
    Narrow Fourth Circuit Reading Hampers Cybersecurity

    January 03, 2013, 03:33 PM

    In July of 2012, the Fourth Circuit joined the Ninth Circuit in adopting a narrow reading of one of the principal statutory tools for combatting computer and cybercrime, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, broadening a split among courts of appeal in interpreting the reach of the statute. In late October, the unsuccessful appellant in the Fourth Circuit, WEC Carolina Energy Solutions, LLC, filed a Writ of Certiorari in the hope that the Supreme Court will reverse the court of appeals and resolve the split in authority. The crux of the issue is when an employee exceeds his authority in violation of the CFAA by accessing his employer’s computer and obtaining data for improper means, such as for a new employer’s benefit. The CFAA is primarily a criminal statute, but it also includes a private cause of action. It provides, in part, that:

    (a) Whoever . . . (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . (C) information from any protected computer . . . [or] (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . may be criminally and civilly liable under the statute.

    The Act defines the expression “exceeds authorized access” as meaning “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The expression “protected computer” is defined very broadly, including, inter alia, any computer “which is used in or affecting interstate or foreign commerce or communication.”

    The CFAA has advantages as a cybersecurity enforcement tool not only because of its breadth but also because it does not require proof of ownership or commercial misappropriation of trade secrets or other proprietary information. In WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), the court of appeals held that Miller, a former WEC employee, did not violate the CFAA when he accessed the company’s system and downloaded confidential company information that he then used on behalf of his new employer. It reasoned that WEC confidentiality policies limited use of information, not employees’ access to computer systems. Drawing on the principle that criminal statutes should be construed narrowly, it read the expressions “without authorization” and “exceeds authorized access” as applying solely to access to a company’s protected computers, and not to any restrictions on how accessed information is then used. In doing so, it adopted an interpretation of the CFAA similar to that of the Ninth Circuit in its en banc decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).

    Other courts of appeal take a broader view. The Seventh Circuit reasoned that an employee accessing a computer for improper purposes violates his duty of loyalty to the employer and thus loses all authorization to act as its agent, such that access is “without authorization.” With perhaps simpler reasoning, the Fifth and Eleventh Circuits have found CFAA violations, reasoning that an employee’s authorization for access to a system necessarily is defined and limited (by employer policy or otherwise) by permitted purposes or uses. For example, a policy that an employee may use confidential information only for company business necessarily limits the employee’s authorization to access that confidential information for disclosure to a new employer. Still other courts have found CFAA violations where employees accessed systems and used information without a legitimate business purpose, though not clearly in violation of employer policies.

    Cybersecurity is a major challenge of the day. We now read reports with frequency about company or government systems being hacked and personal information being stolen. Experts in the field insist the public learns about only a small fraction of these incidents. No one wants to publicize security weaknesses, as doing so can undermine confidence among investors and customers as well as invite additional attacks. The importance of the issue, therefore, may prompt the Supreme Court to take up the issue. In the meantime, companies and institutions in the jurisdiction of the Fourth Circuit can best enhance their prospects for recourse under the CFAA by fashioning company policies that define access rights, as clearly and expressly as possible, in terms of the purpose of use and, where practical, that limit both the methods by which an employee may access systems and the servers and databases the employee is authorized to access.

    Christopher J. Mugel practices intellectual property law from Kaufman & Canoles’ Richmond, Virginia office.