The federal Computer Fraud and Abuse Act (CFAA) was intended to be an anti-hacking criminal statute to go after people who hack into databases and computer systems without authorization to misappropriate data. However, certain prosecutors have attempted to expand their powers under the Act and use the Computer Fraud and Abuse Act to prosecute people who were not intended to be covered by the law
In a federal criminal case out of California, prosecutors charged a defendant for violating the Computer Fraud and Abuse Act for violating certain computer-related policies of his employer. In this case, the defendant was an employee of an executive recruiting company named Korn/Ferry. He left the company to start a competing company. The defendant contacted some of his former co-workers who were still working at Korn/Ferry and asked them to download confidential information from the Korn/Ferry computer system to assist the defendant with his new company. The employees were allowed to access the Korn/Ferry computer database because they still worked there. However, Korn/Ferry’s policies did not allow them to use the information in the database to help a competing business.
The United States Attorney’s Office charged the defendant with violating the Computer Fraud and Abuse Act for aiding and abetting the Korn/Ferry employees in exceeding their access to the Korn/Ferry computer system to defraud the company. The criminal defense attorneys moved to dismiss the CFAA charges. They argued that the CFAA was intended to punish hackers who access computer databases without authorization, not people who have authorization to access a computer database but misuse the information in violation of company policy.