A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA – Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)
Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act. Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology. AAT sued the ex-employees for, among other things, alleged violations of the CFAA.
An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them. Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.” Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained through that access, as the former AAT employees allegedly did.
After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative. A CFAA violation occurs when one accesses a computer without permission. Judge Carter gave three reasons for his conclusion. First, in its ordinary meaning, acting without “authorization” refers to the absence of permission. Second, the legislative history of the CFAA indicates that the Act is directed primarily at access rather than misuse. Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly and ambiguities should be resolved in favor of the defendant. Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.
LegalTXTS Note: I’ve blogged on this issue quite a bit. That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both. Here are my previous posts on similar cases.
Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller
One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA