Consider this scenario: Your Human Resources Manager decides to leave your employ but, before she announces her decision, she copies all of the company’s policies, forms, and even confidential salary data. She emails herself copies of these files and saves them on a flash drive, which she takes with her when she leaves on the last day. You discover the theft after she’s left and are horrified. What recourse do you have?
Part of the answer will depend on your jurisdiction. In certain jurisdictions, employers may be able to use a law called the Computer Fraud and Abuse Act (CFAA) to fight back against disloyal employees. The CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” in certain circumstances. A recent decision by the Eleventh Circuit Court of Appeals is an important one for employers not only in the states within the 11th Circuit but also for employers in states, like Delaware, where their circuit court of appeals (in our case, the Third Circuit), has not yet ruled on the application of the CFAA to the employment-law context.
Roberto Rodriguez worked for the Social Security Administration (SSA) and had access to the SSA’s databases as part of his job duties. The SSA’s policy prohibits its employees from using the databases for non-business reason. Rodriguez violated this policy when he looked up personal information about various women that he knew and had met. He looked up his ex-wife’s earnings history and the address of a woman he met at a church study group to send her flowers on Valentine’s Day. Rodriguez was found guilty on 17 counts of violating the CFAA.
On appeal, Rodriguez argued that he did not violate the CFAA because, at all times, he had been authorized to access the databases. Thus, he argued, he could not be guilty of “intentionally accessing a computer without authorization.” Although this argument may have worked, he could not avoid the second theory available under the CFAA—that he had “exceeded authorized access.” The CFAA defines this as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.”
The 11th Circuit upheld the conviction under the second prong, finding that Rodriguez exceeded his authorized access and violated the CFAA when he obtained personal information for a nonbusiness reason. In other words, the court concluded that, although Rodriguez had authority to access the database at the time he looked up the women’s personal information, he exceeded that authorization when he violated his employer’s policy and accessed the database for reasons beyond the scope of the authority he’d been given.
This is an important decision for employers because it approves an interpretation of the CFAA whereby employees who misuse their access to their employer’s computer network constitutes a violation of the law.
United States v. Rodriguez, No. 08-16696 (11th Cir. Dec. 27, 2010)
See also Computer Fraud and Abuse Act: Government to the Rescue of Employers?
Putting the CFAA to Use, TV Style