Jackson Lewis e-discovery guru Ralph Losey has posted an article about the Computer Fraud and Abuse Act (“CFAA”) on his e-discovery blog ediscoverylawtoday. Losey posits that more courts may be turning to the minority application of the CFAA as applying only to acts of unauthorized access, as opposed to unauthorized use. As he states in part:
A majority of courts have to date construed the meaning of “unauthorized access” in the CFAA to include access for unauthorized purposes, such as to steal an employer’s information. They applied the anti-hacker statute even though the employee was authorized to access the computer system, just not for purposes of theft. Now a growing number of courts are stepping back from the expansive construction of what it means to be a “hacker” under the statute. They are instead limiting the CFAA to situations where the access to the computer itself was unauthorized, and disregarding whether or not the access was for a permitted use.
A recent case out of the District Court in Pittsburgh provides an example of this new trend, and includes a good discussion of the law. Carnegie Strategic Design Engineers, LLC v Cloherty, March 6, 2014. Judge Eddy points out that there is a split in the Circuits on the issue, and then follows the minority view that the CFAA was not intended to convert disloyal employees into hackers. The plaintiff employer’s case was dismissed with prejudice because there were no allegations that the employee was not authorized to access the computer system, just allegations of improper purpose.