ASAP
Third Circuit: Absent Hacking, Violating Employer’s Computer-Use Policy Cannot Support a Claim Under the Computer Fraud and Abuse Act
At a Glance
- The Third Circuit’s decision means employers pursuing claims in Delaware, New Jersey, Pennsylvania, and the U.S. Virgin Islands cannot premise claims under the Computer Fraud and Abuse Act solely on a violation of a computer-use policy, absent evidence the employee engaged in code-based hacking.
- The Third Circuit also concluded passwords to the employer’s systems were not trade secrets under state and federal law because there was no evidence the passwords were the product of any specific formula or algorithm and, therefore, did not have independent economic value.
- Although employers now have one less cause of action to pursue against employees for conduct that violates an employer’s computer-use policy, well-crafted confidentiality provisions and strong internal protocol can provide valuable protection when employers face similar circumstances.
On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed an issue of first impression: whether violating an employer’s computer-use policy creates a claim under the Computer Fraud and Abuse Act (CFAA). The court also addressed whether passwords a defendant disclosed were trade secrets under state and federal law.
The court’s answer to both questions was “no,” concluding a current employee does not violate the CFAA by breaching an employer’s computer-use policies absent code-based hacking, and the passwords at issue were not trade secrets under state and federal law because they were not the product of a special formula or algorithm and, therefore, had no independent economic value.
While the Third Circuit’s holding will shrink the universe of claims employers in Delaware, New Jersey, Pennsylvania and the U.S. Virgin Islands may pursue against employees who violate company policies, employers still have many tools to protect their confidential information and business interests.
Background
On January 26, 2021, the defendant employee was out sick with COVID-19 when she learned a key license for her employer was expiring that day. She had no access to a company-issued laptop or the company’s systems, and forgot the password to the licensing platform.
The defendant provided her password to her co-defendant colleague and asked the co-defendant colleague to log in to her (the defendant employee’s) account and send her the password for the licensing platform. However, the password was in a spreadsheet with many other company system and account passwords. The co-defendant colleague copied the password from the spreadsheet and sent it to the defendant employee, and the defendant employee then texted her supervisor the password for the licensing platform so the supervisor could renew the license.
The following day, the co-defendant colleague again logged in to the defendant employee’s company account, and this time emailed the entire password spreadsheet to the defendant employee’s personal email address. This action violated the company’s policies prohibiting employees from sharing credentials and passwords, storing passwords in a manner that could be accessed by others, accessing information by imitating other users, and using company computers for non-work use.
The company sued the defendants for several claims, including violations of the CFAA, the federal Defend Trade Secrets Act (DTSA), and the Pennsylvania Uniform Trade Secrets Act (PUTSA).
The Third Circuit Defines the Scope of CFAA Claims
The company sued under the CFAA’s provisions that prohibit employees from accessing a computer without authorization and exceeding the authorized access. See 18 U.S.C. § 1030. These violations carry civil and criminal penalties. On summary judgment, the district court decided several issues, including whether the defendants acted without authorization and whether they exceeded their authorized access. The district court concluded the defendants did not, and the Third Circuit agreed.
The CFAA defines “exceeds authorized access” as “access[ing] a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” 18 U.S.C. § 1030(e)(6). In Van Buren v. United States, the U.S. Supreme Court further defined when an employee exceeds authorization under the CFAA: “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” 593 U.S. 374, 396 (2021).
The Third Circuit had not previously defined “authorized access,” but it did so in this case, adopting the definition from a previous district court opinion: “an employee is ‘authorized to access a computer when his employer approves or sanctions his admission to that computer.’” The Third Circuit concluded this definition of “authorized access” harmonized with the Supreme Court’s definition of “exceed[ing] authorization” in Van Buren.
Applying these principles, the Third Circuit concluded the company authorized the defendants’ conduct and the defendants did not exceed that authorization. The defendants had access to NRA’s systems by virtue of their employment. The defendant employee’s access allowed her to log in to her computer, create spreadsheets with passwords, and email herself documents. The defendant employee asked her co-defendant colleague to do these things for her. She provided her company credentials to her co-defendant colleague, who was also a company employee with similar access to its systems. These actions, the Third Circuit reasoned, were within the defendants’ access to the company’s systems: “no one hacked anything by deploying code to enter a part of NRA’s systems to which they had no access.” The court explained, “the gates were up, even if the road signs—the [company] policies—all told the women to stop and turn around.”
The court concluded its analysis by defining the scope of cognizable claims under the CFAA: “we hold that, absent evidence of code-based hacking, the CFAA does not countenance claims premised on a breach of workplace computer-use policies by current employees.”
Two considerations informed the court’s holding. First, the court did not want to transform the CFAA, a law meant, in the court’s view, to target hackers, into a vehicle to criminalize employees who disregard policies. The fact that the CFAA carries criminal penalties caused the court to “tread carefully” and consider the implications of extending the statute too far beyond its text and what the court understood the statute’s purpose to be. Second, the court identified many alternative causes of action (i.e., breach of contract, business torts, fraud, negligence) that could allow employers to pursue claims for similar conduct. Together, these considerations assured the court that employers could protect their interests without turning “millions of law-abiding citizens [into] criminals.”
The Third Circuit Holds Passwords Were Not Trade Secrets Because They Did Not Originate from a Formula or Algorithm and Had No Independent Economic Value
In addition to addressing the scope of claims under the CFAA, the court also addressed trade secret claims under state and federal law. The DTSA and PUTSA prohibit individuals from misappropriating trade secrets. See 18 U.S.C. § 1839(3); 12 Pa. Cons. Stat. § 5302. Information is a trade secret if (1) the owner has taken reasonable measures to keep secret, (2) it “derives independent economic value, actual or potential,” from being kept secret, (3) it is not readily ascertainable by proper means, and (4) were it disclosed or used, it would have economic value to who cannot readily access it.
The Third Circuit affirmed the district court’s conclusion that the passwords were not trade secrets because there was no evidence the passwords were the product of any specific formula or algorithm. Instead, the passwords were merely “numbers and letters” that guarded information with independent economic value (i.e., the company’s business records and customer databases). Under those circumstances, the court concluded there was no evidence the passwords had independent economic value and, therefore, were not trade secrets under the DTSA or the PUTSA.
What Can Employers Do in Light of NRA Group, LLC v. Durenleau et al.?
The Third Circuit’s decision in NRA Group LLC means employers have one less cause of action at their disposal when they pursue claims against employees for conduct that violates an employer’s computer-use policy. Evidence short of employee hacking will mean a claim under the CFAA against a current employee for violating company policies is unlikely to be actionable, and evidence limited to a disclosure of a password, by itself, likely will not be sufficient under the DTSA and PUTSA.
However, as the Third Circuit observed, there are many causes of action available to employers, so the NRA Group LLC decision does not leave employers empty handed. If an employer finds itself faced with a similar fact pattern, contracts with tailored confidentiality provisions can still provide valuable protection for employers for employees who engage in this wrongful conduct. A well-crafted confidentiality provision can prohibit employees from disclosing passwords, logging into another employee’s account, and sending emails containing a company’s sensitive information to personal email addresses. Companies can also strengthen their internal protocols to reduce the opportunity for the exfiltration of sensitive company information. Employers should consult legal counsel to determine the best ways to protect their confidential information and business interests.