The Computer Fraud and Abuse Act began as a federal criminal statute, but it has turned into an oft-used weapon in civil litigation.  See U.S.C. § 1030, et seq. (CFAA). Now, criminal and civil litigants await the Second Circuit’s decision on what exactly the CFAA covers.

Looking at the statute’s plain language, the CFAA applies when a defendant “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).

How the statute applies to the real world is much more complicated. Does the CFAA apply when an employer gives an employee access to use computer files for work, but the employee uses those files to help a competitor? What happens when a police officer uses police databases for personal purposes even though department policy limits use for  government investigations? Is such access “without authorization” and does it “exceed[] authorized access”?

The Second Circuit has not ruled on these issues in the civil or criminal context. In May, however, the Second Circuit heard oral argument in United States v. Valle, 14-4396-cr, a case in which the Court has the chance to answer these questions.

In Valle, a police officer, referred to as the “Cannibal Cop” because of his use of certain Internet chat rooms, was convicted of violating the CFAA when he used the police department’s database to conduct his own personal searches. Did this violation of the department’s data use policy violate the CFAA?

The Second Circuit has the opportunity in Valle to clarify the scope of the CFAA. We will update you on the CFAA and the Cannibal Cop when the Valle decision comes out.