The scholarship and divergence of opinion on the Computer Fraud and Abuse Act's reach has become so pervasive that the issues no longer seem as complex as they once did.
Most practitioners still are not familiar with the CFAA, and since it's buried in the criminal code, civil litigators shouldn't have much reason to learn the statute's intricacies. But since it's a federal statute that has criminal and civil reach, the CFAA occupies a somewhat unique place for trade secret and non-compete litigators. In essence, the CFAA can serve as the jurisdictional hook to get competition cases into federal court.
The statute is densely worded and a patchwork of amendments. But for simplicity it enables an employer to pursue a civil cause of action if an ex-employee took information out of a protected computer (essentially anything hooked to the internet) and caused damage or loss. There are permutations to the various sub-sections, but that's the CFAA's civil reach in a nutshell.
I wrote recently about another CFAA case that arose in the employment context, which I felt crystallized the deep split among courts about how to apply the statute when insiders access information to use it contrary to their employers' interests. The issue comes up often because it is easy to misappropriate information out of computers, and at least half of trade secret defendants get tripped up through electronic evidence.
But the actual language of the CFAA is not easy to apply. In the employment context, one can use it against an employee who access a computer "without authorization" or in a manner that "exceeds authorized access." This raises the question - not easily solved - of whether an employee who has the ability to access corporate information, but who intends to misuse it, really has violated the CFAA at all.
The case of American Furukawa, Inc. v. Hossain, 2015 U.S. Dist. LEXIS 59000 (E.D. Mich. May 6, 2015), provides a clear illustration of all the CFAA issues that crop up in employment cases. They include allegations of improper downloading of files to an external drive, planned competition, questionable conduct on the employee's part around the time of departure, and then the fortuitous discovery of actual competition through a misdirected e-mail. (Yes, auto-fill is a boon to the plaintiff's bar.)
With those allegations, the court allowed the CFAA claim to persist, even disagreeing with other courts within the same judicial district. In essence, the court gave deference to limitations the employer placed on computer access, use, and purpose. It held that the misuse of information in violation of policy or contractual limitations can give rise to an "exceeds authorized access" claim. Succinctly put, the court stated "such explicit policies are nothing but 'security measures' employers may implement to prevent individuals from doing things in an improper manner on the employer's computer system."
The opinion itself is notable for its harsh criticism of the decision in United States v. Nosal, a decision out of the Ninth Circuit that takes a very narrow interpretation of the CFAA and its "access" language. In fact, in several places, the district court cited the government's brief before the Ninth Circuit, in which it argued for a broad access definition. The case provides an interesting survey of the law surrounding the circuit split in the CFAA. And it further underscores the need for legislative reform or (less likely) a case to make its way to the Supreme Court.