The Computer Fraud and Abuse Act (CFAA) has become a powerful weapon in the trade secret litigator’s arsenal. An employee who accesses his or her employer’s computer files in the days or weeks before leaving for a competitor may find him or herself on the other end of a lawsuit in federal court charged with violating the CFAA, even if he or she had permission and a password to access the information. On April 10, 2012, the Ninth Circuit Court of Appeals issued its decision in United States v. Nosal, holding that the phrase “exceeds authorized access” should be afforded a narrow interpretation given that the purpose of the statute was to punish hacking and not the misappropriation of trade secrets. The court refused to apply the statute to persons who are allowed access to an employer’s computer system but use that access for some purpose contrary to the interests of the employer. In other words, the court limited the application of the CFAA to outside hackers, as opposed to employees who violate their employers’ computer usage policies.
Two recent federal district court decisions follow the reasoning of Nosal. In Dana Ltd. v. American Axle and Mfg. Holdgins, Inc., the District Court for the Western District of Michigan held that the defendants did not violate the CFAA when they accessed and copied their employer’s computer files prior to their resignation to go work for a competitor. The court did, however, hold that the deletion of original files by a current employee could violate the CFAA if the files were not available from some other source and the damage thresholds were met. In Wentworth-Douglass Hosp. v. Young & Novis Professional Ass’n., the District Court for the District of New Hampshire reconsidered an earlier denial of summary judgment and concluded that the CFAA did not apply to two hospital employees who had passwords to access their employer’s computer system, but who allegedly accessed the system for an impermissible purpose. Similarly, in a June 26, 2012, case out of the New York County Supreme Court, MSCI Inc. v. Jacob, the court held that the CFAA did not encompass misappropriation of information that the defendant lawfully accessed.
Until the issue finds its way to the U.S. Supreme Court, there likely will continue to be legal authority on both sides of this issue, although more and more courts seem to be taking a narrower approach to the CFAA. The U.S. Solicitor General has obtained a 30-day extension to file a petition for the U.S. Supreme Court to review the Nosal case.