Sign In

Article Information

  • When Circuit Breakers Trip: Restetting the CFAA to Combat Rogue Employee Access

    This article focuses on the narrow question of whether the Computer Fraud & Abuse Act (18 U.S.C. § 1030 et. seq) should be available to a private-sector employer as a vehicle to litigate classic employee business information theft, sabotage, economic espionage or misappropriation cases when such employee’s conduct does not result in damage to the employer’s electronic system, a computer’s circuitry or programming, or interruption of service. The current circuit split regarding the construction and application of the CFAA’s access authorization provisions to employment cases has meant that an employer’s likely recovery under the statute depends in most instances upon factors external to the employee’s alleged conduct and more on whether and to what extent the court in a particular jurisdiction is willing to voyage into the subjective mindset of the employee during the alleged conduct. After examining the legislative history of the CFAA, this article argues that the original intent of Congress was to target outside hackers, and employees of the company were not originally contemplated within the reach of the statute. However, as computer crimes became more sophisticated, Congress took steps to increase protection for owners of commercial information by factoring employee access into the CFAA provisions, albeit without crafting the amendments properly. Further, the article explains the theoretical underpinnings of the circuit split and argues that the split reflects divergent views on how to apply theories of contract, agency, and code-based approaches to the concept of “authorization” within the cyber security and computer information system context. While proffering a draft amendment to the statute, this article concludes by urging law makers or courts to 1) eliminate or exempt the “exceeding authorization” analysis when applying the statute to classic employee misappropriation cases; 2) end inquiries that focus on the employee’s subjective intent at the time of the access or the employee’s subsequent use of the information obtained; and 3) focus strictly on the unauthorized nature of the employee’s intrusion upon the employer’s protected computer information – Under this approach, the employer’s inability to prove an employee’s breach of explicit contractual prohibition or a trespass of system code would constitute an automatic bar to recovery under the statute.