As we all know, data breaches and cyberattacks have unfortunately become all too common in recent years, and the problem seems to be getting worse. Hardly a day goes by without news of yet another financial institution, corporation or governmental entity whose data has been compromised by criminals seeking unauthorized access for their own personal gain. Colonial Pipeline. Facebook. Capital One. easyJet. Marriott. Uber. SolarWinds. eBay. Home Depot. Yahoo. Experian. Microsoft. The list goes on and on and on. While high-profile data breach incidents have been in the headlines as of late, the problem of people gaining access to data without authorization is as old as computers themselves.
Recognition by Congress of the growing problem of unauthorized computer access was the impetus for the enactment of the Computer Fraud and Abuse Act (CFAA) in 1986. CFAA is a federal statute that prohibits and imposes civil and criminal penalties upon anyone who accesses a computer or computer network (1) “without authorization,” or (2) in a manner that “exceeds authorized access.”
The data breaches and cybercrimes mentioned above – when a stranger gains access to or tampers with a computer network and/or data – fall within the first category of acts prohibited by CFAA; what many courts refer to as “outside hacking.” Outside hacking is always unlawful under CFAA. With respect to the second category – “inside hacking,” in which an employee or other person with limited authority to access parts of a computer network exceeds that authority, the situation is less clear.
More specifically, over the course of the past 30-plus years since CFAA’s enactment, a split developed among the Federal Appellate Courts as to exactly what constitutes inside hacking. Some courts, including those in the Second Circuit where my office is located, have taken a narrow approach to CFAA, holding that the law is only violated when an employee gains access to data or computers that they were not authorized to view or use. An example of this might be a data entry clerk stealing his supervisor’s password and using it to gain access to client records stored in an off-limits area of the computer network. Other courts have taken a more expansive view of CFAA, finding that a violation occurs not only when data is accessed without authorization, but also when data or equipment the employee was otherwise authorized to use is used for an unauthorized purpose.
In the example above, if it was the supervisor who accessed the client records, there would be no CFAA violation since the supervisor is authorized to view those records using her password. If however the supervisor were to copy those records and take them to her new job with a competitor, under the more expansive interpretation of CFAA there would be a violation as the employee would be using the data for an unauthorized purpose.
Recently, the U.S. Supreme Court resolved this split in favor of the narrower interpretation, holding that an employee does not “exceed authorized access” when he gains access to data available to him as part of his duties and then misuses that data. The Court characterized the necessary analysis as a “gates-up-or-down” inquiry for CFAA purposes – either someone has access to data (in which case whatever he or she does is not a CFAA violation), or someone does not have access (in which case whatever he or she does is a CFAA violation). In other words, if your supervisor downloads data entrusted to her and takes it to a competitor, you can’t sue her in federal court under CFAA (although as is discussed below there are other state law remedies available). If a stranger were to hack into your system from the outside and download the same data, CFAA has been violated.
The case in question is Van Buren v. United States, in which the Court reversed a decision by the Eleventh Circuit upholding the conviction of a former police officer who was charged with having conducted a license plate search in exchange for money. While the act clearly constituted an impermissible use of the police department’s database, the question before the Court was not whether the act was wrong, but rather whether it constituted a violation of CFAA. In a 6-3 decision, the Court concluded it did not because the officer had been granted access to the data, and what CFAA criminalizes is unauthorized access to data and/or computer systems. The case has been remanded to the lower court (which imposed an 18-month prison term following a jury trial) for further proceedings.
CFAA has long been criticized for ambiguities in its statutory language. “Exceeds authorized access” is loosely defined in CFAA and “without authorization” is not defined at all. As a result, the statute is capable of being interpreted in an overbroad manner. For example, under the broader interpretation the Court rejected, an employee arguably “exceeds authorized access” within the meaning of CFAA when she uses her company computer to send a personal e-mail, sneak a peek at a YouTube video, or do some online shopping in violation of a company policy prohibiting such activities. While an employer is certainly free to discipline or fire an employee who violates company rules, the Court did not feel such activities should subject an employee to possible prosecution under a computer crimes statute such as CFAA.
Why then, you may be asking, should an employee be free to misuse data entrusted to him without violating CFAA? Again, CFAA is a computer crimes statute whose scope is limited to addressing instances in which data and/or computer systems are accessed without authorization. It is not a general-purpose statute intended to address any and every type of employee wrongdoing involving a computer or data. When an employee misuses or steals data entrusted to him there are remedies available to the employer under state law, including claims for fiduciary breach, misappropriation, and tortious interference.
In conclusion, the best way to avoid outside hacking is to make your computer system and data as secure as possible. This involves taking such security measures as installing firewalls, encrypting sensitive data, using strong passwords (and changing them frequently), backing data up on a regular basis, and regularly installing security patch updates.
Avoiding inside hacking likewise requires undertaking affirmative security measures. While written agreements prohibiting use of confidential and/or proprietary information are a good start, they are exceptionally difficult to enforce. Better practices include monitoring employee computer usage (there are software programs that do this), informing employees that they may be monitored and should have no expectation of privacy when using company computers, limiting access to data to only those employees who require such access to perform their duties, and password-protecting any sensitive data.