There is a split in the US Appellate Courts about the application of the Computer Fraud and Abuse Act (CFAA). 18 USC §1030. The CFAA creates civil and criminal penalties for accessing a computer “without authorization,” or “exceeding authorized access.” When Congress enacted this law in 1984, it intended to apply the CFAA to computer hackers. Penalties can be a fine, or even jail time. 18 USC 1030(c). For example, in the case of United States v. Morris, 928 F.2d 504 (1991), Robert Morris created a “worm” that could slow down a computer once infected. He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the cost of his supervision.
However, employers have tried to apply it to its employees who allegedly misuse proprietary information. In essence, arguing that although they had authorized access to the information, that the employee’s use of that information exceeded the scope of the authorization.
The result is that there is a split in the US Courts. The First, Fifth, Seventh and Eleventh Circuit Courts of Appeals which cover Maine, Massachusetts, New Hampshire and Road Island; Lousianna, Mississippi and Texas; Illinois, Indiana and Wisconsin; and Alabama, Florida and Georgia, respectively, have held that employers can bring civil suits against their former employees under the CFAA. For examples, see United States v. John, 597 F.3d 263 (5th Cir. 2010), Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), and United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
However, the Fourth Circuit (Virginia, West Virginia, Maryland, North Carolina, and South Carolina) and Ninth Circuit (California, Oregon, Washington, Arizona, Montana, Hawaii, Idaho, Alaska, Nevada, Guam & Northern Mariana Islands) Courts of Appeals disagree holding that such an employee may be misusing the information, but nonetheless had authorized access to it, and as a result the CFAA does not apply. For examples, see United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) and WEC Carolina Energy Solutions, LLC v Miller, et al., Case No.11-1201 (4th Cir. 2012).
The result is either Congress will need to amend the law again, or the US Supreme Court will need to take a case clarifying the matter. This is of importance because all employers and employees are affected by it, and there is potential criminal liability. Also, Bradley Manning has been indicted for violations of the CFAA (among other things). So there could be a very interesting showdown between the well-reasoned, compassionate positions of the Fourth and Ninth Circuits versus the perceived desire of the government to throw the book at Bradley Manning.
For now, however, whether you live in those Circuits applying CFAA to employees or not, it is much wiser to simply have a good employee contract and/or confidentiality agreement that prohibits misuse of proprietary information.