, a  San Francisco attorney

“That may give the employer some recourse” when a contract claim may not, Jensen said. (Kimberly Atkins – MLW 6/7/2012)

The U.S. Court of Appeals for the Ninth Circuit made employer lawsuits more difficult in their circuit with its United States v. Nosal decision. The Ninth Circuit decided that an employee, when accessing information in a computer, does not violate the CFAA when he or she violates an employer’s computer use restrictions.  We note, by the way, that it was the CFAA that caused much criticism of its abuse by the U. S. Attorney in the prosecution of MIT hacker Aaron Swartz who was indicted under the Act when he sadly committed suicide.  Some brand the Act a notoriously broad statute enacted by Congress seemingly to criminalize use of a computer out of proportion to many offenses.

As Harvard Law School Internet scholar Lawrence Lessig has written for The Atlantic: “For 25 years, the CFAA has given federal prosecutors almost unbridled discretion to bully practically anyone using a computer network in ways the government doesn’t like.”

If you are an employer in the New England area, however, the 1st Circuit Court of Appeals concluded that contracts creating restrictions may serve as the basis for claims for “damage or loss” meeting the $ 5,000 threshold under the CFAA.  It granted the employer the right to sue under the act when employees use  access it for improper purposes in violations of the NDA they signed while at their former employer. EF Cultural Travel v. Explorica Inc, 274 F.3d 577 (1st Cir., 2001)

The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

Penalties for violating the CFAA include fines and imprisonment, with the term varying with severity and number of violations with a maximum length ranging from a year to many years in the most severe cases.

The Fourth Circuit recently asked the Supreme Court to review recent cases and help define the law. The U.S. Supreme Court’s denial of certiorari, basically meaning that it was not ready to look at it, has left the scope in cyberspace! While New England certainly favors employers for the time being, other circuits are not so protective of data but more so of individuals.  We will closely watch the CFAA in the future.

Massachusetts has its own criminal access statute but with penalties of 30 days in jail or a $ 1,000 fine. See G. L. Ch. 266, Sec. 120F, Unauthorized access to computer systems.

Leave a Reply