A recent decision from the Eleventh Circuit highlights an ongoing issue under the Computer Fraud and Abuse Act (“CFAA”): the significance of policy-based restrictions when determining whether a person accessed a protected computer “without authorization” or “exceeded authorized access.”
In United States v. Rodriguez, the Eleventh Circuit upheld the criminal conviction of a Social Security Administration (“SSA”) employee who, as part of his job duties, had access to SSA databases containing sensitive information about individuals. According to the Eleventh Circuit, Rodriguez exceeded his authorized access when he looked up personal acquaintances in the databases, in violation of agency policies that prohibited employees from obtaining database information without a business reason.
The internal policy at issue in Rodriguez was a restriction on access to information. However, courts appear to be divided on the significance of policies that impose limits on data use.
In contrast, the Fifth Circuit has stated that “the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’” The defendant in that case was authorized to view and print all of the information that she accessed, but she nonetheless exceeded authorized access when she violated company policy and misused that information to perpetrate fraud.
In short: careful analysis is required when a defendant’s alleged violation of company policy is the basis of the claim that he or she exceeded authorized access under the CFAA.