Computer Fraud and Abuse Act: Broad Scope of Applicability
Many aspects of modern society depend on computers, and computer fraud and abuse have become prevalent. For employers, it is important to have an employee computer access policy to protect sensitive information. For employees, knowing the limits of authorized access is essential to avoiding adverse employment action.
The Computer Fraud and Abuse Act is a federal law that was enacted by Congress in 1984. It has been amended several times to keep up with technological advances. It was originally enacted as a criminal statute, but now also allows for civil enforcement. The Act defines a violator as “[w]hoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…” The Act defines a “protected computer” as a computer that “is used in or affecting interstate or foreign commerce or communication…” However, the provision “without authorization, or exceeds authorized access” is not defined, and it can be a trap for the unwary.
For example, in a recent case, the Fifth Circuit Court of Appeals held that “the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’” In this case, the employee had been given access to a large bank’s internal computer system and the customer account information contained within it. The employee accessed the information with the purpose of making it available to the employee’s co-defendant to conduct fraudulent credit card charges. The employee argued that the Act did not prohibit access to material to which she had authorization, and that the statute only prohibited her from accessing information she was not authorized to retrieve.
However, the Fifth Circuit concluded that the employee had exceeded her authorization, even though she “was authorized to view and print all of the information that [employee] accessed,” because her use of that information “to perpetrate fraud was not an intended use of that system” and was “contrary to [the] employee policies of which [employee] was aware.”
This concept is further seen in a case decided this year by a federal court in Texas. Shortly before terminating his employment, an employee allegedly removed documents from an employer’s computer. The employee argued he was authorized to delete files from the employer’s computer. However, the court stated, “An employer may ‘authorize’ employees to utilize computers for any lawful purpose but…only in furtherance of the employer’s business.” While the authorization agreement did not prohibit the employee from deleting information from the employer’s computer, the employee may have exceeded the intended use of the employer’s computer if deleting files caused harm to the employer’s business.
As shown above, this statute can serve as a remedy for an employer whose confidential information has been compromised by unauthorized access to its computer. Additionally, employees need to be aware of the boundaries of their computer authorization agreements.