Agency, code, or contract: determining employees' authorization under the Computer Fraud and Abuse Act.

• Author: Field, Katherine Mesenbring

The federal Computer Fraud and Abuse Act ("CFAA") provides for civil remedies against individuals who have accessed a protected computer without authorization or in excess of their authorization. With increasing numbers of employees using computers at work, employers have turned to the CFAA in situations where disloyal employees have pilfered company information from the employer's computer system. The vague language of the CFAA, however, has led courts to develop three different interpretations of "authorization" in these CFAA employment cases, with the result that factually similar cases in different courts can generate opposite outcomes in terms of employee liability under the statute. This Note examines the three alternative interpretations of authorization in CFAA employment cases and concludes that courts should generally employ a code-based interpretation as the default definition of authorization under the CFAA, with employment contracts that clearly outline the limits of employee computer access providing meaning to authorization in cases where courts in their discretion find it to be appropriate.

TABLE OF CONTENTS INTRODUCTION I. THREE INTERPRETATIONS OF AUTHORIZATION A. Agency-Based Interpretation B. Code-Based Interpretation C. Contract-Based Interpretation II. LEGISLATIVE HINTS A. Specific Legislative Intent or the Lack Thereof B. Looking More Broadly: The General Legislative Aim of Combating Computer Misuse and an Allowance of Judicial Discretion 1. The General Legislative Aim of Combating Computer Misuse 2. A Legislative Grant of Discretion for Determining Authorized Access ? III. EVALUATING THE ALTERNATIVES A. A Code-Based Approach as the Standard Default Interpretation B. Evaluating the Merits of the Alternatives 1. The Agency-Based Approach 2. The Contract-Based Approach C. The Code-Based Default with a Contract-Based Alternative in Practice CONCLUSION INTRODUCTION

Computers are widely used in the workplace for understandable reasons: they often increase productivity, making employees more efficient and effective at their jobs. (1) But by making information more accessible and shareable, computers and computer networks in the workplace increase the risk that certain information--confidential, proprietary, or trade secret information--may end up in the hands of competitors. In light of this risk, companies take preventative measures; they encode computer networks to discourage hackers and require employees to enable and utilize password protections to prevent use by outsiders. These preventative measures, however, do little to protect against one risk: that an employee himself will use his access to the company's computers and network to gather and turn over such confidential, proprietary, or trade secret information to competitors.

Yet while it may be difficult to fashion preventative measures to thwart the efforts of such a rogue employee, companies are increasingly finding that they can recoup the associated losses through the use of a federal computer-misuse statute. This statute, the Computer Fraud and Abuse Act ("CFAA"), (2) was originally developed to target computer hackers. (3) The CFAA also, however, allows private citizens to bring suits against a person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer" or who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access." (4) Thus, employers can bring their rogue employees into court, arguing under the rather general language in the CFAA that the employee was without authorization or exceeded his authorization to access the company computer system when he did so to obtain proprietary company information for devious, non-business purposes.

Courts, however, have trouble applying the CFAA's vague "authorization" language to the delicate and complex relationship that exists between employees and employers. Naturally questions arise over what it means to access without authorization or exceed authorized access when the person's employee status means that he already has authorization to access a computer--that is, his employer has directed him to use a computer and create, modify, or otherwise use the information on that computer system. In response to the problem of applying the CFAA's vague statutory language in employment situations, courts have developed three different understandings of authorization: agency based, code based, or contract based. Courts following an agency-based interpretation determine authorization through principles of agency law, such as employee loyalty. (5) Courts opting for a code-based interpretation define authorization by technical limits within computer systems, such as employer-installed password requirements. (6) Finally, some courts apply a contract-based interpretation under which authorization is determined by contractual limits placed in employee agreements and policies. (7)

The current state of confusion over how to define an employee's liability for computer misuse under the CFAA is undoubtedly less than ideal. This Note seeks to provide some clarity to the dispute by analyzing the legislative history and asking which approach best effectuates legislative intent behind the CFAA. Ultimately this Note suggests that courts should adopt a code-based approach to authorization as a default interpretation, while allowing contracts that are clearly applicable and aimed to prevent computer misuse to define authorization in some CFAA employment cases. Part I reviews the various interpretations of authorization within the employment context. Part II analyzes the legislative history of the CFAA, noting that while this history does not supply meaningful information regarding the specific legislative intent behind the authorized-access phrases within the CFAA, a more general look at the legislative history provides two valuable insights: first, the general legislative aim of the CFAA is combating computer misuse; and second, there is congressional assent to greater judicial discretion in defining authorization in CFAA cases involving insiders, such as employment cases. Based on these insights, Part III proposes the adoption of a code-based default interpretation and evaluates the merits of the agency-based approach and the contract-based approach as alternative interpretations in CFAA employment cases. This Part concludes by stressing the value of an approach where courts prefer a code-based understanding of authorization in most situations, but are free to deviate and determine authorization based on contracts in certain CFAA employment cases.

1. THREE INTERPRETATIONS OF AUTHORIZATION

   Although the CFAA is primarily a criminal statute, individuals and companies can also bring private civil suits against CFAA violators. (8) Many of these civil suits involve employers and their former employees. (9) In such suits, the employing company uses the CFAA to receive damages or an injunction after an employee uses a company computer to access, email, or copy sensitive company reformation. (10) A company's success in proving a violation of the CFAA within a given set of facts often turns on the court's answer to the following question: what does it mean to say that a person "intentionally accesses a computer without authorization or exceeds authorized access"? (11) The ambiguity of the statutory language has led courts to adopt different approaches to answering this question, with the result that employers and employees are often left without a consistent understanding of how a court will assess their CFAA claims.

   One can, however, distill three distinct categories of approaches from the courts' treatment of authorization in CFAA employment cases: the agency-based interpretation, the code-based interpretation, and the contract-based interpretation of authorization. These different interpretations have emerged slowly; it was only recently, after the Seventh Circuit's endorsement of an agency-based approach, that courts began to expressly note the possibility of alternative interpretations to authorization in their opinions. (12) This Part explores the development and operation of each of the categories of interpretation of employees' authorization in CFAA cases.

   1. Agency-Based Interpretation

      As suggested by the name, the agency-based interpretation of authorization is based on common-law agency principles. (13) The employer-employee agency relationship imposes "special duties on the part of both the employer and the employee which are not present in the performance of other types of contracts." (14) Important for our concerns, the employee owes a duty of loyalty to his employer, which requires him to act solely for the benefit of the employer or company. (15) Moreover, the employee's authority to act on behalf of the employer terminates when he obtains an interest adverse to the employer--for example, if he begins to work for a competitor. (16) Thus, importing these principles into authorization under the CFAA, an employee's authorization is implicitly revoked when he accesses a computer for purposes that do not further his employer's interests.

      Courts adopting the agency-based interpretation determine whether computer access was authorized under the CFAA through the direct use of these basic agency principles. In the first case to apply agency principles, an employee of a self-storage business emailed confidential information to a competitor just prior to leaving to work for that competitor. (17) In determining whether this access was unauthorized and violated the CFAA, the court relied on section 112 of the Second Restatement of Agency, which states, "Unless otherwise agreed, the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to...