The Computer Fraud and Abuse Act (“CFAA”) is a federal law that has been appearing in lawsuits brought by employers against their former employees at an ever increasing rate. The CFAA prohibits employees from accessing their employer’s electronic information without authorization, and includes both criminal and civil causes of action. Specifically, the CFAA makes it illegal for an employee to “knowingly and with the intent to defraud, access a protected computer without authorization, or exceed authorized access, and by means of such conduct further the intended fraud and obtain anything of value.”
In Massachusetts to date, there has been a split among judges that have interpreted the law. On the one hand, some judges interpret the CFAA narrowly to only prohibit “hacking,” but on the other hand, some judges have interpreted the CFAA broadly to prohibit an employee’s misuse of an employer’s electronic information, even when the employee was authorized to access it in the first place.
The CFAA is a potentially powerful weapon for employers because a prevailing employer is entitled to be reimbursed by the employee for a forensic review of any computers used by the employee to determine what the employee might have copied or deleted when he separated from employment. In addition to increasing the damages that an employer may recover, the CFAA can also help the former employer in a non-competition case against its former employee by effectively isolating the employee from his or her new employer. While it is common for a new employer to indemnify the employee that it hires in breach of a non-competition clause, it would be far less likely to do so in the face of federal criminal fraud charges under the CFAA.
Ultimately, employers and employees should take two things from potential CFAA suits: 1) employers should clearly define the servers and electronic systems that its employees are permitted to access; and 2) employees should err on the side of caution and only access electronic information that they know they are permitted to access or reach out to the employer to confirm authorization.
