Supreme Court ruling favors employees, limits scope of cybersecurity law

September 2021 employment law letter

Authors:

Betsy Davis, Patrick Houston, and Vivi Besteman, Whiteford, Taylor & Preston, L.L.P.

Employers can no longer rely on their contracts, policies, or industry standards as grounds for pursuing a private lawsuit against employees under the Computer Fraud and Abuse Act of 1986 (CFAA). The U.S. Supreme Court recently decided the CFAA doesn’t regulate a person's authorized access to a computer for an improper purpose. The Court limited claims under the Act to persons who exceed their authorized access.

CFAA background

On June 3, 2021, the Supreme Court handed down a decision in a closely watched case involving the CFAA. While originally enacted to combat criminal computer hacking, the Act was expanded to allow civil remedies, opening the doors for companies to file suit when their computer and IT infrastructure were compromised.

Since then, employers have often sought to use the CFAA to pursue current and former employees for a variety of wrongful uses of computer-accessed information. The targeted conduct often has included the misappropriation of trade secrets, copyrighted materials, and other confidential information.

The CFAA has long been the subject of scrutiny, especially with the latitude several federal circuits have given to prosecutors and employers. Over the years, a circuit split developed between:

Whether liability was triggered by only accessing IT infrastructure without authorization; or
Whether accessing the infrastructure with an unauthorized purpose was enough to trigger liability under the statute.

Court’s decision

Continue reading your article with a HRLaws membership