Fourth Circuit Joins Courts Limiting Employers' Use Of The Computer Fraud And Abuse Act To Prosecute Disloyal Employees

The federal Computer Fraud and Abuse Act (CFAA) allows an employer to bring a civil action against an employee who accesses the employer's computers "without authorization" or in a manner that "exceeds authorized access." Although the CFAA is primarily a criminal statute designed to combat hacking, employers often bring claims under the CFAA when a "disloyal employee" (typically, an employee who has accepted employment with a competitor) downloads or emails confidential information for the benefit of the employer's competitor.

In WEC Carolina Energy Solutions LLC v. Miller, the U.S. Court of Appeals for the Fourth Circuit confronted such a situation. According to the complaint, shortly before the employee resigned from his position as project director for WEC, he downloaded to his personal computer and emailed to himself or his assistant a substantial number of WEC's confidential documents. Shortly thereafter, the employee resigned and used WEC's information to make a presentation to a potential WEC customer on behalf of WEC's competitor. Although WEC had authorized the employee's access to the company's intranet and computer servers, WEC's policies prohibited using that information without authorization or downloading it to a personal computer. After the customer awarded two projects to the competitor (allegedly as a result of the employee's actions), WEC sued its former employee under the CFAA, claiming that he violated the CFAA because, under WEC's policies, he was not permitted to download WEC's proprietary information to a personal computer. By doing so, WEC argued, the employee either: (1) lost all authorization to access the confidential information; or (2) exceeded his authorization.

The district court dismissed WEC's CFAA claim, reasoning that WEC's policies regulated use of information, not access to that information. While the employee's purpose in accessing the information was contrary to WEC's policies regulating use, this was not a violation of a policy relevant to access. Consequently, the district court found that there was no liability under the CFAA.

The Fourth Circuit affirmed the district court's holding. The court noted that there are two schools of thought as to whether the CFAA's operative terms "without authorization" and "exceeds authorized access" extend to situations where a "disloyal employee" uses a computer he otherwise has access to through his employer to perform disloyal acts such as downloading or emailing...