When Circuit Breakers Trip: Resetting the CFAA to Combat Rogue Employee Access

ALB. L.J. SCI. & TECH. Vol. 21.3, 637 (2011)

40 Pages. Posted: 22 Nov 2010. Last revised: 5 Apr 2015

Obie Okuh

Case Western Reserve University School of Law

Date Written: July 21, 2010

Abstract

This article focuses on the narrow question of whether the Computer Fraud & Abuse Act (18 U.S.C. § 1030 et seq.) should be available to a private-sector employer as a vehicle to litigate classic employee misappropriation cases when such employee’s conduct does not result in damage to the employer’s electronic system, computer's circuitry or programming, or interruption of service. The current circuit split regarding the construction and application of the CFAA’s access authorization provisions to employment cases has meant that an employer’s likely recovery under the statute depends in most instances upon factors external to the employee’s alleged conduct and more on whether and to what extent the court in a particular jurisdiction is willing to voyage into the subjective mindset of the employee during the alleged conduct.

After examining the legislative history of the CFAA, this article argues that the original intent of Congress was to target legislation against outside hackers, and employees of the company were not originally contemplated within the reach of the statute. However, as computer crimes became more sophisticated, Congress took steps to increase protection for owners of commercial information by factoring employee access into the CFAA provisions, albeit without crafting the amendments properly. Further, the article explains the theoretical underpinnings of the circuit split and argues that the split reflects divergent views on how to apply theories of contract, agency, and code-based approaches to the concept of “authorization” within the cyber security and computer information system context. While proffering a draft amendment to the statute, this article concludes by urging lawmakers or courts to 1) eliminate or exempt the “exceeding authorization” analysis when applying the statute to classic employee misappropriation cases; 2) end inquiries that focus on the employee’s subjective intent at the time of the access or the employee’s subsequent use of the information obtained; and 3) focus strictly on the unauthorized nature of the employee’s intrusion upon the employer’s protected computer information – this strict approach should render an employer’s inability to prove the employee’s breach of an explicit contractual prohibition or a trespass of system code an automatic bar to recovery under the statute.

Suggested Citation

Okuh, Obiajulu C., When Circuit Breakers Trip: Resetting the CFAA to Combat Rogue Employee Access (July 21, 2010). ALB. L.J. SCI. & TECH. Vol. 21.3, 637 (2011), Available at SSRN: https://ssrn.com/abstract=1712950 or http://dx.doi.org/10.2139/ssrn.1712950

Obiajulu C. Okuh (Contact Author)

Case Western Reserve University School of Law

11075 East Boulevard
Cleveland, OH 44106-7148
United States
