Computer Fraud and Abuse Act

May 2010Alerts Litigation Department Alert

A recent federal case in the Middle District of Tennessee highlights a split among federal circuit courts over the interpretation of the Computer Fraud and Abuse Act's (CFAA) civil cause of action for access of a protected computer without authorization or that exceeds the scope of permitted authorization. In ReMedPar, Inc. v. AllParts Med., LLC, No. 3:09-cv-00807 (M.D. Tenn. Jan 4, 2010), plaintiff filed a civil CFAA claim against an independent contractor who, after being given access to the plaintiff's computers, unique proprietary software and source codes, allegedly helped a competitor develop a comparable software system using confidential information to which he was exposed. The court dismissed the claim, holding that the contractor's alleged conduct was not without or exceeding authorization (as is required for a civil claim under the CFAA) because the contractor accessed the computers, software and code with the plaintiff's permission.

In making the distinction between exceeding authorization and misusing accessed information, the court acknowledged a split that exists among the federal circuits in their respective interpretations of the CFAA. The Middle District of Tennessee joins other courts, like the 9th Circuit, in holding that, by virtue of the plain meaning of the statute, CFAA civil claims should be limited to situations where the access at issue truly exceeds or is without authorization, such as hacking, and not to situations where authorization is misused. Notably, the District Court for the Eastern District of Pennsylvania agreed with this approach last year in the opinion for Bro-Tech Corp. v. Thermax., Inc., 651 F.Supp.2d 378 (E.D. Pa. 2009). To the contrary, other courts, such as the 1st and 7th Circuits, hold that civil claims are permitted under the CFAA whenever a person misuses access in a way that is adverse to the authorizer's interests.