Ninth Circuit Limits Federal Anti-Hacking Law

Brekka was an employee of LVRC Holdings, LLC. While employed, he was fully authorized to use the employer's network. He emailed several confidential documents to his personal email account during his employment. The employer discovered this activity after Brekka left LVRC. The employer sued Brekka under the federal Computer Fraud and Abuse Act. The CFAA provides for criminal penalties and a civil action against those who:

intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— . . . (C) information from any protected computer if the conduct involved an interstate or foreign communication . . . . 18 U.S.C. § 1030(a)(2). . . .
or who

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of value . . . .
18 U.S.C. § 1030(a)(4).

The issue was whether Brekka exceeded authorization during his employment by sending out company information to his personal account. The court of appeals, agreeing with the district court said he did not.

The court held that an employee's self-dealing is not "exceeding" authorization under the CFAA. Rather, a violation occurs only when the employee (1) does not have authorization to access the files or (2) accesses them after authorization is terminated.

This decision does not affect any state law violations or torts that the employer might bring. It underscores the need for employers to have in place effective policies and procedures for limiting computer access, particularly after employees depart.

The case is LVRC Holdings LLC v. Brekka and the opinion is here.