Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Roberto Rodriguez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.
What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).
Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized access. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.
The case is significant because it is the first federal appellate court decision to hold that an employer can use a policy to establish the scope of authorized access for purposes of the CFAA. Private employers have increasingly invoked the CFAA’s civil remedies to support claims against disloyal employees who steal or delete information stored on their employer’s computer system. However, the Ninth Circuit recently created some doubt as to the viability of these claims in LVRC Holdings, LLC v. Brekka. In Brekka, the Ninth Circuit held that an employee did not violate the CFAA by e-mailing to his personal account confidential business information that he was authorized to access even though he did so with the intent of using the information to advance his personal interests. In the Rodriguez case, the Eleventh Circuit distinguished Brekka on the ground that the employer in that case had no policy expressly informing employees that they could not access confidential business information for nonbusiness purposes.
The upshot for employers seems straightforward. Stating in a policy the permissible scope of an employee’s authorization to access information stored on the employer’s computer system should support a CFAA claim in the Eleventh Circuit and possibly would give the employer a leg to stand on in the Ninth Circuit. How the employer would fare in other federal circuit courts is yet to be seen. However, it cannot be gainsaid that having a policy that specifies the permissible scope of access — as well as training employees on that policy and reminding them of it through different forms of notice — would put the employer in a stronger position than having no policy at all.