Contributions

Hacking from the Inside-Out: Can the CFAA Impose Liability on Employees who Misuse Employer Data?

by Susanna Griffith 1

Today, some of the most severe threats to computer databases come from the inside. Employees who receive access to expansive employer databases and subsequently act contrary to the interests of their employer create a unique cyber-security threat. 2 But circuits are split as to whether and how the Computer Fraud and Abuse Act—the primary statute governing cyber crime and online fraud—should be applied in cases arising from employee misuse and misappropriation of data. Some adopt a broad interpretation of the operative phrases of the CFAA—“without authorization” and “exceeds authorized access”— choosing to use contract or agency principles to define “authorization.” 3 Others draw a narrow view and look for contravention of technological barriers or other explicit parameters governing access. 4 This article argues that the narrow, code-based view is the preferable approach. First, it is the only clearly constitutional reading, as alternate theories are void for vagueness and federalize traditionally state-governed issues. Second, it provides a consistent means of interpreting the terms “without authorization” and “exceeds authorized access” that comports with standards of excellence in the field of cyber-security and provides a way for employers to safeguard their data.

*****

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, was enacted as an amendment to the Counterfeit Access Device and Computer Fraud and Abuse (Counterfeit Access Device) Act of 1984, the federal anti-hacking statute. 5 The CFAA imposes criminal liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any department or agency of the United States.” 6

The circuits adopting a broad view of the CFAA articulate a contract-based and/or agency-based view. The former defines authorization according to contractual terms agreed upon between employer and employee, and the latter says that access that violates a fiduciary duty is unauthorized access. 7

The debate about the proper role of agency principles is not unfamiliar in the fraud context. Indeed, it parallels a recent debate in mail and wire fraud prosecutions about whether a breach of fiduciary duty is a de facto deprivation of a right to honest services. 8 In the mail and wire fraud context, circuit courts were split over the role of agency law in interpreting honest services wire fraud until the Supreme Court adopted a narrow view in Skilling v. United States. 9 Prior to Skilling, many courts found that a breach of fiduciary duty arising from an agency relationship was sufficient to constitute a deprivation of the “intangible right” to honest services. 10 However, this view turns the Restatement of the Law of Agency into federal criminal law, without any justification from Congress, and the Supreme Court correctly overruled it. 11

The same breadth concerns apply in the computer fraud context: application of agency principles to computer fraud prosecutions has the potential to drastically expand liability by criminalizing an unforeseeable range of employee activity. For example, an employee who checks personal email or browses the internet while on the clock may be acting in a manner contrary to the interests of her employer, but should she be criminally liable for it? The agency view potentially allows charges to be brought against any employee who “use[s] an employer’s computer for anything other than work related activities.” 12

The contract-based view creates additional concerns. First, an employer contract may ban certain types of speech or expression. Allowing a breach of that contract to lead to CFAA liability could have chilling effects on speech. 13 Second, as noted in the Ninth Circuit’s en banc decision in United States v. Nosal, the broad, contract-based reading of the CFAA “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.” 14 Finally, as the court in Nosal described, a broader alternate reading “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” 15 While employee misuse of electronic data is a concern for many employers, the CFAA cannot function as a security blanket for data breaches. Suits against disloyal employees can be brought at the state level and governed by contract law, tort law, and trade secret statutes. 16 A contract-based reading of the CFAA opens the floodgates to allow breach of contract claims into federal court. 17

Beyond contract- and tort-based claims, a legislative arsenal can and should provide additional tools for securing employer databases and protecting against employee misuse. In fact, Congress added a provision governing misuse to the CFAA, imposing felony liability on whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” 18 Because Congress has legislated in this space, courts should refrain from reading extra-legislative use restrictions into the CFAA’s provisions regarding access.

The broad interpretation of the CFAA is unsettling at best and likely unconstitutional on vagueness grounds. 19 There is, however, an alternative that is faithful to the purpose of the CFAA, consistent with the plain text, and effective in creating incentives for secure computer systems. This clear alternative is the code-based view. 20

Code-based restrictions put the onus on the computer owner to customize and control the access privileges granted to employee-users. As Professor Orin Kerr explains, “[Computer owners] assign privileges based on the particular account, limiting where the user can go and what she can do.” 21 By password protecting databases, employers can exercise control over the information available to each individual employee. 22 The code-based theory would impose CFAA liability on someone who illegally obtained a password or circumvented a technological barrier in order to gain, or expand, access to a database. 23

Critics of the code-based view argue that this standard will make it harder for employers to bring charges against employees who misappropriate company data. They may not be mistaken. As explained by scholars advocating the approach, “under the code-based theory, a user can only violate the CFAA by circumventing barriers and cannot violate the CFAA simply by acting contrary to his employer’s interests or breaching an employment policy.” 24 But while adopting a code-based view insulates those who misuse lawfully accessed data from being prosecuted under an anti-hacking statute, it does not free them from any liability whatsoever. 25 An employee may be found liable through state contract or tort claims.

Another critique is that the code-based theory is neither required by the text of the CFAA nor contemplated by its legislative history. However, the code-based theory is more faithful to both text and history. It makes sense of the wording of section 1030, which prohibits unauthorized “access” rather than unauthorized “use.” Furthermore, the code-based theory is consistent with Congress’ expressed desire to encourage computer owners to protect their own networks. 26

An additional advantage of the code-based view is that it aligns with cyber-security standards for management of data. Cyber-security scholars uniformly suggest that employers grant access only to the information employees need to do their jobs. 27 When someone is transferred or promoted, their access should be increased or decreased accordingly. 28 This practice shields companies from internal misappropriation of data as well as external hacks, which can lead to devastating security breaches. The code-based theory aligns with industry best practices for safeguarding employer databases by giving companies incentives to adopt ex ante safeguards by limiting access to the employees who need it. Simultaneously, it preserves ex post remedies by giving companies a civil cause of action against those who breach technological safeguards. 29
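One way to express the practice described above in code, as an added example that is not part of the article: a small data store in which each dataset is a separately granted privilege and a transfer revokes the prior grants, so a later read of the old dataset fails at the technological barrier (and is logged for review) rather than being forbidden only by a written use policy. The employee, department and dataset names are constructed.

```python
# Added example (not from the article): a minimal code-based access model in
# which an account's privileges, not a written use policy, decide what it can
# read. User, department and dataset names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    department: str
    grants: set = field(default_factory=set)   # datasets this account may read


class DataStore:
    """Each dataset is a separate privilege; there is no 'all data' account."""

    def __init__(self):
        self.accounts = {}
        self.audit = []   # (user, dataset, decision) tuples for later review

    def onboard(self, user, department, datasets):
        """Grant only the datasets the new role needs (least privilege)."""
        self.accounts[user] = Account(user, department, set(datasets))

    def transfer(self, user, new_department, datasets):
        """Least privilege on transfer: old grants are replaced, not carried over."""
        acct = self.accounts[user]
        acct.department = new_department
        acct.grants = set(datasets)

    def read(self, user, dataset):
        """Return True only if a code-enforced grant exists; log every decision."""
        acct = self.accounts.get(user)
        allowed = acct is not None and dataset in acct.grants
        self.audit.append((user, dataset, "allow" if allowed else "deny"))
        return allowed


def transfer_scenario():
    """Analyst is moved off the pathogen project; later access to it is denied."""
    store = DataStore()
    store.onboard("analyst", "epidemiology", ["pathogen_reports"])
    before = store.read("analyst", "pathogen_reports")     # True: grant present
    store.transfer("analyst", "records", ["archive_index"])
    after = store.read("analyst", "pathogen_reports")      # False: grant revoked
    return before, after, store.audit


if __name__ == "__main__":
    print(transfer_scenario())
```

The denied entry in the audit list is what distinguishes an access restriction from a use restriction: the barrier is enforced and observable, not merely written down.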

In summary, the code-based view is a better alternative to the broader interpretations of the CFAA. It respects Congress’ decision to criminalize “access” rather than “use,” while providing adequate means for employers to safeguard their own databases.

Notes:

  1. This Contribution reflects my experience in the 2016 Spong Moot Court Tournament, hosted by William & Mary Law School. The problem was about a former employee of the Center for Disease Control and Prevention who, in the course of his work as a data analyst, discovered information about a potentially dangerous pathogen. He proposed that the Center for Disease Control and Prevention (CDC) release the information to the public, and when his proposal was rejected and he was transferred to another department, he accessed and released the information anyway. The fact pattern raised the question of whether this employee—who accessed the information using validly obtained credentials, yet in violation of use restrictions and direct instructions from his employer—could be convicted under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, for accessing data “without authorization” or “exceed[ing] authorized access.”
  2. See Richard Power, Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare 4, 6, 36, 3d ed. 1998, cited in Mary M. Calkins, Note, They Shoot Trojan Horses, Don’t They? An Economic Analysis of Anti-Hacking Regulatory Models, 89 Geo. L.J. 171, 175 n. 17 (2000).
  3. See, e.g., United States v. John, 597 F.3d 263, 273 (5th Cir. 2010) (holding bank employee liable for accessing customer account information and giving it to her half-brother for fraudulent purposes because the employee had “reason to know” that she was not authorized to access data or information in furtherance of a criminally fraudulent scheme); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006) (finding former employee acted without authorization when he breached his fiduciary duty to his employer by deleting data from a company laptop); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding employee exceeded authorized access when he breached an employer confidentiality agreement by using proprietary information to support his own competing business).
  4. See, e.g., WEC Carolina Energy Sols. v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (holding employee did not exceed authorized access and thereby violate the CFAA, because the employer policy regulated use of information, not access); United States v. Nosal, 676 F.3d 854, 863–64 (9th Cir. 2012) (holding employee does not exceed authorized access just by violating employer use restrictions); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1137 (9th Cir. 2009) (holding employee who sent company emails to his personal accounts for unauthorized purposes was not liable under the CFAA because he neither accessed the emails without authorization nor exceeded authorized access).
  5. See Counterfeit Access Device and Computer Fraud and Abuse (Counterfeit Access Device) Act of 1984, Pub. L. No. 98-473, 98 Stat. 2190; H.R. Rep. No. 98-894, at 3706 (1984). See also Briggs v. State, 704 A.2d 904, 911 (Md. 1998) (“The purpose of the bill is to deter individuals from breaking into computer systems.” (internal citations omitted)).
  6. 18 U.S.C. § 1030(a)(2)(B) (2012) (emphasis added).
  7. See, e.g., Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013) (describing three categories of interpreting the CFAA: agency-based authorization, code-based authorization, and contract-based authorization).
  8. Compare United States v. Brumley, 116 F.3d 728, 735 (5th Cir. 1997) (holding that section 1346 only prohibits conduct barred by separate state law), with United States v. Martin, 195 F.3d 961, 966–67 (7th Cir. 1999) (finding that a broad breach of fiduciary duty is sufficient to establish a section 1346 violation). See also United States v. Sun Diamond Growers of California, 138 F.3d 961, 973 (D.C. Cir. 1998), aff’d, 526 U.S. 398 (1999) (“Aware of the risk that federal criminal liability could metastasize, we held . . . that not every breach of a fiduciary duty works a criminal fraud.” (internal quotations omitted)).
  9. 561 U.S. 358 (2010).
  10. See Martin, 195 F.3d at 965–67 (citing 18 U.S.C. § 1346).
  11. See Julie R. O’Sullivan, Honest-Services Fraud: A (Vague) Threat to Millions of Blissfully Unaware (and Non-Culpable) American Workers, 63 Vand. L. Rev. En Banc 23 (2010).
  12. Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1634 (2003). See also Patricia L. Bellia, Defending Cyberproperty, 79 N.Y.U. L. Rev. 2164, 2255–58 (2004) (advocating for a narrow reading of the CFAA to avoid “creat[ing] . . . statutory anomalies” and criminalization of “a broad range of conduct, even an employee’s use of a computer for personal activities in violation of an employer’s policy.”).
  13. Kerr, supra note 12, at 1659.
  14. Nosal, 676 F.3d at 860.
  15. Id. at 857.
  16. See Stephanie Greene & Christine Neylon O’Brien, Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct Under the Computer Fraud and Abuse Act, 50 Am. Bus. L.J. 281, 283–84 (2013). See also Nosal, 676 F.3d at 860 (“Employer-employee . . . relationships are traditionally governed by tort and contract law.”).
  17. See, e.g., Sarah Boyer, Computer Fraud and Abuse Act: Abusing Federal Jurisdiction?, 6 Rutgers J. L. & Pub. Pol’y 661, 662 (2009) (“[T]he issues of ‘unauthorized use’ or ‘damage or loss’ . . . should be construed narrowly in order to keep this type of employer/former employee action out of federal court. Otherwise, the federal court system will be overrun with claims by employers against their former employees.”).
  18. 18 U.S.C. § 1030(a)(5)(A).
  19. See, e.g., Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1582 (2010) (“Only a narrow construction of the statute can save its constitutionality.”). See also United States v. Valle, 807 F.3d 508, 527 (2d Cir. 2015) (reversing a CFAA conviction on grounds that it violates the rule of lenity); Miller, 637 F.3d at 206 (rejecting broad construction of the CFAA based on the rule of lenity).
  20. See generally Kerr, supra note 12, at 1644.
  21. Id. (citing Lawrence Lessig, Code and Other Laws of Cyberspace 66–78 (1999) (discussing ability of computer owners to use code to regulate user access)).
  22. Kerr, supra note 12, at 1644.
  23. Id.
  24. See Kelsey T. Patterson, Note, Narrowing it Down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act, 7 Charleston L. Rev. 489 (2013) (citing Kerr, supra note 12, at 1644–45).
  25. See United States v. Aleynikov, 737 F. Supp. 2d 173, 194 (S.D.N.Y. 2010) (dismissing CFAA charges against a defendant charged with misappropriating source code belonging to his former employer, while declining to dismiss charges under the Economic Espionage Act of 1996 and the National Stolen Property Act).
  26. See 146 Cong. Rec. S10,916 (daily ed. Oct. 24, 2000) (statement of Sen. Leahy).
  27. See Lessig, supra note 21. See also Victoria C. Wong, Cybersecurity, Risk Management, and How Businesses Can Effectively Fulfill Their Monitoring Role, 15 U.C. Davis Bus. L.J. 201 (Spring 2015) (citing Creating a Culture of Awareness, Nat’l Cyber Security Alliance, http://staysafeonline.org/re-cyber/creating-a-culture-of-awareness (last visited Mar. 15, 2016 8:27 PM)).
  28. Id.
  29. The 1994 amendment to the CFAA added a civil cause of action. 18 U.S.C. § 1030(g).