intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— . . . (C) information from any protected computer if the conduct involved an interstate or foreign communication . . . . 18 U.S.C. § 1030(a)(2). . . .or who
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct18 U.S.C. § 1030(a)(4).
furthers the intended fraud and obtains anything of value . . . .
The issue was whether Brekka exceeded authorization during his employment by sending out company information to his personal account. The court of appeals, agreeing with the district court said he did not.
The court held that an employee's self-dealing is not "exceeding" authorization under the CFAA. Rather, a violation occurs only when the employee (1) does not have authorization to access the files or (2) accesses them after authorization is terminated.
This decision does not affect any state law violations or torts that the employer might bring. It underscores the need for employers to have in place effective policies and procedures for limiting computer access, particularly after employees depart.
The case is LVRC Holdings LLC v. Brekka and the opinion is here.