Wired reports that a recent federal court decision would make it possible for a private-sector employee to be found in violation of the the Computer Fraud and Abuse Act for simply violating their employer’s data policies, without any real “hacking” having occurred. This not only applies to data access, like grabbing data via a non-password-protected computer, but also to unauthorized use, such as emailing or copying data the employee might otherwise have permission to access.
On face, this doesn’t seem entirely unreasonable. Breaking and entering is a crime, but so is casually walking into a business or home and taking things that aren’t yours, so it seems like data theft, even without any “hacking,” should be a crime. For the law to be otherwise would create a “but he didn’t log out” defense for would-be data thieves.
But what about unauthorized use? Is there a physical property equivalent of this? Could I be criminally liable for using the corporate car to drag race my against my neighbor, or would I only be fired and potentially sued in civil court? Does this new interpretation CFAA simply expand the scope of this law into realms already covered, perhaps more appropriately, by statutes that specifically address trade secrets or other sensitive information in a broader way that doesn’t involve computing technology?
Judge Tena Campbell noted in the dissent that under the ruling, “any person who obtains information from any computer connected to the internet, in violation of her employer’s computer-use restrictions, is guilty of a federal crime.” So, perhaps this is a case of the court overreaching in an incredibly dramatic fashion.
I hope my lawyerly co-bloggers can weigh-in on this issue.
HT: Ryan Lynch