The Computer Fraud and Abuse Act (CFAA) was enacted by Congress in 1986 as a response to the emergence of computer crimes. In the employment context, when an employee leaves, it is often claimed that the employee took computerized materials with them and violated the CFAA.
The United States Supreme Court recently narrowed the applicability of the CFAA. Prior to this decision, some courts interpreted it to apply where a person who had authority to access computer information did so for an unauthorized purpose (oftentimes when an employee has taken information for use in his or her next job). A stricter interpretation of the statute disregarded a person’s motivation for accessing the computer information and asserted that it only mattered that the person had exceeded their authority to access the information.
The decision rendered by the United States Supreme Court clarified that the issue is one of access, not intent. If one is authorized to enter only certain areas of the computer, any act by which they enter an unauthorized area may be a violation of the CFAA, irrespective of intent. It is no longer relevant for the purposes of liability that an employee obtained information for an unlawful purpose. The employer must now show that, in obtaining the computer information, the employee accessed a computer that they were not permitted to access or, alternatively, accessed an area of the computer that they were not authorized to access. This decision significantly narrows the scope of the Computer Fraud and Abuse Act’s applicability. It also, importantly, gives definition to the applicability of the CFAA, which has both criminal and civil penalties for violations.