What is the Computer Fraud and Abuse Act?
The Computer Fraud and Abuse Act ("CFAA") was originally enacted in 1984 as a criminal statute to protect data on federal computers and to deter hackers. Over time, the scope of the CFAA evolved to include a private right of action for any person who suffers damage or loss because of a violation of the CFAA. Employers have increasingly taken advantage of the CFAA's civil remedies to obtain both injunctive and monetary relief against employees, making the federal statute a strong tool against employees, especially in the context of non-compete and trade secrets litigation.
Elements of a CFAA Claim
To establish a civil action against an employee under the CFAA, an employer must prove that the employee: (1) intentionally accessed a "protected computer," (2) "without authorization," and as a result (3) caused damage or loss of at least $5,000.
The employer cannot bring a civil action against an employee, however, if the alleged misconduct does not involve conduct prohibited by the Act. Violations include but are not limited to:
- damage to a protected computer that results in a loss of at least $5,000;
- the impairment of a medical examination, diagnosis, treatment or care of an individual;
- physical injury to a person; and
- threats to public health or safety.
What is a "protected computer" under the CFAA?
A "protected computer" includes any computer that is "used in interstate or foreign commerce or communication." This likely includes any computer connected to the internet.
Did the employee have authorization to access the protected computer?
The key element that an employer must prove in a CFAA claim is that the employee gained unauthorized access to the employer's computer system. Accordingly, the employer does not have a claim under the CFAA if access to the part of the employer's computer system that the employee allegedly accessed was never revoked. Additionally, courts are likely to dismiss a CFAA claim where an employee's counsel can prove that the alleged "access" was harmless, was not for an improper purpose, or that the employee accessed the former employer's computer system for legitimate, work-related reasons.
What constitutes loss or damage under the CFAA?
A CFAA claim is actionable only where the employee's conduct resulted in $5,000 of damage or loss to the employer. Examples of damage or loss under the CFAA include:
- loss of business;
- loss of goodwill;
- the cost of diagnostic measures;
- the impairment to the integrity or availability of data, a program, or information;
- misappropriation of trade secrets; and
- the cost of restoring computer data, fixing actual damages to a computer system, or modifying a computer system to preclude further data transfer.
Failure of proof on this element is fatal to an employer's CFAA cause of action.
What is the statute of limitations?
The CFAA provides a two-year statute of limitations for bringing a claim under the Act. The limitations period begins to run on the date of the alleged violation.
What can an employee do to avoid CFAA liability?
A departing employee should return to the employer all equipment that was provided to her during the course of her employment. Additionally, an employee should refrain from deleting or downloading any information from the employer's computer system to a personal disk, email, or thumb drive without the employer's consent.
Selecting a lawyer
Due to the complex nature of CFAA claims, an employee who is being sued for alleged violations of the CFAA should seek experienced counsel capable of handling these complex cases.