The Computer and Internet Law Blog

The following is another news item sitting in my perpetual ‘time permitting’ stack, pertaining to the Computer Fraud and Abuse Act, and what it means to “exceed[] authorized access” (at least in some districts):

Last month, the District Court for the Western District of Tennessee issued a ruling in Black & Decker (US), Inc. v. Smith, No. 07-1201, 2008 WL 2757081 (W.D.Tenn. Jul. 11, 2008), dismissing several claims asserted by Black & Decker against a former employee under the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

In Smith, the plaintiff employer provided the defendant former employee with access to confidential and proprietary documents as part of the latter’s employment. When the defendant resigned to work for a competitor, he copied documents from the plaintiff’s secure servers. The plaintiff discovered the copies, and brought an action against the defendant, alleging, among other things, violations of the Computer Fraud and Abuse Act.

The defendant moved to dismiss several claims, including the ones arising from the Computer Fraud and Abuse Act. The district court acknowledged the split in legal authorities concerning employees who misuse information legitimately obtained via authorized access to a computer system, and whether such misuse gave rise to an action under the Act. The court then looked to the plain language of the Act, and found that it targeted the unauthorized procurement or alteration of information, not the misuse of information that an employee is authorized to access.

Since the plaintiff had authorized the defendant to access the computer systems, the court dismissed most of the Computer Fraud and Abuse Act claims. However, the court permitted the plaintiff to proceed on several other claims, including one under Section (a)(5)(A)(i) of the Act for “knowingly caus[-ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[-ing] damage without authorization, to a protected computer.”