New and interesting decision from the Third Circuit in NRA Group, LLC v. Durenleau and Badaczewski.
The Computer Fraud and Abuse Act (CFAA) prohibits "access[ing] a computer without authorization" and "exceeding authorized access." It imposes both civil and criminal liability.
Here, the employer initiated CFAA actions against two former employees based on violations of the employer's computer use policies. As summarized by the Court:
While employed . . . Nicole Durenleau was out sick. She urgently needed a work document, but she had no way to access it. Her friend and colleague, Jamie Badaczewski, logged in to Durenleau’s computer from the office, accessed the document—a spreadsheet with Durenleau’s passwords—and emailed it to Durenleau. She did so with Durenleau’s express permission, but the pair’s actions, including Durenleau’s creation of the spreadsheet, breached workplace computer-use policies.
This conduct violated numerous workplace rules, including those against sharing credentials, failing to maintain exclusive control of IDs and passwords, storing login information in a "readable form" (the spreadsheet), and accessing information the employee was not responsible for, among others.
Because the CFAA provides for both civil liability and criminal penalties, the Court cast the claims as the employer "ask[ing] us to make the employees' conduct a federal crime." The Third Circuit held "for the first time" that "the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, does not turn these workplace-policy infractions into federal crimes." Further, "we hold that, absent evidence of code-based hacking, the CFAA does not countenance claims premised on a breach of workplace computer-use policies by current employees."
Now, that is not to say that employers are left without any remedies for employee misuse of their computer systems. As the Court noted:
Indeed, there are many other causes of action—breach of contract, business torts, fraud, negligence, and so on—that provide a remedy for employers when employees grossly transgress computer-use policies.
This case has a ton of other issues (some of which were stayed pending the appeal). One additional interesting holding from this decision: "the passwords were not trade secrets" because they did not have "independent economic value." Put differently, "it is what the passwords protect, not the passwords, that is valuable."