The Computer Fraud and Abuse Act: A Digital Hammer in Search of Digital Nail

The Computer Fraud and Abuse Act of 1986 (“CFAA”)^[1] addresses fraud and related activities in connection with computers, including prohibiting unauthorized access to “protected computers” and obtaining information through such access. The CFAA can impose civil and criminal liability on anyone who “access[es] a computer without authorization” or by “exceeding authorized access” to a “protected computer.”^[2] In several cases employers have tried using the CFAA to pursue ex-employees for alleged violations of workplace computer use policies. Depending on the facts, it has not worked out well for those employers.

In a recent case, NRA Group, LLC vs. Durenleau,^[3] the U.S. Court of Appeals for the Third Circuit had occasion to review a case in which the plaintiff (National Recovery Agency) alleged that two ex-employees had violated the CFAA and the federal Defend Trade Secrets Act (“DTSA”),^[4] among other allegations. The defendants counterclaimed with allegations including sexual harassment, negligent hiring and retention, and retaliation under state and federal law.

On cross-motions for summary judgment, the district court entered judgment for the employees, Durenleau and Badaczewski, on all claims against them, staying their remaining sexual harassment claims against NRA pending appeal.

In analyzing the CFAA, the Third Circuit considered the U.S. Supreme Court decision in Van Buren v. United States.^[5] In its opening paragraph, the Court states, “In the wrong hands, the law becomes a hammer in search of a nail. This is one such case.” In applying Van Buren, the Court held that “[u]nder Van Buren, the ‘gates’ of access were ‘up’ for both women—neither hacked into NRA’s systems. No doubt Durenleau and Badaczewski violated NRA’s policies, but as employees they had access to the systems: Durenleau by the fact of her employment, and Badaczewski with Durenleau’s credentials. No one hacked anything by deploying code to enter a part of NRA’s systems to which they had no access.” The Court adopted the definition of “authorization” under the CFAA used by the district court by finding “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”

The Court went on to “hold that, absent evidence of code-based hacking, the CFAA does not countenance claims premised on a breach of workplace computer-use policies by current employees.” Affirming the district court’s grant of summary judgment for the ex-employees on all of NRA’s claims under the CFAA, it noted, “With today’s holding, we mean to turn future litigants to other causes of action so that we do not make ‘millions of otherwise law-abiding citizens [into] criminals.’ Van Buren, 593 U.S. at 394.”

In addressing the plaintiff’s DTSA claims, the Court stated that the statute protects information that, among other things, “‘derives independent economic value, actual or potential,’ from being kept secret.”^[6] The Court’s analysis focused on subpart (b) of 18 U.S.C. § 1839(3) and whether a password spreadsheet could have independent economic value to elevate it to the level of a trade secret. It held that “because the revealed content would have no economic value to NRA, there is no serious claim the passwords would either. That is because it is what the passwords protect, not the passwords, that is valuable.” The Court pointed out that “while the leak of actual trade secrets with independent economic value can endanger a business, NRA immediately remedied the problem by simply changing the passwords,” thereby blocking “the proprietary information that did have independent economic value: NRA’s business records and customer databases.” Bringing closure on the trade secret issue, the Court agreed with the district court and held that the passwords had no independent economic value and, as such, were not trade secrets under the DTSA.

In summary, the NRA Group, LLC, case underscores the need for businesspeople and their legal counsel to have a robust discussion when considering the appropriateness of bringing a CFAA claim. This includes consideration of the facts and how they align with the CFAA at that time. By way of example, without limitation:

• Did defendants engage in “unauthorized access” or exceed authorized access?
• Can the plaintiff demonstrate a qualifying loss exceeding $5,000 within a one-year period and which losses are related to the investigation, repair, or restoration of computer systems?
• Do the facts and applicable law support potential causes of actions other than the CFAA, such as breach of contract, business torts, negligence, fraud, etc., that may provide a remedy for employers when employees grossly transgress computer-use policies?

The bottom line is that employers and their legal counsel need to carefully consider claims they allege under the CFAA against ex-employees.

© 2025 Alan S. Wernick

1. 18 U.S.C. § 1030. ↑

2. See 18 U.S.C. § 1030(a). ↑

3. No. 24-1123, slip op. (3rd Cir. Oct. 7, 2025). ↑

4. 18 U.S.C. § 1836 et seq. ↑

5. 593 U. S. 374 (2021). ↑

6. NRA Group, LLC, slip. op. at 27 (quoting 18 U.S.C. § 1839(3)). ↑