In a decision that underscores the importance of carefully considering company computer-use policies and permissions, the United States District Court for the Middle District of Florida held last month that a company could not maintain a Computer Fraud and Abuse Act (“CFAA”) claim against a former employee because the company had given the employee “unfettered access and usage” of the computer system during his employ.
In its detailed decision, the court surveyed other decisions interpreting the CFAA, as well as the legislative history of the Act, and adopted a narrow interpretation of the phrase “exceeds authorized access.” As a result, the plaintiff employer did not state a claim for unauthorized access under the CFAA, even where the employer alleged the defendant “exceeded her authorized access by acting in bad faith by changing the access credentials used by other authorized users and creating backdoors and other vulnerabilities” on the network.
In the June 15, 2015, opinion in Allied Portables, LLC v. Youmans, M.D. Fla., No. 2:15-cv-00294-SPC-CM, Judge Sheri Polster Chappell explained that many courts, including the Fourth and Ninth Circuit Courts of Appeals, and the majority of the 11th Circuit’s district courts, favored a narrow interpretation of “exceeds authorized access,” such that a claim would lie only where the employee accessed information for which permission was not provided by the employer. Thus, the Youmans court reasoned that it is not the subjective intent of the employee, or subsequent violations of company policies based on misuse of information, that determines liability under the CFAA. Rather, violations are judged by the level of access the employer has defined for the employee; if the employer has not set limits, or has provided “unfettered” access as Allied Portables did, then an employee cannot be considered to have exceeded the authorized level of access.
Judge Chappell quoted a recent Southern District of Georgia opinion, Power Equip. Maint., Inc. v. AIRCO Power Servs., Inc., 953 F. Supp. 2d 1290 (S.D. Ga. 2013), to explain that “either one has been granted or has not,” so an employer “cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.” This explanation demonstrates the importance of either clearly defining company computer-use policies to delineate authorized and unauthorized uses, or structuring account settings to limit the scope of authorized uses. These proactive approaches may help companies avoid dismissal of CFAA claims based on the reasoning in Youmans.
As the Southern District of Georgia has explained, “it is the employer’s decision as to what the employee can access that determines whether an employee exceeded his authorized access.” AIRCO, 953 F. Supp. 2d at 1296. Thus, the narrow view espoused in AIRCO and Youmans aligns with this principle and “creates something more akin to a bright line rule that is easy to apply in the numerous and complex factual scenarios likely to arise when assessing whether an employee’s actions violated the CFAA.” Id. This interpretation of the CFAA puts the onus on employers to ensure they define what type of access is authorized before seeking to hold employees liable for exceeding the desired levels of authorization.