Background
The Third Circuit recently ruled that an employee’s violation of workplace cyber policies does not amount to “unauthorized access” under the federal Computer Fraud and Abuse Act (CFAA). In NRA Group, LLC v. Durenleau, the company sued two former employees for sharing passwords and accessing systems in violation of company policy, arguing that this triggered CFAA liability. The Court disagreed, finding that the CFAA was intended to target true “hacking” of protected computers, not policy breaches by employees who already had system access. The Court explained that if mere policy violations triggered the CFAA, millions of everyday employees could be treated as criminals.
Why This Matters for Employers
This decision fits into a national trend of courts expressing reluctance to let employers stretch general statutes to address internal workplace disputes. The Court emphasized that employers should rely on practical and contractual measures to protect confidential information rather than trying to turn policy violations into statutory claims. For employers, this case is a warning not to depend solely on federal laws like the CFAA to safeguard sensitive digital data.
What’s Next?
Employers should take the Court’s guidance to heart by strengthening internal enforcement of cyber policies and clearly managing employee expectations. Policies alone, however, are not enough to secure valuable business information. The most effective strategy is to pair robust cyber policies with strong contractual protections, such as non-disclosure agreements and other restrictive covenants where enforceable. Together, these measures provide employers with discernible remedies if confidential information is misused or mishandled by employees.
The Labor & Employment Group at Lindabury has substantial experience preparing and strengthening employers’ cyber policies and drafting employment contracts, non-disclosure agreements, and more specific restrictive covenants.