CFAA Overbreadth: Employee-Employer Issues

The CFAA was created with hackers in mind, yet it has been increasingly used by companies to file civil actions against ex-employees. Subsection (g) provides civil remedies for “any person who suffers damage or loss by reason of a violation of this section.” Since the 1996 amendments, the CFAA now reaches virtually any computer and also applies to “insiders” working within a company or organization.

Especially with regard to employer-employee relations, the ambiguity of “authorized access” puts any employee with access to a company computer at risk of being accused of violating the CFAA. When does an employee’s access become authorized, and who gives this authorization? Courts have looked at authorization through three major interpretations: agency-based, code-based, and contract-based. (See Field, Katherine Mesenbring, “Agency, Code, or Contract: Determining Employees’ Authorization Under the Computer Fraud and Abuse Act,” 107 Mich. L. Rev. 819 (2009)) The agency-based interpretation is found in Shurgard Storage Ctrs. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (2000). The court looked at agency, using the Restatement of Agency’s definition that “the authority of an agent terminates if, without knowledge of the principal, [the agent] acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” In Shurgard, the employee in question, while still employed, sent proprietary information to a rival company that had just offered the employee a job. (id. at 1123) Although the employee was still employed at Shurgard Storage, employment alone did not imply authorization; rather, whether the employee was an agent served as the standard. (id.)

An alternative interpretation is code-based, or “intended function.” This looks at authorization based on computer-code-based protections or the permitted scope of use of the computer. (Field at 825) This interpretation is used in Lockheed Martin Corp. v. Speed, 81 U.S.P.Q.2D (BNA) 1669. In this case, Speed, a Lockheed employee with “complete access” to a specific piece of information, copied the documents relating to that information onto a CD. (id. at 3) The court criticizes the agency interpretation used in Shurgard because it deems that “the plain language of the statute is sufficient to interpret [“without authorization”]” and that extrinsic materials (such as the Restatement of Agency) need not be considered. (id. at 12) The court then continues into a more code-based interpretation by affirming that Lockheed permitted employees to access company computers, and in particular the specific piece of information at issue. Thus, the court looked at what range of information the employee had access to, and whether or not the employee went outside that scope. Because Speed, at the time of copying the files, was simply accessing files he was already allowed to access, he was found to be acting within authorization. (id. at 28)

The final interpretation is a contract-based one, defining an employee’s scope of authorization by what is written down in contracts or employment handbooks. (Field at 827) In Westermeier on Using the Computer Fraud and Abuse Act against Former Employees (2009 Emerging Issues 4206), it is suggested that the best practice for employers to reach employees who misuse information stored on company computers is to “modify employment agreements to define the employee’s authorized scope of access to the employer’s business information stored on the employer’s computer systems. This definition should be made with the CFAA definition of ‘exceeds authorized access’ in mind.” (id.) This is consistent with a contract-based approach; however, the majority of courts employ either a code-based or agency-based interpretation. (Field at 829) Nonetheless, contract-based interpretation could gain strength when compounded with code-based interpretations, as written agreements on scope directly contribute to finding “intended function.”


~ by alyssaufl on January 11, 2010.

One Response to “CFAA Overbreadth: Employee-Employer Issues”

  1. […] Originally intended to combat hackers, the CFAA has now expanded, with each amendment, to reach employees accessing files on company computers and accessing of open wireless access points without express permission. However, despite its […]
