Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"
Joins Recent 9th Circuit Decision Narrowly Construing the Law
The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access. In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here. As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.
The CFAA is primarily a criminal statute intended to deter computer hackers, though it permits civil actions by private parties damaged as a result of a violation (assuming they incur sufficient injury). It generally prohibits intentionally or knowingly accessing a computer without authorization or exceeding authorized access in a variety of contexts, including those involving government computers, attempts to defraud to obtain something of value, and/or causing damage or loss to the computer or its data.
In WEC, the company alleged former employee Miller, and/or his assistant, either of their own volition or at the behest of a WEC competitor that Miller later joined, downloaded confidential WEC documents, which were then emailed to Miller’s personal e-mail address. WEC also alleged Miller and his assistant downloaded confidential information to a personal computer. Soon after leaving WEC, Miller reportedly used the downloaded information to make a presentation on behalf of WEC’s competitor to a potential WEC customer.
Largely following the en banc 9th Circuit decision in Nosal, the 4th Circuit held that violations by Miller (and/or his assistant) of WEC’s policies on access to and use of company confidential information could not form the basis of CFAA liability. Like the 9th Circuit, the WEC court “reject[ed] any interpretation that grounds CFAA liability on a cessation-of-agency theory.” Such liability, the 4th Circuit agreed, could too broadly impose liability for any employee use of company computers that veered outside his employer’s permissible use policy. As the court noted: “Although an employer might choose to rescind an employee's authorization for violating a use policy, we do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic.”
The 4th Circuit also noted that because its analysis involved the CFAA, a statute that has both civil and criminal applications, “special attention” was warranted as any interpretation would apply uniformly in both contexts. The court thus followed the canon of strict construction of criminal statutes, i.e., the “rule of lenity” under which, to provide fair warning of what a law intends if a certain line is crossed, interpretations not “clearly warranted” by its text are avoided. Ultimately, in the same manner as the 9th Circuit, the court in WEC refused to make the CFAA a vehicle for employers hoping to rein in rogue employees, especially given other legal remedies that exist; otherwise it would transform a statute meant to target hackers into a means for imposing liability on workers who access computers in bad faith or disregard use policies.