A recent decision from the Eleventh Circuit highlights an ongoing issue under the Computer Fraud and Abuse Act (“CFAA”): the significance of policy-based restrictions when determining whether a person accessed a protected computer “without authorization” or “exceeded authorized access.”
In United States v. Rodriguez, the Eleventh Circuit upheld the criminal conviction of a Social Security Administration (“SSA”) employee who, as part of his job duties, had access to SSA databases containing sensitive information about individuals. According to the Eleventh Circuit, Rodriguez exceeded his authorized access when he looked up personal acquaintances in the databases, in violation of agency policies that prohibited employees from obtaining database information without a business reason.
The internal policy at issue in Rodriguez was a restriction on access to information. However, courts appear to be divided on the significance of policies that impose limits on data use.
In the recent case of United States v. Zhang, for example, the defendant downloaded proprietary business documents shortly before quitting to join a rival company, in violation of a nondisclosure agreement, terms of use, and limited-use license agreement that forbade accessing confidential information for purposes other than furtherance of the business relationship. Because Zhang had permission to access the documents, the U.S. District Court for the Northern District of California found that the defendant had not exceeded his authorized access. The nondisclosure agreements, terms of use, and license agreements were simply private contracts governing use, not access. The court reached a similar decision in Accenture, LLP v. Sidhu (“[A]ccess is not established by employers’ policies, but by the extent the employer makes the computer system available to the employee.”).
In contrast, the Fifth Circuit has stated that “the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’” The defendant in that case was authorized to view and print all of the information that she accessed, but she nonetheless exceeded authorized access when she violated company policy and misused that information to perpetrate fraud.
In short: careful analysis is required when a defendant’s alleged violation of company policy is the basis of the claim that he or she exceeded authorized access under the CFAA.