The Computer Fraud and Abuse Act (“CFAA”) gives rise to an actionable claim if someone “knowingly access[es] a computer without authorization or exceed[s] authorized access.” 18 U.S.C. § 1030(a)(1). The term “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). In recent years, plaintiffs have attempted to argue that someone “exceeds authorized access” under the CFAA when they access work-related information on their employer-issued computer for non-work-related reasons. In Georgia, courts appear to be divided on whether such an allegation gives rise to a valid CFAA claim.

For example, in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), the Eleventh Circuit adopted a broad view of the definition of “exceeds authorized access,” holding that when an employer has a policy limiting an employee’s computer access to that done for business purposes, an employee who accesses that information for non-business purposes exceeds authorized access. In Rodriguez, the defendant worked for the Social Security Administration, which had a policy that the use of its databases to obtain personal information was authorized only when done for business reasons. 628 F.3d at 1263. The defendant conceded that his access of the personal information at issue was not done in furtherance of his duties as a teleservice representative. Id. As such, the court ruled that the defendant had exceeded his authorized access under the CFAA.

The following year, the Northern District of Georgia applied Rodriguez’s broad interpretation of “exceeding authorized access,” holding that an employee’s e-mailing of confidential employer information to herself without a business purpose exceeded any authorized computer access and, therefore, violated the CFAA. See Amedisys Holding, LLC v. Interim Healthcare of Atlanta, Inc., 793 F.Supp.2d 1302, 1315 (N.D. Ga. 2011) (“[T]here is no question that [an employee] exceeded any authority she had when she sent [documents] to herself after accepting a position at [another company] for use in competing with [the plaintiff].”)

Since Rodriguez and Amedisys, however, several district courts in the Eleventh Circuit, including at least one in Georgia, have applied a narrower definition of “exceeds authorized access,” concluding that if a defendant has full administrative access to a computer, a claim for unauthorized access cannot be stated under the CFAA. See, e.g., Power Equip. Maint., Inc. v. AIRCO Power Servs., Inc., 953 F.Supp.2d 1290, 1297 (S.D. Ga. 2013); Enhanced Recovery Co. LLC v. Frady, No. 3:13-cv-1262-J-34JBT, at *26 n.7 (M.D. Fla. Mar. 31, 2015).

The Power Equip. decision is particularly instructive on the issue, explaining that:

the CFAA focuses on an individual’s unauthorized access of information rather than how a defendant used the accessed data. More specifically, the proper inquiry is whether an employer had, at the time, both authorized the employee to access a computer and authorized that employee to access specific information on that computer. 953 F.Supp.2d 1290, 1295 (S.D. Ga. 2013) (emphasis in original).

The court further held that the CFAA

does not confer upon employers the ability to sue their employees in federal court for violations of company policy regarding computer usage… [It] does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.

Id., at 1296 (emphasis added). Other courts in the Eleventh Circuit have held the same. See Trademotion, LLC v. Marketcliq, Inc., 857 F.Supp.2d 1285, 1291 (M.D. Fla. 2012) (concluding that plaintiff failed to state a claim under CFAA because plaintiff admitted that defendant had “full administrative access” to plaintiff’s computer system).

Takeaway

When deciding whether to assert a cause of action under the CFAA based on “exceeding authorized access,” the safest course of action in Georgia is to only do so when the facts demonstrate that the individual in question did not have permission to access the information in question. If the individual was given access to the information in question, but you believe that they accessed that information for a non-work-related purpose, consider relying on alternative theories of liability, such as conversion, breach of contract, or misappropriation.