4th Circuit limits application of Computer Fraud and Abuse Act

Court declines to extend CFAA penalties to employees who violate computer-use policies at work

Twenty days after leaving his job as a project director for WEC Carolina Energy Solutions Inc., Mike Miller made a presentation to a prospective client on behalf of Arc Energy Services Inc., a competing provider of specialty welding services. According to WEC, Miller, with the help of his assistant, stole proprietary information from WEC by emailing it from his office email account to his personal Gmail account. Miller then allegedly used that information to lure customers away from WEC for Arc.

WEC sued Miller, his assistant and Arc under the Computer Fraud and Abuse Act (CFAA). That statute, which Congress enacted in 1986, makes it illegal to intentionally access a computer without authorization or to exceed authorized access to a computer to obtain information. Individuals who violate the act can be held liable for any consequential damages and may be subject to criminal penalties including fines and up to 10 years in prison. WEC claimed that Miller and his assistant violated the CFAA because WEC’s employee computer-use policy did not permit employees to download confidential or proprietary information to their personal computers.

Emerging Split

Since Congress updated the CFAA in 2007, employers have been using the statute as a hook to bring disputes with former workers into federal court rather than rolling the dice litigating traditional employment torts in less predictable state court venues. As more of these cases make their way to the federal appeals courts, there is an emerging circuit split over whether it’s appropriate to extend the CFAA to employment disputes.

Adele Nicholas
