Minnesota Court Narrowly Interprets the Computer Fraud and Abuse Act
Recently, a Minnesota federal district court construed the federal Computer Fraud and Abuse Act narrowly and dismissed an employer’s CFAA claim against three former high-level employees. In Walsh Bishop Associates, Inc. v. O’Brien, et al., the court held that civil liability under the CFAA does not extend to an employee’s alleged later misuse of information that the employee was authorized to access. Thus, the court concluded that civil liability under the statute turns on whether the former employees were authorized to access the data at issue, not on whether the former employees allegedly misused the data after accessing it.
The CFAA makes it unlawful for any person to obtain information from a computer by intentionally accessing the computer without authorization or by exceeding authorized access. Employers frequently include a CFAA claim in suits against former employees for trade secret misappropriation.
In Walsh Bishop, the defendants were former executive-level employees. Among other things, the employer alleged that the defendants accessed documents the employer claimed were confidential and took those documents with them after their employment ended.
In reaching its decision regarding the scope of civil liability under the CFAA, the Walsh Bishop court recognized a split of authority among federal courts on the issue of whether the statute’s “exceeds authorized access” requirement was intended to include the alleged misuse of information properly accessed. In rejecting the employer’s argument for a broad reading of this requirement, the court referenced the CFAA’s legislative history and emphasized that Congress amended the statute in 1986 to remove “use” as a basis for exceeding authorization. The court relied on the plain language of the statute and focused on whether the defendants accessed information that they were forbidden to access.
In its complaint, the employer alleged that the defendants had the “highest level” of access to the employer’s confidential and proprietary information. The court concluded, therefore, that the employer had authorized the defendants to access the data at issue and dismissed the CFAA claim, reasoning that the statute does not impose liability on individuals who have permission to access information, but later allegedly use it for an improper purpose.
Minnesota’s federal courts likely will continue to address the scope of civil liability under the CFAA and the issue of prohibited access versus use, given the relatively small number of CFAA cases that exist in that district. The recent Minnesota case adopts the narrower reading of the CFAA’s “exceeds authorized access” requirement (following other, similar decisions from that district and other districts) and tightens the requirements needed before an employer can prevail against former employees under the CFAA. In most trade secret cases, a former employee is accused of taking and using confidential information that was accessible to him or her in the course of employment. The typical trade secret case does not involve employees gaining unauthorized access to confidential electronic data. If Minnesota’s courts continue to read the CFAA narrowly, as the court did in Walsh Bishop, a CFAA claim will not usually be one that employers may rely upon as part of their arsenal of claims against departing employees.