Chancery Adopts Narrow Interpretation of the Computer Fraud and Abuse Act
The federal Computer Fraud and Abuse Act (“CFAA”) carries both civil and criminal penalties for unauthorized access to protected computers. The Court of Chancery recently decided an issue of first impression in Delaware regarding the CFAA’s scope in connection with a suit by AlixPartners against a former partner for allegedly misusing the company’s confidential information and trade secrets.
Plaintiffs were two entities making up AlixPartners, a global restructuring firm, and the defendant was managing partner of the Paris office before joining a competitor. Defendant allegedly downloaded confidential client information onto his personal data device, both before and after his discharge, and later provided it to his new employer. Litigation ensued and the defendant sought dismissal of the plaintiffs’ claim under the CFAA. Dismissal of that claim turned on whether the defendant was potentially liable under the CFAA for: (i) misusing information obtained from a computer he was authorized to access (the “Broad Approach”); or (ii) unauthorized access to the plaintiffs’ computers (the “Narrow Approach”).
No authority from the Third Circuit, the Delaware district court, or the Delaware state courts exists on the issue. And the federal courts within the Third Circuit that have addressed the issue diverge. With no clear precedent, the Court of Chancery looked to the statute’s plain language and legislative history for guidance and concluded that both favored the Narrow Approach, previously adopted by the Ninth, Second, and Fourth Circuits, and the prevailing trend. The CFAA’s legislative history revealed a congressional intent to combat both foreign and local computer attacks, but, as federal courts have articulated, also a concern for criminalizing actions not clearly warranted by the text, such as an employee’s unauthorized access of information for purposes of working from home. Applying the Narrow Approach in this case, the Court dismissed part of the plaintiffs’ CFAA claim challenging the defendant’s access to information prior to his discharge, because he was still authorized to access the plaintiffs’ computers during that time, but upheld the claim with respect to the information he accessed after leaving, when his access likely was no longer authorized.Share