The Department of Justice has decided not to appeal the Ninth Circuit's decision in U.S. v. Nosal, where the Court held that the CFAA only applies to hackers, as opposed to employees who misuse their corporate computer access. Thus, in the Ninth Circuit, the CFAA would not apply to an employee who steals corporate information and provides it to a competitor or an employee who intentionally deletes information from his or her employer's computer systems. Our prior summary of the Ninth's Circuit's opinion in U.S. v. Nosal can be found here.
The refusal of the DOJ to appeal to the Supreme Court results in a circuit split where the Fourth and Ninth Circuit explicitly forbid CFAA claims against employees, whereas the Fifth, Seventh, and Eleventh Circuits explicitly permit such claims against employees. Although there are other state claims an employer could pursue against employees who misuse their computer access, these state claims deal more with employee disloyalty, breach of contract, or trade secret theft as opposed to the misuse of the computer. For this reason, CFAA claims are preferred as computer access can be easily traced and the information an employee is authorized to access should be known. A further benefit of suing under the CFAA is that employers have the option to bring actions in federal, as opposed to state, court.
When faced with a situation where a company wishes to pursue an action against an employee for stealing, altering or destroying company data, it is important to check not only if your circuit allows for a CFAA claim against employees, but also the requirements for a CFAA claim in your circuit. For instance, even within the Third Circuit, there is a no definitive answer as to whether the employee must actually damage the computer systems or if the costs associated with the responding to the misuse of a company's computer systems is enough to meet the damage or loss element to the CFAA. For those employers who live in a jurisdiction where the CFAA can be brought against employees, it is a valuable tool that should be used against former employees who misuse corporate computer data.