The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act ("CFAA") provides a powerful tool in private litigation for persons or businesses injured by former employees, hackers, spammers, and many others.   The CFAA generally prohibits (1) the unauthorized accessing (2) of a "protected" computer (3) with the intent either (a) to obtain information, (b) to further a fraud, or (c) to damage the computer or its data. The CFAA criminalizes, and provides a civil remedy for such criminal violations, for a variety of actions involving computers.   Section 1030(a)(2) provides that it is a crime (1) to obtain information (2) by intentionally accessing (3) a protected computer (4) without authorization.

Section 1030(g) expressly provides the civil remedy for violation of the CFAA to any person who suffers "damage or loss" from a violation of the CFAA. The aggrieved party may obtain compensatory damages and injunctive relief or other equitable relief.

The U.S. District Court for the Western District of Oklahoma held that an employee who downloaded shareware from the Internet in violation of company policy may be liable under the CFAA for using the downloaded software to obtain confidential company documents. In Musket Corp. v. Star Fuel of Oklahoma LLC, the court held that anyone who is authorized to use a computer for certain purposes but goes past those limitations is considered to have "exceeded authorized access" under the CFAA. Thus, the employer is entitled to compensatory damages and injunctive relief.

An employee likely loses his/her status as an "authorized" user of a computer when he/she acts as an agent of a competitor or is no longer acting in the interests of the employer.   The court in Shurgard Storage Centers, Inc. v. Safeguard Self Storage Inc. addressed such a situation.   There, the key employees of plaintiff were hired away by defendant, Safeguard. The plaintiff alleged that some of the key employees e-mailed trade secrets to defendant while still employed by plaintiff. The court held that the employees may have ceased to be authorized users when they began acting for the benefit of another.

The U.S. District Court in Pennsylvania recently held, however, that an employer who hired former employees from a competitor could not be held liable under the CFAA for viewing and editing the competing company's documents that he received via email from the employees because the employer viewed the documents on its computers.   In Dresser-Rand v. Jones,the Court held that "authorization" meant that an employee who was given access to a work computer was authorized to access that computer regardless of his intent to misuse information and any policies regulating the use of information.   The Court held that the employees were authorized to access their work laptops, and therefore, could not be liable under the CFAA for downloading documents to external storage devices even if they later misused those documents to compete against the company.

The courts are split between what is cast as a broad versus a narrow interpretation of the term "without authorization" under the CFAA. Under the narrow view, an employee given access to a work computer is authorized to access that computer regardless of his or her intent to misuse information and any policies that regulate the use of information. Under the broad view, if an employee has access to information on a work computer to perform his or her job, the employee may exceed his or her access by misusing the information on the computer, either by severing the agency relationship through disloyal activity, or by violating employer policies and/or confidentiality agreements.

Although the CFAA has far-reaching effects as it relates to criminal penalties, such as the newly drafted CFAA would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions or if you violate the terms of a service on a website, it provides another layer of protection for employers to protect themselves from theft of their trade secrets and other proprietary information.



5301 Spring Valley Rd.

Suite 200

Dallas, Texas 75254





Shauna A. Izadi practices in the areas of commercial litigation, products liability, construction litigation, consumer law, and business law. She received her B.A. in Journalism from the University of Oklahoma in 2000, and received her J.D. from the University of Oklahoma School of Law in 2003. Ms. Izadi was admitted to practice law in Texas in 2003, and admitted to practice law in Oklahoma in 2005.

She is also admitted to practice before the United States District Courts for the Northern, Eastern, and Western Districts of Texas, and the Northern and Western Districts of Oklahoma. Ms. Izadi is an active member of the Dallas Bar Association, serving as a volunteer for the Dallas Volunteer Attorney Program. Ms. Izadi is also a member of the Texas Bar Association, Oklahoma Bar Association, and the Dallas Association of Young Lawyers.




Business Law, Commercial Litigation, Construction, Products Liability, Real Estate