Privacy and Security Law Blog

Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

Joins Recent 9th Circuit Decision Narrowly Construing the Law

By Ronnie London

The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access.  In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here.  As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.

The CFAA is primarily a criminal statute intended to deter computer hackers, though it permits civil actions by private parties damaged as a result of a violation (assuming they incur sufficient injury).  It generally prohibits intentionally or knowingly accessing a computer without authorization or exceeding authorized access in a variety of contexts, including those involving government computers, attempts to defraud to obtain something of value, and/or causing damage or loss to the computer or its data.

In WEC, the company alleged former employee Miller, and/or his assistant, either of their own volition or at the behest of a WEC competitor that Miller later joined, downloaded confidential WEC documents, which were then emailed to Miller’s personal e-mail address.  WEC also alleged Miller and his assistant downloaded confidential information to a personal computer.  Soon after leaving WEC, Miller reportedly used the downloaded information to make a presentation on behalf of WEC’s competitor to a potential WEC customer.

Largely following the en banc 9th Circuit decision in Nosal, the 4th Circuit held that violations by Miller (and/or his assistant) of WEC’s policies on access to and use of company confidential information could not form the basis of CFAA liability.  Like the 9th Circuit, the WEC court “reject[ed] any interpretation that grounds CFAA liability on a cessation-of-agency theory.”  Such liability, the 4th Circuit agreed, could too broadly impose liability for any employee use of company computers that veered outside his employer’s permissible use policy.  As the court noted:  “Although an employer might choose to rescind an employee's authorization for violating a use policy, we do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic.”

The 4th Circuit also noted that because its analysis involved the CFAA, a statute that has both civil and criminal applications, “special attention” was warranted as any interpretation would apply uniformly in both contexts.  The court thus followed the canon of strict construction of criminal statutes, i.e., the “rule of lenity” under which, to provide fair warning of what a law intends if a certain line is crossed, interpretations not “clearly warranted” by its text are avoided.  Ultimately, in the same manner as the 9th Circuit, the court in WEC refused to make the CFAA a vehicle for employers hoping to rein in rogue employees, especially given other legal remedies that exist; otherwise it would transform a statute meant to target hackers into a means for imposing liability on workers who access computers in bad faith or disregard use policies.
 

Trackbacks (0) Links to blogs that reference this article Trackback URL
http://www.privsecblog.com/admin/trackback/283375
Comments (0) Read through and enter the discussion with the form at the end
Davis Wright Tremaine LLP
Anchorage
188 West Northern Lights Blvd.
Suite 1100
Anchorage, AK 99503-3985
Phone:
(907) 257-5300
San Francisco
505 Montgomery Street
Suite 800
San Francisco, CA 94111-6533
Phone:
(415) 276-6500
Bellevue
777 108th Avenue NE
Suite 2300
Bellevue, WA 98004-5149
Phone:
(425) 646-6100
Seattle
1201 Third Avenue
Suite 2200
Seattle, WA 98101-3045
Phone:
(206) 622-3150
Los Angeles
865 South Figueroa Street
Suite 2400
Los Angeles, CA 90017-2566
Phone:
(213) 633-6800
Washington, D.C.
1919 Pennsylvania Avenue, NW
Suite 800
Washington, D.C. 20006-3401
Phone:
(202) 973-4200
New York
1633 Broadway
27th Floor
New York, NY 10019-6708
Phone:
(212) 489-8230
Shanghai
Suite 701-704
Two International Finance Centre
8 Century Avenue, Pudong District
Shanghai 200120 P.R. China
(011) 86-21-6279-8560
Portland
1300 SW Fifth Avenue
Suite 2300
Portland, OR 97201-5630
Phone:
(503) 241-2300
Attorney Advertising.

Prior results do not guarantee a similar outcome.