3rd Circuit Clarifies Scope of Computer Fraud Abuse Act With Employer's Policies

The U.S. Court of Appeals for the Third Circuit has issued a landmark decision clarifying the scope of the Computer Fraud Abuse Act (CFAA) in relation to employer policies. In a significant ruling, the federal appellate court affirmed that an employee's purported violations of workplace computer use policies cannot be criminalized under federal law as long as there is no evidence of hacking or violations of trade secrets.

The decision was made in the case of National Recovery Agency Group, Inc. v. Nicole Durenleau and Jamie Badaczewski, two former employees of a debt collection firm who were accused of violating the CFAA by breaching their employer's computer policies. The defendants allegedly sent Durenleau's passwords to Badaczewski to access her work computer while she was out sick and working remotely.

The case presented a significant question: can an employee be held criminally liable for violating their employer's computer use policies, even if there is no evidence of hacking or trade secrets breaches? The answer, provided by the Third Circuit, is no. The court ruled that as long as Durenleau and Badaczewski were acting within the scope of their employment and not engaging in any hacking or trade secret violations, they could not be held criminally liable under the CFAA.

"Indeed, there are many other causes of action—breach of contract, business torts, fraud, negligence, and so on—that provide a remedy for employers when employees grossly transgress computer-use policies," said Judge Thomas L. Ambro, who authored the decision and was joined by Judges Thomas Hardiman and Theodore McKee. "The CFAA is the wrong tool for NRA's project. With today's holding, we mean to turn future litigants to other causes of action so that we do not make 'millions of otherwise law-abiding citizens [into] criminals."

The decision is a significant victory for employees and employers alike, as it clarifies the scope of the CFAA and provides a clearer understanding of what constitutes a violation under federal law. By limiting the application of the CFAA to cases involving hacking or trade secrets breaches, the court has provided a much-needed safety net for employees who may unintentionally violate their employer's computer use policies.