Recent CFAA Decision Deepens Circuit Split; SCOTUS Resolution on the Horizon
By John Michels
Last month, the Sixth Circuit ruled that the Computer Fraud and Abuse Act (“CFAA”) does not apply to employees who misuse company data that they were authorized to obtain. The decision,
The Royal case involves two former employees of Royal Truck & Trailer (“Royal”), whom Royal hired as part of the company’s sales team. Both individuals received a company handbook which, among other things, prohibited the “unauthorized use, retention, or disclosure” of Royal’s resources or property. At some point, the two individuals resigned from Royal and began working for one of Royal’s competitors. Meanwhile, Royal discovered that the individuals had forwarded confidential company sales information to their personal email accounts prior to their resignation.
Royal filed suit in the Eastern District of Michigan, alleging that the two former employees had “exceeded” their “authorized access” to company information by using it in violation of company policy, and therefore had violated the CFAA. When the district court held that the CFAA did not apply to the employees’ behavior, Royal appealed to the Sixth Circuit.
The Sixth Circuit affirmed the district court, holding that individuals who are authorized to access a computer do not exceed their authorized access by violating an employer’s restrictions on how that information may or may not be used. The court explained that the provisions of the CFAA demonstrate that the statute is aimed at preventing computer hacking, rather than the misuse of corporate information. In addition, because the CFAA has both criminal and civil implications, the court noted that any decision to the contrary would have “the odd effect of allowing employers, rather than Congress, to define the scope of criminal liability by operation of their employee computer-use policies.”
The decision highlights a longstanding circuit split on the issue of whether the CFAA applies to employees who violate employment policies. Through its decision in Royal, the Sixth Circuit joins the Second, Fourth, Sixth, and Ninth Circuits in adopting a narrow interpretation of the statute—one where the CFAA does not reach an employee’s violation of company policies. In contrast, the First, Fifth, Seventh, Eight, and Eleventh Circuits have rejected that interpretation, holding instead that the CFAA’s prohibition on “exceed[ing] authorized access” encompasses situations where an employee has authorization to access company information, but then uses that information in violation of company policy.
The Royal decision follows in the wake of the Supreme Court’s grant of certiorari in