Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct Under the Computer Fraud and Abuse Act

Published date: 01 June 2013
DOI: http://doi.org/10.1111/ablj.12010
Authors: Christine Neylon O'Brien, Stephanie Greene
Stephanie Greene* and Christine Neylon O’Brien**
INTRODUCTION
Computers have introduced new distractions and new temptations into the
workplace. Employees may use work time to shop, socialize, or gamble on
employers’ computers even though such behavior may be prohibited by
employers’ computer use policies or by employment agreements. As computer
use has grown and employees work from home or remote locations,
the line between what is appropriate computer use and what is a violation
of an employer’s computer use policies has blurred.[1] What repercussions
should employees suffer if they violate employer computer use policies?
*Associate Professor of Business Law, Carroll School of Management, Boston College.
**Professor of Business Law, Carroll School of Management, Boston College.
We wish to thank Professor Margo E.K. Reder, Boston College, for her research and
assistance on this article.
This article was selected as Holmes Cardozo Finalist and Distinguished Proceedings Paper
and received the Best Employment Paper Award sponsored by Jackson Lewis LLP at the
Academy of Legal Studies in Business Conference 2012.
[1] See Ed Frauenheim, Stop Reading this Headline and Get Back to Work (July 11, 2005),
CNET/NEWS, http://news.cnet.com/Stop-reading-this-headline-and-get-back-to-work/2100-1022_3-5783552.html
(discussing a web survey of 10,000 employees conducted by salary.com and
web portal America Online that showed surfing the web was the largest time waster at work,
and noting that most employees spend more than two of their eight work hours on personal,
nonwork matters); see also Andrew T. Hernacki, Comment, A Vague Law in a Smartphone World:
Limiting the Scope of Unauthorized Access Under the Computer Fraud and Abuse Act, 61 AM. U. L.
REV. 1543, 1544–48 (2012) (noting widespread use of cellphones, smartphones, and mobile
devices with mobile applications and arguing that broad interpretation of unauthorized
access under the CFAA violates the vagueness doctrine and due process).
American Business Law Journal
Volume 50, Issue 2, 281–335, Summer 2013
© 2013 The Authors
American Business Law Journal © 2013 Academy of Legal Studies in Business
Some violations may be de minimis, whereas others might pose substantial
threats to employers—such as harm to reputation or exposure of confidential
information. In the most extreme cases, employees may use
employer computers to commit crimes. Thus, misuse of employers’ computers
encompasses a broad spectrum of behavior from lazy employees
who squander time at the computer to scheming criminals.
The sections of the Computer Fraud and Abuse Act (CFAA or Act) at
issue prohibit accessing computers “without authorization” or “exceeding
authorized access.”[2] While this language was largely intended to prohibit
both external and internal hacking,[3] both employers and prosecutors have
argued, and some courts have agreed, that this language also prohibits
conduct such as violating a computer use policy or other employment
agreement. Some may argue that employers and prosecutors are unlikely
to pursue minor violations of computer use policies, but courts are mindful
that a broad interpretation of the CFAA could support cases that involve
conduct that Congress did not intend to criminalize.[4]
This article refers to disloyal employees to describe those whom
employers or the government have targeted as violating the CFAA because
they have misappropriated confidential information, violated a computer
use policy, or breached an employment contract. Such acts of employee
disloyalty have traditionally been the province of contract and tort law,[5]
with employers suing disloyal employees for misappropriation of trade
secrets, conversion, unfair competition, and tortious interference with a
business expectancy.[6] Trade secret law frequently provides a remedy to
employers when employees steal confidential information. Primarily a
[2] See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No.
98-473, § 2102(a), 98 Stat. 2190, 2190–92 (1984). The Computer Fraud and Abuse Act, Pub.
L. No. 99-474, 100 Stat. 1213 (1986), is the name of the 1986 amendment to 18 U.S.C. § 1030
(2006). See Part I infra for a detailed explanation of the relevant sections of the CFAA.
[3] See discussion infra at Part V.A; see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127,
1130–31 (9th Cir. 2009); Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda,
390 F. Supp. 2d 479, 495–96 (D. Md. 2005). Hacking is used to describe a variety of
compromises to networked computers, ranging from innocuous customizations (“modding”),
to circumventing security protocols, and further, criminal acts done to systems that perpetrate
even more harm. See Fernando M. Pinguelo & Bradford W. Muller, Virtual Crimes, Real
Damages: A Primer on Cybercrimes in the United States and Efforts to Combat Cybercriminals, 16 VA.
J.L. & TECH. 116, 132–35 (2011); Julian E. Barnes & Daniel Lippman, Malware Threat to
Internet Corralled, WALL ST. J., July 9, 2012, at B3.
[4] See Part II.A & B discussing a broad interpretation of the CFAA. While the cases courts have
considered to date have involved serious transgressions, Part III of this article discusses the
en banc decision of the Ninth Circuit Court of Appeals in United States v. Nosal, 676 F.3d 854
(9th Cir. 2012), where the majority noted that the less serious transgressions would be subject
to the same analysis and consequences as more serious infractions. Id. at 862; see also WEC
Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (rejecting an
interpretation that would hold employees liable for checking “the latest Facebook posting or
sporting event scores”); Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization”
in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1599 (2003) (discussing the alarming
prospect of broad interpretation of the CFAA resulting in expanding criminal liability to
breach of contract cases).
[5] See Greg Pollaro, Disloyal Computer Use and the Computer Fraud and Abuse Act: Narrowing the
Scope, 2010 DUKE L. & TECH. REV., No. 12, at ¶ 3 (concluding “the CFAA was not designed to
apply to employer/employee claims that are traditionally handled under state tort and
contract law”). It should be noted that egregious disloyalty may be proffered as a defense by
employers who have disciplined or discharged employees for engaging in concerted activities
that are protected by section 7 of the National Labor Relations Act. See Christine Neylon
O’Brien, The First Facebook Firing Case Under Section 7 of the National Labor Relations Act:
Exploring the Limits of Labor Law Protection for Concerted Communication on Social Media, 45
SUFFOLK U. L. REV. 29, 49–58 (2011) (discussing the Supreme Court’s ruling in NLRB v. Local
Union No. 1229, Int’l Bhd. Elec. Workers (Jefferson Standard), 346 U.S. 464, 476–77 (1953), that
an employer need not retain an employee when conduct is so disloyal to the employer that
it provides a separate cause for discharge); cf. Matthew W. Finkin, Disloyalty! Does Jefferson
Standard Stalk Still?, 28 BERKELEY J. EMP. & LAB. L. 541, 551–57 (2007) (questioning the value
of disloyalty as a standard and noting it chills speech of social value). The concept of disloyalty
is based upon the agency concept that an employee owes a duty of loyalty to his or her
employer. See Charles A. Sullivan, Mastering the Faithless Servant?: Reconciling Employment Law,
Contract Law, and Fiduciary Duty, 2011 WIS. L. REV. 777, 777–78, 806 (noting that the most
recent RESTATEMENT OF AGENCY (THIRD) (2006) views employees as a species of agent). An
employee violates the duty of loyalty owed to the employer when the employee does not act
solely for the benefit of the employer in matters connected to the agency/employment, and,
in such cases, the employer may recover secret profits as well as wages paid during the period
of disloyalty. See Marisa Warren & Arnie Pedowitz, Practitioner’s Note, Social Media, Trade
Secrets, Duties of Loyalty, Restrictive Covenants and Yes, The Sky Is Falling, 29 HOFSTRA LAB. & EMP.
L.J. 99, 105 (2011) (discussing cases relying upon the RESTATEMENT (SECOND) OF AGENCY).
Numerous statutory employment protections are limited by the concept that even if an
employee has engaged in protected activity, he or she may nonetheless be subjected to
discipline or discharge for separate unprotected activities that provide an independent cause
for discipline. Thus, engaging in protected activities, or being a member of a protected class,
does not provide carte blanche for employee misbehavior, including that which is disloyal to
the employer. In the context of CFAA cases, the agency-based interpretation of authorization
is perhaps best illustrated in the Seventh Circuit’s decision in Int’l Airport Ctrs., L.L.C. v. Citrin,
440 F.3d 418, 420–21 (7th Cir. 2006), discussed infra Part II, in which the court ruled the
employer/employee agency relationship terminated when the employee violated a duty of
loyalty by failing to disclose his adverse interests. See Matthew Kapitanyan, Beyond WarGames:
How the Computer Fraud and Abuse Act Should Be Interpreted in the Employment Context, 7 I/S: J.L.
& POL’Y FOR INFO. SOC’Y 405, 423 (2012) (discussing Citrin as “the marquee case for the
agency-based interpretation of authorization”).
[6] See, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121,
1122 (W.D. Wash. 2000) (listing plaintiff’s allegations, which included, in addition to