Published on:

Does Violating an Employer’s Computer Policy Violate the Federal Computer Fraud and Abuse Act?

The federal Computer Fraud and Abuse Act (CFAA) was intended to be an anti-hacking criminal statute to go after people who hack into databases and computer systems without authorization to misappropriate data. However, certain prosecutors have attempted to expand their powers under the Act and use the Computer Fraud and Abuse Act to prosecute people who were not intended to be covered by the law
In a federal criminal case out of California, prosecutors charged a defendant for violating the Computer Fraud and Abuse Act for violating certain computer-related policies of his employer. In this case, the defendant was an employee of an executive recruiting company named Korn/Ferry. He left the company to start a competing company. The defendant contacted some of his former co-workers who were still working at Korn/Ferry and asked them to download confidential information from the Korn/Ferry computer system to assist the defendant with his new company. The employees were allowed to access the Korn/Ferry computer database because they still worked there. However, Korn/Ferry’s policies did not allow them to use the information in the database to help a competing business.

The United States Attorney’s Office charged the defendant with violating the Computer Fraud and Abuse Act for aiding and abetting the Korn/Ferry employees in exceeding their access to the Korn/Ferry computer system to defraud the company. The criminal defense attorneys moved to dismiss the CFAA charges. They argued that the CFAA was intended to punish hackers who access computer databases without authorization, not people who have authorization to access a computer database but misuse the information in violation of company policy.

The appellate court determined that the CFAA did not apply to this scenario. The court noted that computers have become prevalent in today’s society and it would be very dangerous to allow a prosecutor to use the Computer Fraud and Abuse Act in situations where an employee merely violated a company’s computer policy. One could envision any number of ways an employee could violate company policy as it relates to a computer that could end up in federal charges if the CFAA was expanded to include fraud based on company policy violations. Fortunately, the appellate court was not inclined to expand the CFAA in that manner and indicated that prosecutors should use the CFAA to go after hackers who access computer systems without authorization as the computer Computer Fraud and Abuse Act was apparently intended.