Should NC Employees Worry About the Computer Fraud and Abuse Act?

Congress passed the Computer Fraud and Abuse Act (“CFAA”) in 1986 to curb hacking practices, especially against the federal government. However, the law’s broad construction lent itself to the law’s use in prosecuting or suing departing employees for unauthorized access or exceeding authorized access of company computers or networks when they download company data for their use after departure.

Until a few years ago, such claims made under the CFAA by employers against departed employees were successful in some courts. But in 2012, the Fourth Circuit (which covers North Carolina), ruled in a case called WEC Carolina Energy Solutions LLC v. Miller that an employee did not violate the Computer Fraud and Abuse Act’s prohibitions against unauthorized access or access in excess of authorization by downloading confidential proprietary information from his employer’s computer network and later using that information in a competing business.

The employee was authorized by the employer to access its networks and computers without limitation at the time that he downloaded the information. The court found that his later use of that information for a subsequent employer did not violate the CFAA, because the CFAA only forbids use of information downloaded without prior authorization.

The Fourth Circuit sent a clear message through its opinion that it will almost never be willing to extend the CFAA to impose liability on a departing employee because doing so would criminalize an employee’s violation of a computer or network use policy even if the violation was committed for the purpose of advancing the employer’s interests.

To date, the US Supreme Court has not weighed in on this issue, so at least for now, departing employees in North Carolina appear to be safe from prosecution under the CFAA.

Of course, this isn’t to say that employees should take the Fourth Circuit’s ruling as an unrestricted license to have a free-for-all with their employers’ proprietary information, because doing so could still constitute a breach of contract or give rise to some other state common law cause of action.

This entry was posted in Employment Law. Bookmark the permalink.