Courts Continue to Struggle with “Authorized Access” under CFAA

The Computer Fraud and Abuse Act (CFAA) continues to be a fertile ground for appeals as courts struggle with the scope of an employee’s authorization to access an employer’s computer system. The U.S. Court of Appeals for the Eleventh Circuit recently distinguished authorities from the Fifth and Ninth Circuits in affirming the criminal conviction of a former Social Security Administration employee under CFAA. United States v. Rodriguez [PDF].

Background
While employed at the Social Security Administration, Rodriguez used his computer to obtain sensitive personal information of 17 people, including his ex-wife, ex-girlfriends, and other romantic interests. He accessed their residential and familial information, social security numbers, SSA benefits, and annual income.

The SSA had a written policy prohibiting employees from accessing such data without a business reason. Even after the SSA informed Rodriguez it was conducting a criminal investigation into his use of its databases, Rodriguez continued his unauthorized use.

Convicted for violating CFAA and sentenced to 12 months in prison, Rodriguez appealed to the Eleventh Circuit. He argued that he did not exceed his authorized access to the SSA’s databases in violation of 18 U.S.C. § 1030(a)(2)(B) and that he did not use the information in furtherance of a crime or to gain financially. The Eleventh Circuit affirmed Rodriguez’s conviction.

In reaching its decision, the court distinguished authorities from the Fifth and Ninth Circuits. The Eleventh Circuit distinguished the Ninth Circuit’s decision in LVRC Holdings v. Brekka [PDF] because, unlike the SSA, the employer in that case did not have a specific policy prohibiting the conduct at issue.

Rodriguez argued that the Fifth Circuit’s decision in United States v. John[PDF] supported his contention that he could only “exceed” his authorization to use the SSA’s computer systems if he used the information for criminal purposes. He argued he did not defraud anyone or gain financially from his conduct. The Eleventh Circuit did not agree, noting: “[t]he problem with Rodriguez’s argument is that his use of information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access.”

Litigating the Gray Area
“Going forward, the litigation is going to be in this gray area of what is authorized versus unauthorized access by employees,” according to Kenneth C. Pickering, Worcester, MA, cochair of the ABA Section of Litigation’s Criminal Litigation Committee. Employers can bolster their chances of success in a criminal or civil prosecution “by clearly defining their employee policies, especially those concerning employees’ computer usage,” he says, “and by showing they actually enforced those policies.”

Conversely, employees should focus on an employer’s selective enforcement of a policy. “If an employee can show that everyone engages in the prohibited conduct, that the employer knew about it but failed to apply the policy consistently across the board, he will have a better case,” advises Aaron M. Danzig, Atlanta, cochair of the Cybercrimes Subcommittee of the Section of Litigation’s Criminal Litigation Committee.

One thing is certain, according to Danzig, it is “clearer and clearer” that the U.S. Supreme Court will have to take up one of these cases to resolve inconsistencies between circuit decisions.

Keywords: litigation, CFAA, computer fraud and abuse act, criminal litigation

Be the first to comment.

Copyright © 2012, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).