A recent case from the U.S. District Court for the District of New Hampshire highlights the split between the District of New Hampshire and the District of Massachusetts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, in particular the phrase “exceeds authorized access.” Under various provisions of the CFAA, an individual can be liable if certain conditions are met for exceeding his or her authorized access to information in a computer. The District of New Hampshire has taken a narrower view of “exceeds authorized access,” concluding that the phrase does not include violations of computer use restrictions (as opposed to computer access restrictions). The District of Massachusetts, on the other hand, has taken a broader view, ruling that an individual can be liable for misusing another’s confidential information, even when the individual was permitted to access that information. Both courts, as trial courts within the First Circuit, had to contend with the appellate decision EF Cultural Travel BV v. Explorica, Inc. to draw their respective conclusions.
In the New Hampshire case, the court determined that the Ninth Circuit’s decision in United States v. Nosal (which I’ve written about here) was persuasive and that the First Circuit’s decision in Explorica was really about exceeding authorized access rather than exceeding authorized use. In that case, the defendant used a “scraper tool” to obtain pricing data from a competitor’s website and used confidential information obtained from a former employee of the competitor in violation of the employee’s confidentiality agreement with the competitor to do so. The First Circuit held that the defendant likely violated the CFAA by exceeding its authorized access to the website. The New Hampshire court determined that the Explorica decision was better understood as focusing on the unauthorized access to the website gained by the defendant rather than the defendant’s unauthorized use of the website. Because certain of the defendants in the New Hampshire case allegedly only violated computer use restrictions, the New Hampshire court granted summary judgment for them.
But as I’ve previously written, the District of Massachusetts has interpreted the Explorica case differently, focusing on the First Circuit’s statement “that the former employees’ reliance on [plaintiff]’s pricing information reeked of use—and indeed, abuse—of proprietary information that goes beyond any authorized use of [plaintiff]’s website.” This is language from Explorica that the District of New Hampshire decided was “dicta,” i.e., language that is not binding on lower courts. Yet the District of Massachusetts concluded thatExplorica shows that the First Circuit “advocated a broader reading” of the CFAA than the Ninth Circuit.
It’s easy to see how the CFAA could affect an employee who leaves his employer and takes information with him, and these cases show the difficulties federal courts have faced interpreting the CFAA and how it might apply to employees. Even district courts within the same circuit, interpreting the same case, have come to competing conclusions. With the Solicitor General’s recent decision not to pursue review of the Nosal decision by the Supreme Court, where authoritative guidance for all the circuits might have been produced, the difficulties are likely to continue in the foreseeable future.