“Authorization” and “Transmission” — Interpretations of the Computer Fraud and Abuse Act

While initially conceived in 1984 to punish hackers and safe guard classified financial and credit information relating to government and financial institutions, the Computer Fraud and Abuse Act (the “CFAA”) has evolved over the past two decades to reflect emerging technology in the areas it was created to protect. Specifically, the CFAA affords employers civil remedies which can be applied to workplace and unfair competition disputes by (1) providing employers with federal court jurisdiction over such disputes and (2) allowing employers to bring a CFAA claim without proving that the information fraudulently acquired was a trade secret, constituted confidential or proprietary information or breached an employment contract, confidentiality agreement or non-compete agreement.

Section 1030 of the CFAA offers the right to injunctive relief and damages where a former employee “without authorization” has accessed a company’s computer network in order to abscond with proprietary information and documents or interfere with relationships between the company and its customers or suppliers. Traditionally, the courts have simply required companies to prove that a defendant intentionally accessed a protected computer without authorization and as a result of such conduct intentionally, recklessly or otherwise caused damage through the transmission of a program, code or command causing at least $5,000 in losses. While the burden of proof may seem minimal, there is a growing debate regarding what constitutes “without authorization” or “transmission”.

What constitutes “authorization”?
Some courts have held that an employee’s authorization to access its employer computer system ceases or is exceeded when that employee engages in conduct intended to benefit a new employer. Other courts have developed an even broader interpretation of “unauthorized access” stating that any time an employee acts other than in his employer’s best interest in accessing an employer’s computer system such authorization is without access. However, at least one recent court decision went against this precedent and declined to find an employee lost permission to access a company’s computer system when the employee accepted employment with another company

In Lockheed Martin Corp. v. Kevin Speed, three Lockheed employees downloaded and copied data files just prior to leaving the company to begin employment with a rival company who was competing with Lockheed for a government contract. The court stated that “the gist of Lockheed’s complaint is aimed not so much as the employees’ improper access of the… information, but at the employees’ actions subsequent to their accessing the information.” Since Lockheed permitted the employees to have access to the specific information that was at issue, the court ruled that the CFAA was inapplicable. In light of this interpretation, cautious employers should seek to limit their employees’ “authorization” by including provisions in the company’s computer usage policies that clearly prohibit the use of the network for purposes adverse to the interests of the company. As always, obtaining written acknowledgements from employees whereby they expressly agree to abide by such policies is also strongly recommended.

What constitutes “transmission”?
It is a violation of the CFAA if a former employee knowingly causes the transmission of a program, information, code, or command and as a result of such conduct, intentionally causes damage without authorization to a protected computer. Specifically, in International Airport Centers v. Citrin, the 7th Circuit Court of Appeals ruled that a violation of the CFAA occurred when an employee permanently erased files from his company laptop computer using a secure erasure program downloaded from either the Internet or a CD. In so finding, the court broadened the interpretation of “transmission” to include programs that come in physical media such as a floppy disk or CD. While the employer in International Airport Centers successful argued that the employee’s authorization to use the computer was effectively terminated when he violated his employment agreement, the judge stressed that even if the employee had retained legitimate authorization, it is unlikely that the company would have authorized destruction of data that was unrecoverable.

As with all law as applied to continually evolving technologies, the courts will continue to refine their interpretation of the CFAA in the employment context. While the CFAA conceivably offers a company another option to recover damages in an unfair competition dispute, cautious employers should attempt to define some of the ambiguous terms in the CFAA such as “authorization” and “transmission”, incorporating such definitions into the company’s information and technology systems policies.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.