Emerging Markets Law

Unauthorized Computer Access, Without Service Interruption, May Be Cause for Action

In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.

In Brown Jordan Int'l, Inc. v. Carmicle, 2017 WL 359651 (11th Cir. Jan. 25, 2017), Mr. Carmicle was a former employee who had committed several violations of the employer's policy. After repeated offenses, management considered terminating Mr. Carmicle. During the time that Mr. Carmicle's fate was being evaluated, the company switched to a new email system and issued a master password to employees for test purposes. Mr. Carmicle, somewhat predictably perhaps, used that master password to monitor the email accounts of other employees. He was not authorized to do so.

The Court held that the unauthorized access to company email was actionable. This was true even though Mr. Carmicle didn't compromise or crash the network: he merely exceeded his authority. The Court found violations of both the CFAA and the Stored Communications Act.

The Court protected the employer even in the absence of "harm" such as financial loss. This is a very good result for companies in the Eleventh Circuit, whether the unauthorized access is committed by an insider or by someone unconnected with the company. Recognizing that the company is injured merely by someone intruding is a common sense and helpful reading, and is congruent with a public policy that protects private property from snooping and trespass. 

Having said that: it is notable that the access here was done under a "master" password. Consider not using such mechanisms, and also consider having "test" passwords expire after a very short period of time or after the first use.

Stay Connected

Subscribe to blog updates via email