Back in September, we wrote a pair of posts on the Computer Fraud and Abuse Act, looking specifically at efforts by the Department of Justice to expand the scope of the federal law to make it easier for prosecutors to target employees who make use of employer computers to engage in nefarious activity.
The issue was highlighted in a recent decision by the Second U.S. Circuit Court of Appeals in the case of a former New York City police officer accused of using his access to restricted law enforcement databases to obtain information about parties who became the subject of his violent online chat room fantasies. One of the charges the officer faced was a violation of the federal Computer Fraud and Abuse Act, specifically with respect to its language regarding “exceed[ing] authorized access” of a protected computer.
The federal courts are currently split on the issue of exactly how the statutory language should be applied in cases where an employee or insider exceeds authorized access to a protected computer. Some courts have held that employees can be prosecuted under the law simply for violating restrictions on their use of employer-owned computers, but other courts have held that only access restrictions may become the subject of prosecution under the law. The difference would be between prosecuting an employee for entering a computer or network he or she shouldn’t have entered in the first place and prosecuting an employee based whether his or her specific use of a computer or network he or she had has authorization to access.
In the case mentioned above, the appeal was decided in favor of the police officer on the more narrow reading of the law, that it only targets violations of access restrictions. The decision did little to clarify the ambiguity in the law, though. In fact, the court based its decision on the so-called “rule of lenity,” under which a criminal case is to be decided in favor of the defendant when there are legal ambiguities.
For now, the lack of clarity regarding the law remains. It remains to be seen whether a Supreme Court appeal or legislative clarification will clarify the matter.
Sources:
Reuters, “2nd Circuit ‘cannibal cop’ opinion deepens appellate rift on anti-hacking law,” Alison Frankel, Dec. 3, 2015.