TAKEAWAYS: If your company intends to limit its employees access to certain information on the company network, (1) make sure appropriate technological restrictions are in place and are working; and (2) make sure there are appropriate policies or other documentation in place to show the employees subjectively knew it was off limits.
When an employer intends to keep a network folder restricted from employees, but fails to (1) objectively communicate this intention or (2) secure the folder from general access, an employee who accesses the folder and takes data from it does not violate the Computer Fraud and Abuse Act (CFAA), even if he does so for an improper purpose.
Why policies are critical–explained HERE
In Tank Connection, LLC v. Haight, 2016 WL 492751 (D. Kan. Feb. 8, 2016), the court granted the former employee’s motion for summary judgment against the employer’s CFAA claim. The employer had argued that the folder in question was supposed to be restricted from the employee’s access with technological barriers in the form of restricted user account privileges. However, “during a server migration there was a security breach” that made the folder accessible to the employee and, at that time the employee accessed the folder and obtained the data.
The court found two distinct problems with the employer’s argument:
- Regardless of how it may have intended to restrict the folder on the network, it did not do it. The folder was openly available for the employee to access.
- The employer had no objective evidence to support its claim that employees knew the folder was off limits. It had no policies, no manuals, no training materials, no emails, or anything else that could corroborate its claim that the employees knew they were not authorized to access the folder.
In its order, the court applied the following reasoning in reaching its holding:
When an employee has been granted general authority to access a particular area of a computer or server, as was Haight, the fact that his employer had an unexpressed desire or intent to limit his access to a portion of that area does not establish unauthorized access within the meaning of § 1030. Tank Connection authorized Haight to access information in the shared folders. It cites no evidence that it ever conveyed to Haight or to others that they were restricted from accessing any information in the shared folders generally or from Horton’s folder in particular. The fact that Tank Connection inadvertently provided Haight with access to the folder did not restrict or limit his authority. Cf. United States v. Valle, 807 F.3d 508, 525 (2nd Cir. 2015) (invoking the rule of lenity and observing that “the legislative history consistently characterizes the evil to be remedied – computer crime – as ‘trespass’ into computer systems or data, and correspondingly describes ‘authorization’ in terms of the portion of the computer’s data to which one’s access rights extend.”). Nor does the fact that Haight apparently accessed these folders for purposes contrary to Tank Connection’s interests amount to evidence that he exceeded “authorized access.” Case law makes clear that the relevant question is whether he was authorized to access the area or the information, not whether he did so with an improper purpose in mind. Cf. Valle, 807 F.3d at 527. 7 See also Lugo, 595 F.Supp.2d at 1194 (“The court follows the line of cases that have rejected a reading of the CFAA by which the defendant’s intent may determine whether he has acted without authorization or has exceeded his authorized access.”). Under the uncontroverted facts, Tank Connection has failed to show a genuine issue as to whether Haight “exceed[ed] authorized access” within the meaning of § 1030(a)(2).
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.