Previously, we mentioned that the case against a former New York police officer had been decided in his favor with respect to a charge under the federal Computer Fraud and Abuse Act.
At present, the exact meaning of exceeding authorized access is not agreed upon by the courts. Cases in which this language is used typically involve company or government insiders—often employees—who have access to a protected computer but use that access for nefarious purposes. The problem is, when can an employee be deemed to have exceeded authorized access to a protected computer? Courts would agree that using that access to engage in hacking would qualify as a violation of the Computer Fraud and Abuse Act, but what about less nefarious activities, like booking flights or use of social media?
Some courts have held that employees or insiders can be prosecuted under the Computer Fraud and abuse Act whenever they violate restrictions on their use of employer computers. Other courts, though, have held to a more lenient interpretation of the law by which employees may not be prosecuted for violating limitations on the use of a computer, but only for violating limitations on access.
The latter interpretation of the law is what formed the basis for the court’s decision in the case of the former officer. The case, as we noted last time, ended up being decided in his favor due to ambiguities in the law. In other words, the decision did nothing to help resolve the split.
It remains to be seen whether lawmakers will eventually step in and clarify the matter at some point, or whether a Supreme Court appeal is coming down the pipeline. Unless and until these things happen, the courts are likely to continue their disagreement over the proper interpretation of the statutory language.