The Computer Fraud and Abuse Act: Considerations for Employers

  • United States
  • 11/09/2017
  • By Matt Heller (US) Norton Rose Fulbright LLP © 2017. All Rights Reserved.

Although the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) is a federal statute that primarily protects against unauthorized computer access such as hacking, it can also impact employers in the realm of social media. Originally enacted in 1984, CFAA makes it illegal to access knowingly or intentionally a “protected computer” without authorization or in excess of authorized access.

Protected computers are defined broadly to include all computers that are used in or affect interstate commerce, and thus include most employer-owned computer systems.

Violations of CFAA may result in criminal penalties, and CFAA also permits individuals (and employers) to bring a civil action for damages or injunctive relief. Employees rarely sue their employers under CFAA, but employers should nonetheless consider CFAA in formulating their social media policies and determining how they will regulate employee use of social media.

Employers generally are permitted to access and view any public social media content without running afoul of CFAA, and CFAA may even protect an employer’s right to access public social media content. In a recent case, hiQ Labs, Inc. v. LinkedIn Corporation, No. 3:17-cv-03301, 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017), the Federal District Court for the Northern District of California acknowledged that “CFAA was not intended to police traffic to publicly available websites on the internet—the Internet did not exist in 1984.” Importantly, context matters: while the court found that the use of password systems on social websites was an important factor, and despite the fact that LinkedIn had revoked hiQ’s authorization to view content, the court did not see any issues with hiQ accessing LinkedIn’s public social media profiles and content. As such, the court granted a preliminary injunction enjoining LinkedIn from blocking hiQ from accessing, copying, or using any of LinkedIn’s public profiles.

In contrast, employers may violate CFAA if they access employees’ private social media profiles without permission or if they delete any content in employees’ profiles, as “access” under CFAA is not limited to physical access of a computer, and social media profiles are typically password protected. Accordingly, employers should be cautious of accessing an employee’s private social media profile unless the employee consents or grants the employer permission to view the profile. Even then, employers must still be cautious of any state privacy laws, and an employer should only view an employee’s private social media content if the employee accesses the profile on a company computer or device, the employer’s policies allow for it, and the employee has consented to the employer’s policies.

In drafting their social media policies, employers should always be sure to state that employees have no expectation of privacy on company-owned computer systems, devices, networks, and internet and that any employee activities thereon are not private. With respect to CFAA, employers should declare that they reserve the right to view employees’ public social media profiles, and if employers would like to regulate any private social media activity on company computer systems, devices, and networks, their policies must explicitly state this as well, but employers must first carefully review any applicable state privacy laws. Employers should also have employees sign an acknowledgement or authorization for the social media policy.

As a final consideration, CFAA can also be used aggressively by employers as a tool against individuals who access computers or stored data without authorization. However, CFAA is not a substitute for the Defend Trade Secrets Act (DTSA), and CFAA does not always apply in cases involving misappropriations of trade secrets by former employees absent some form of unauthorized computer access. For example, the Ninth Circuit held in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. Sept. 15, 2009), that a former employee did not “exceed authorized access” in violation of CFAA by emailing himself documents before resigning. But employers may state a claim against former employees under CFAA if the former employee accessed the employer’s computer systems and transferred data without authorization after the termination of employment.

https://www.socialmedialawbulletin.com/2017/11/computer-fraud-abuse-act-considerations-employers/