Agency, Code, or Contract: Determining Employees’ Authorization Under the Computer Fraud and Abuse Act

The federal Computer Fraud and Abuse Act (“CFAA”) provides for civil remedies against individuals who have accessed a protected computer without authorization or in excess of their authorization. With increasing numbers of employees using computers at work, employers have turned to the CFAA in situations where disloyal employees have pilfered company information from the employer’s computer system. The vague language of the CFAA, however, has led courts to develop three different interpretations of “authorization” in these CFAA employment cases, with the result that factually similar cases in different courts can generate opposite outcomes in terms of employee liability under the statute. This Note examines the three alternative interpretations of authorization in CFAA employment cases and concludes that courts should generally employ a code-based interpretation as the default definition of authorization under the CFAA, with employment contracts that clearly outline the limits of employee computer access providing meaning to authorization in cases where courts in their discretion find it to be appropriate.