The 9th U.S. Circuit Court of Appeals ruled that workers authorized to access company computers do not lose or exceed that access under the Computer Fraud and Abuse Act even if their intent was to acquire data to open a competing business (.pdf).
There is no language in the 1984 anti-hacking statute, the San Francisco-based appeals court said Wednesday, supporting the “argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interests.”
The decision marks the second time in as many months the courts have restrained the use of the CFAA.
In July, for example, a Los Angeles federal judge tossed the guilty verdicts against Lori Drew, who was charged criminally of participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The case against the 50-year-old Drew hinged on the government’s novel argument that violating MySpace’s terms of service was the legal equivalent of computer hacking and a violation of the CFAA.
The appellate court’s decision Wednesday, meanwhile, sets the stage for possible review by the U.S. Supreme Court. The ruling conflicts with a 2006 decision by the Chicago-based 7th U.S. Circuit Court of Appeals that said employees lose “authorization” to company computers if their motives are disloyal.
Congress adopted the CFAA to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality. The CFAA prohibits a number of computer crimes, but the majority focus on accessing computers without authorization or in excess of authorization.
At issue before both appellate courts was the area of the law granting the public the right to sue for damages.
In both cases, the employers maintained the employees forfeited their “authorized access” when using a company computer to acquire confidential information to further their personal interests rather than the company’s interests.
The San Francisco court ruled that, if a company has provided employees authorization to access internal materials, workers couldn’t be sued under the anti-hacking statute unless they encroach into files in which they were not given permission.
However, the Chicago appellate court said that an employee lost authorized access privileges to a laptop and was liable for damages for breaching a “duty of loyalty.” The employee accessed confidential company data even though he was planning to quit his job to start a competing business, the court noted.
By having such motives, the court concluded, the employee forfeited “his authority to access the laptop.”