As readers of this blog know, there is a split among federal courts over the proper interpretation of the Computer Fraud and Abuse Act (CFAA). Some courts, like the Ninth Circuit Court of Appeals on the West Coast, believe that the law is narrow and only imposes criminal and civil liability for “hackers,” people who actually “break in” to a company’s computer system to access information. But other courts like the First Circuit based in New England think the law is broader and applies to disloyal employees as well. These are employees who, for example, were authorized to access a company’s confidential information as part of their job, but then used that information to compete with their employer.
In a recent article in The Atlantic, Orin Kerr and Lawrence Lessig argue that Congress is trying to make the CFAA worse by expanding its reach, not better by limiting its scope. As part of their argument, they explain why the CFAA needs reform in the first place. They say it has gotten “way out of hand” and has become a “sprawling mess” in part because “Congress has expanded the law several times, making its reach broader and its punishments more severe.” This, I think, helps explain why some courts have interpreted the law broadly. Judge Nathaniel Gorton of the District of Massachusetts said as much when he opined that “a narrow reading of the CFAA ignores the consistent amendments that Congress has enacted to broaden its application.” Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009). Courts must interpret the laws, not make them, so when a law is a “sprawling mess,” courts are naturally going to have difficultly applying it.