Third Circuit Narrows Computer Fraud and Abuse Act Employer Claim
p1ppppFind Your Next Job pp
ppThe US Court of Appeals for the Third Circuit recently ruled that violations of employers computer access policies do not constitute violations of the federal Computer Fraud and Abuse Act CFAA and that account passwords are not company trade secrets The ruling could have significant implications for employers ability to bring claims under the CFAA to protect against misuse of company computer systemsppOn October 7 2025 the Third Circuit issued an amended precedential decision in NRA Group LLC v Durenleau adopting a gatesupordown approach to CFAA violations The court found that when employees access company systems they are normally authorized to access even if they do so in ways or for purposes that are not allowed they do not exceed authorized access under the CFAA unless they hack into systems they are not permitted to accessppThe case involved the conduct of two former employees of debt collector NRA While out sick one employee needed to access a document to submit a company license renewal by an impending deadline The employee asked another employee to log into her work computer in the office and send her a spreadsheet with her work account passwords The actions violated the employers computeruse policiesppNRA filed suit against the employees alleging they violated the CFAA Defend Trade Secrets Act DTSA and the Pennsylvania Uniform Trade Secrets Act PUTSA The two employees counterclaimed for sexual harassment retaliation and hostile work environment The US District Court for the Middle District of Pennsylvania granted the employees summary judgment and dismissed the claims against themppThe Third Circuit affirmed the district court ruling relying on the Supreme Court of the United States decision in Van Buren v United States which involved a police officer who ran a license plate search in the police departments system exchange for a bribe In that case the Supreme Court adopted a gatesupordown inquiry to determine whether an employee exceeds authorized access and looked at whether the employee obtains information from particular areas in the computersuch as files folders or databasesto which their computer access does not extend rather than whether an employee misuses their access The Supreme Court thus held that although the police officer accessed the law enforcement database for an improper purpose and violated department policy he did not exceed authorized access in violation of the CFAAppSimilarly in Durenleau the Third Circuit ruled that the employees had not violated the CFAA because they accessed computer systems they were otherwise authorized to access even though their method for accessing the information might have violated company policies The appellate court found it significant that the employees did not take action to circumvent security barriers or hack systems to access the information In other words the gates of the access were up for both women the Third Circuit statedppIn reaching this conclusion the Third Circuit rejected arguments from the employer that the employees had violated the CFAA when one employee asked another employee to access her computer in violation of the employers workplace computeruse policy The appellate court pointed out that both employees had access to the employers computer system The gates were up even if the road signsthe NRA policiesall told the women to stop and turn around the court wroteppNotably the Third Circuit also found it significant that the CFAA imposes both civil and criminal penalties The court called the implications of NRAs argument breathtaking because it would allow employer policies to set the contours of federal criminal law and potentially expose millions of employees to criminal liability for technical violations of workplace policiesppInstead we hold that absent evidence of codebased hacking the CFAA does not countenance claims premised on a breach of workplace computeruse policies by current employees the Third Circuit stated The court suggested that such disputes are better handled through causes of action alleging breaches of contract or business torts fraud or negligenceppFurther the Third Circuit affirmed the district courts finding that the employees account passwords were not trade secrets under the DTSA and PUTSA because they did not have independent economic value The appellate court noted that the employer had not alleged that its passwords were the product of any special formula or algorithm that it developed The court reasoned that while the information or databases that the passwords protected might have contained protected trade secrets the passwords themselves did not include any information that could be considered a trade secretppThe Third Circuits decision in Durenleau reaffirmed that violations of workplace computeruse policies do not amount to violations of the CFAA and that employees who are permitted to access a companys computer system do not exceed their authorized access under the CFAA simply by violating company policies As a result employers may not be able to rely on the CFAA to protect their computer systems and databases from employee misuseppEmployers should consider periodically reviewing their information technology IT access protocols to prohibit employees from accessing systems and information that they do not need to access Such measures are consistent with cybersecurity best practices and are reasonable steps to safeguard the secrecy of trade secrets Because an employees compliance with computer access and usage policies still has significance for a variety of employment claims employers should consider ensuring that computer access and usage policies are communicated to and agreed to by employeesppAdditionally the Third Circuit decision indicated that passwords protecting proprietary business information are likely not considered trade secrets under federal or Pennsylvania law because they do not have independent economic value Still the proprietary information that is guarded by passwords can continue to qualify as a trade secret even if a protective password might notpp
ppMore Upcoming Eventspp ppSign Up for any or all of our 25 Newsletterspp ppYou are responsible for reading understanding and agreeing to the National Law Reviews NLRs and the National Law Forum LLCs Terms of Use and Privacy Policy before using the National Law Review website The National Law Review is a freetouse nologin database of legal and business articles The content and links on wwwNatLawReviewcom are intended for general information purposes only Any legal analysis legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice No attorneyclient or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms attorneys or other professionals or organizations who include content on the National Law Review website If you require legal or professional advice kindly contact an attorney or other suitable professional advisor ppSome states have laws and ethical rules regarding solicitation and advertisement practices by attorneys andor other professionals The National Law Review is not a law firm nor is wwwNatLawReviewcom intended to be a referral service for attorneys andor other professionals The NLR does not wish nor does it intend to solicit the business of anyone or to refer anyone to an attorney or other professional NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us ppUnder certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements Attorney Advertising Notice Prior results do not guarantee a similar outcome Statement in compliance with Texas Rules of Professional Conduct Unless otherwise noted attorneys are not certified by the Texas Board of Legal Specialization nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional CredentialsppThe National Law Review National Law Forum LLC 2070 Green Bay Rd Suite 178 Highland Park IL 60035 Telephone 708 3573317 or tollfree 877 3573317 If you would like to contact us via email please click hereppCopyright 2025 National Law Forum LLCp
ppThe US Court of Appeals for the Third Circuit recently ruled that violations of employers computer access policies do not constitute violations of the federal Computer Fraud and Abuse Act CFAA and that account passwords are not company trade secrets The ruling could have significant implications for employers ability to bring claims under the CFAA to protect against misuse of company computer systemsppOn October 7 2025 the Third Circuit issued an amended precedential decision in NRA Group LLC v Durenleau adopting a gatesupordown approach to CFAA violations The court found that when employees access company systems they are normally authorized to access even if they do so in ways or for purposes that are not allowed they do not exceed authorized access under the CFAA unless they hack into systems they are not permitted to accessppThe case involved the conduct of two former employees of debt collector NRA While out sick one employee needed to access a document to submit a company license renewal by an impending deadline The employee asked another employee to log into her work computer in the office and send her a spreadsheet with her work account passwords The actions violated the employers computeruse policiesppNRA filed suit against the employees alleging they violated the CFAA Defend Trade Secrets Act DTSA and the Pennsylvania Uniform Trade Secrets Act PUTSA The two employees counterclaimed for sexual harassment retaliation and hostile work environment The US District Court for the Middle District of Pennsylvania granted the employees summary judgment and dismissed the claims against themppThe Third Circuit affirmed the district court ruling relying on the Supreme Court of the United States decision in Van Buren v United States which involved a police officer who ran a license plate search in the police departments system exchange for a bribe In that case the Supreme Court adopted a gatesupordown inquiry to determine whether an employee exceeds authorized access and looked at whether the employee obtains information from particular areas in the computersuch as files folders or databasesto which their computer access does not extend rather than whether an employee misuses their access The Supreme Court thus held that although the police officer accessed the law enforcement database for an improper purpose and violated department policy he did not exceed authorized access in violation of the CFAAppSimilarly in Durenleau the Third Circuit ruled that the employees had not violated the CFAA because they accessed computer systems they were otherwise authorized to access even though their method for accessing the information might have violated company policies The appellate court found it significant that the employees did not take action to circumvent security barriers or hack systems to access the information In other words the gates of the access were up for both women the Third Circuit statedppIn reaching this conclusion the Third Circuit rejected arguments from the employer that the employees had violated the CFAA when one employee asked another employee to access her computer in violation of the employers workplace computeruse policy The appellate court pointed out that both employees had access to the employers computer system The gates were up even if the road signsthe NRA policiesall told the women to stop and turn around the court wroteppNotably the Third Circuit also found it significant that the CFAA imposes both civil and criminal penalties The court called the implications of NRAs argument breathtaking because it would allow employer policies to set the contours of federal criminal law and potentially expose millions of employees to criminal liability for technical violations of workplace policiesppInstead we hold that absent evidence of codebased hacking the CFAA does not countenance claims premised on a breach of workplace computeruse policies by current employees the Third Circuit stated The court suggested that such disputes are better handled through causes of action alleging breaches of contract or business torts fraud or negligenceppFurther the Third Circuit affirmed the district courts finding that the employees account passwords were not trade secrets under the DTSA and PUTSA because they did not have independent economic value The appellate court noted that the employer had not alleged that its passwords were the product of any special formula or algorithm that it developed The court reasoned that while the information or databases that the passwords protected might have contained protected trade secrets the passwords themselves did not include any information that could be considered a trade secretppThe Third Circuits decision in Durenleau reaffirmed that violations of workplace computeruse policies do not amount to violations of the CFAA and that employees who are permitted to access a companys computer system do not exceed their authorized access under the CFAA simply by violating company policies As a result employers may not be able to rely on the CFAA to protect their computer systems and databases from employee misuseppEmployers should consider periodically reviewing their information technology IT access protocols to prohibit employees from accessing systems and information that they do not need to access Such measures are consistent with cybersecurity best practices and are reasonable steps to safeguard the secrecy of trade secrets Because an employees compliance with computer access and usage policies still has significance for a variety of employment claims employers should consider ensuring that computer access and usage policies are communicated to and agreed to by employeesppAdditionally the Third Circuit decision indicated that passwords protecting proprietary business information are likely not considered trade secrets under federal or Pennsylvania law because they do not have independent economic value Still the proprietary information that is guarded by passwords can continue to qualify as a trade secret even if a protective password might notpp
ppMore Upcoming Eventspp ppSign Up for any or all of our 25 Newsletterspp ppYou are responsible for reading understanding and agreeing to the National Law Reviews NLRs and the National Law Forum LLCs Terms of Use and Privacy Policy before using the National Law Review website The National Law Review is a freetouse nologin database of legal and business articles The content and links on wwwNatLawReviewcom are intended for general information purposes only Any legal analysis legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice No attorneyclient or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms attorneys or other professionals or organizations who include content on the National Law Review website If you require legal or professional advice kindly contact an attorney or other suitable professional advisor ppSome states have laws and ethical rules regarding solicitation and advertisement practices by attorneys andor other professionals The National Law Review is not a law firm nor is wwwNatLawReviewcom intended to be a referral service for attorneys andor other professionals The NLR does not wish nor does it intend to solicit the business of anyone or to refer anyone to an attorney or other professional NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us ppUnder certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements Attorney Advertising Notice Prior results do not guarantee a similar outcome Statement in compliance with Texas Rules of Professional Conduct Unless otherwise noted attorneys are not certified by the Texas Board of Legal Specialization nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional CredentialsppThe National Law Review National Law Forum LLC 2070 Green Bay Rd Suite 178 Highland Park IL 60035 Telephone 708 3573317 or tollfree 877 3573317 If you would like to contact us via email please click hereppCopyright 2025 National Law Forum LLCp
