Tuesday, September 22, 2009

Disloyal employees are not hackers, says court

An appeals court has ruled that a former employee who took company data with him for his own business did not violate the Computer Fraud and Abuse Act, despite his unethical actions. This outcome pits the court against itself as to whether disloyal computer use counts as unauthorized access. This surely gives some relief to people who are planning insider attacks on an organization.

The "unauthorized access" provision of the Computer Fraud and Abuse Act (CFAA) has turned out to be quite an asset to those looking to prosecute people for all manner of actions involving computers, even though it was originally meant to target hackers. The Ninth Circuit Court of Appeals has ruled, however, that it cannot be used to prosecute someone for being disloyal with company info after quitting—a decision that is being applauded by CFAA critics who want to limit the statute.

The decision came after a company named LVRC Holdings filed a lawsuit against a former employee, Christopher Brekka, his wife, Carolyn Quain, and their independent consulting business. LVRC had accused Brekka of using company computers "without authorization" to e-mail himself LVRC client files so that he could use that information for his personal business after leaving the company.

Based on that description, one might assume that Brekka had used his or someone else's credentials to break into the network after he quit, but that's not exactly the case. As it turns out, Brekka had e-mailed the documents to his home PC while he was still an employee at LVRC, using login information that the company admin had sent to him. The documents he e-mailed included a financial statement for the company, LVRC’s marketing budget, and admissions reports for patients, among other things. Not so coincidentally, Brekka apparently did this while he was in talks to acquire part of LVRC. Those talks eventually broke down and Brekka left the company.

Brekka subsequently used the data to help his own consulting business, which he runs with his wife. You could argue that his actions were unethical and downright slimy, but LVRC brought charges under the CFAA, saying that he had gained unauthorized access to LVRC machines in order to get the data. LVRC had argued that Brekka's intent at the time of access determined whether or not he was authorized—basically, the company said he was committing a "thought crime."
