In June, the U.S. Supreme Court resolved an important issue under the Federal Computer Fraud and Abuse Act (CFAA), which has been used by companies as they battle hackers, rogue employees, and terminated employees. The CFAA imposes criminal and civil liability when a person accesses a computer “without authorization or exceeds authorized access.” Rogue employees who obtain company information without a business need often find themselves facing a suit that seeks, among other things, damages under the CFAA. A company that can invoke a federal statute — especially one that also could create criminal liability — can create significant leverage in litigation.
The Court held that one “exceeds authorized access” when they access a computer with authorization but then obtain information located in particular areas of the computer — such as files, folders, or databases — that are off limits from a security standpoint. In other words, the employee needs to hack into an internal database in order to exceed the access provided by the employer.