Quick Hits
- The Third Circuit recently ruled that violations of employer computer access policies alone do not amount to federal CFAA violations.
- The ruling follows a “gates-up-or-down” approach, finding that employees do not exceed authorized access under the CFAA by accessing company systems, even if done for improper purposes or contrary to company policy, as long as employees are permitted to access those systems.
- The court further determined that account passwords by themselves are not considered trade secrets under federal or Pennsylvania law.
On October 7, 2025, the Third Circuit issued an amended precedential decision in NRA Group LLC v. Durenleau, adopting a “gates-up-or-down” approach to CFAA violations. The court found that when employees access company systems they are normally authorized to access, even if they do so in ways or for purposes that are not allowed, they do not exceed authorized access under the CFAA unless they “hack” into systems they are not permitted to access.
The case involved the conduct of two former employees of debt collector NRA. While out sick, one employee needed to access a document to submit a company license renewal by an impending deadline. The employee asked another employee to log into her work computer in the office and send her a spreadsheet with her work account passwords. The actions violated the employer’s computer-use policies.
NRA filed suit against the employees, alleging they violated the CFAA, Defend Trade Secrets Act (DTSA), and the Pennsylvania Uniform Trade Secrets Act (PUTSA). The two employees counterclaimed for sexual harassment, retaliation, and hostile work environment. The U.S. District Court for the Middle District of Pennsylvania granted the employees summary judgment and dismissed the claims against them.
Gates-Up-or-Down Inquiry
The Third Circuit affirmed the district court ruling, relying on the Supreme Court of the United States’ decision in Van Buren v. United States, which involved a police officer who ran a license plate search in the police department’s system in exchange for a bribe. In that case, the Supreme Court adopted a “gates-up-or-down inquiry” to determine whether an employee “exceeds authorized access” and looked at whether the employee “obtain[s] information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend,” rather than whether an employee misuses their access. The Supreme Court thus held that although the police officer accessed the law enforcement database for an improper purpose and violated department policy, he did not “exceed authorized access” in violation of the CFAA.
Similarly, in Durenleau, the Third Circuit ruled that the employees had not violated the CFAA because they accessed computer systems they were otherwise authorized to access, even though their method for accessing the information might have violated company policies. The appellate court found it significant that the employees did not take action to circumvent security barriers or “hack” systems to access the information. In other words, “the gates of the access were ‘up’ for both women,” the Third Circuit stated.
In reaching this conclusion, the Third Circuit rejected arguments from the employer that the employees had violated the CFAA when one employee asked another employee to access her computer in violation of the employer’s workplace computer-use policy. The appellate court pointed out that both employees had access to the employer’s computer system. “[T]he gates were up, even if the road signs—the NRA policies—all told the women to stop and turn around,” the court wrote.
Potential Criminalization of Commonplace Workplace Policies
Notably, the Third Circuit also found it significant that the CFAA imposes both civil and criminal penalties. The court called the implications of NRA’s argument “breathtaking” because it would allow employer policies to set the contours of federal criminal law, and potentially expose millions of employees to criminal liability for technical violations of workplace policies.
“Instead, we hold that, absent evidence of code-based hacking, the CFAA does not countenance claims premised on a breach of workplace computer-use policies by current employees,” the Third Circuit stated. The court suggested that such disputes are better handled through causes of action alleging breaches of contract or business torts, fraud, or negligence.
Passwords as Trade Secrets
Further, the Third Circuit affirmed the district court’s finding that the employee’s account passwords were not trade secrets under the DTSA and PUTSA because they did not have “independent economic value.” The appellate court noted that the employer had “not alleged that its passwords [were] the product of any special formula or algorithm that it developed.” The court reasoned that while the information or databases that the passwords protected might have contained protected trade secrets, the passwords themselves did not include any information that could be considered a trade secret.
Next Steps
The Third Circuit’s decision in Durenleau reaffirmed that violations of workplace computer-use policies do not amount to violations of the CFAA, and that employees who are permitted to access a company’s computer system do not exceed their authorized access under the CFAA simply by violating company policies. As a result, employers may not be able to rely on the CFAA to protect their computer systems and databases from employee misuse.
Employers should consider periodically reviewing their information technology (IT) access protocols to prohibit employees from accessing systems and information that they do not need to access. Such measures are consistent with cybersecurity best practices and are reasonable steps to safeguard the secrecy of trade secrets. Because an employee’s compliance with computer access and usage policies still has significance for a variety of employment claims, employers should consider ensuring that computer access and usage policies are communicated to and agreed to by employees.
Additionally, the Third Circuit decision indicated that passwords protecting proprietary business information are likely not considered trade secrets under federal or Pennsylvania law because they do not have independent economic value. Still, the proprietary information that is guarded by passwords can continue to qualify as a trade secret, even if a protective password might not.
Ogletree Deakins’ Cybersecurity and Privacy and Unfair Competition and Trade Secrets practice groups will continue to monitor developments and will provide updates on the Cybersecurity and Privacy, Pennsylvania, and Unfair Competition and Trade Secrets blogs as additional information becomes available.