By 1986, it was clear that computers were becoming an inextricable component of modern society. However, this new and developing technology was ripe for abuse in various ways. At the time, there were not any adequate legal remedies for victims of these abuses, so Congress saw fit to create a criminal statute addressing those concerns. Thus, The Computer Fraud and Abuse Act (CFAA) of 1986 was born.
The CFAA’s primary concern was to prevent “hacking.” As such, the CFAA made it a crime under § 1030(a)(2)(C) for an individual to “intentionally access a computer without authorization or exceed authorized access” to obtain “information from any protected computer.” The CFAA defines “exceeding authorized access” in § 1030(e)(6) as accessing a computer with authorization and using such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.
The Circuit Courts are currently split on how to interpret “exceeds authorized access” as it relates to the employment context. The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad approach by limiting authorized access to that which is specifically authorized by the employer. In other words, an employee may have physical access to a computer, but is limited in the ways they may use that computer. On the other hand, the Fourth and Ninth Circuits have adopted a narrow approach and have limited “exceeds authorized access” to activities akin to what most people colloquially refer to as “hacking.”
In United States v. Nosal, the Ninth Circuit held that an individual “exceeds authorized access” by violating a restriction on access but not by violating a restriction on use of a work computer and its contents. The Ninth Circuit decided to interpret the statute as applying only to those who access an unauthorized computer. As such, the CFAA would not apply to those who have authorized access and later use that information to the detriment of their employer, regardless of whether or not the action violates the employer’s computer use policies.
Conversely, in United States v. John, the Fifth Circuit held that “exceeding authorized access” includes exceeding the purposes for which the employer authorizes access. Under this broad interpretation, an employee violates the CFAA and exceeds their authorized access on a protected computer through activities outside the scope of employer designated access. This interpretation sets the level of authorization where the employer dictates it via use agreements.
Both interpretations have their merits and their issues. On the one hand, several canons of statutory construction (e.g. congressional intent, rule of lenity, etc.) lead to the conclusion that the narrow interpretation is the correct approach. This is, in large part, due to the fact that the broad approach has the fatal flaw of imposing potential widespread and sweeping criminal liability on seemingly innocuous daily activity. However, to adopt the narrow interpretation would be to accept the premise that an employee can only violate the CFAA by accessing a device that the employee was not permitted to; whereas, if the employee accessed information that they were not permitted to, and then subsequently used that information to the detriment of their employer, they have not violated the CFAA.
The broad interpretation addresses this issue by interpreting the language of the CFAA to mean that employers can determine what levels of access their employees may have over company information. However, as the case law stands today, this means that employees could face criminal liability for accessing websites such as Facebook, Instagram, Yelp, Twitter, etc. This is unacceptable.
Due to the fact that neither of these interpretations yields an entirely acceptable outcome, the Supreme Court of the United States should not grant certiorari on this issue because it would be forced to adopt one of these two flawed interpretations or to create a new rule entirely. Instead, Congress should amend the statute to address these concerns while retaining the goals of the original legislation.
The opinions expressed herein are those of the individual contributors to the ASLJ Blog and should not be construed as the opinions of the Arizona State Law Journal or the Sandra Day O’Connor College of Law at Arizona State University.