November 30, 2020

Computer Fraud and Abuse – Is it About Access or Use?

I must admit, this law was not on my radar: the Computer Fraud and Abuse Act (CFAA). But I recently read two articles published by SHRM about lawsuits filed by employers under the Act. One is being heard by the U.S. Supreme Court. Ponder this.

You have a policy that prohibits employees from unauthorized access, use or disclosure of any of your electronic communications systems, including information or data contained therein. You fire an employee for violating your policy, or the employee violates your policy and then quits. It is what happens next that is at the heart of this issue. It is not about whether the employee violated your policy. That’s clear. But what if the employee was authorized to access your system and the information, like your HR or payroll administration, but the employee disclosed some data or information from your system to a competitor? The access was authorized but the use was not. So, if you sued the (now former) employee for violating the CFAA, would you win? It depends (no surprise, right?).

The courts are split.  Some interpret the CFAA to address only unauthorized access. Others interpret the CFAA to also include unauthorized use of the information obtained through unauthorized access.  The article about the 6th Circuit case reported the court followed the former rule, agreed with the lower court, and found in favor of the former employees.  The article about the case before SCOTUS reports the case was heard on November 30th and a decision is currently pending.

Stay tuned.  Unlike most employment issues and cases, the SCOTUS decision may or may not impact how you draft your related policies. It will clarify your right to take legal action under the CFAA against an individual who accesses your computer systems and uses that information without your authorization.