Your year is starting off better than Roberto Rodriguez's. A former employee of the Social Security Administration, Rodriguez has received 12 months in federal prison for using his work computer to look up information about his female acquaintances. To assist him in answering questions about social security benefits, Rodriguez was authorized to access a database containing individuals' personal information, but SSA policy prohibited access for non-business reasons. From time to time, Rodriguez would meet women in church study groups, among other places, and then use his work computer to obtain their personal information. Some women would then begin receiving gifts, flowers and "half-birthday" wishes from Rodriguez, despite having never given him their addresses or dates of birth.
Rodriguez was convicted of violating the federal Computer Fraud and Abuse Act and sentenced to 12 months imprisonment. On December 27, 2010, the Eleventh Circuit affirmed. The court reasoned that, although Rodriguez was authorized to access personal information in the database, he "exceeded authorized access" by accessing the women's information for non-business purposes, in violation of his employer's computer use policy. Moreover, although Rodriguez did not use the personal information for any criminal purpose, "his use of information is irrelevant if he obtained the information without authorization or as a result of exceeding authorized access."
Rodriguez is important to employers because, first, it highlights the importance of having a clearly-written, updated computer use policy that unambiguously sets forth the prohibited conduct. Second, Rodriguez has broader implications beyond the facts of the case. As discussed elsewhere, the Eleventh Circuit's rationale potentially could be applied in a variety of other circumstances. (Volokh Conspiracy) For example, it is not uncommon for a departing employee who is going to work for a competitor to access his employer's computer system and download confidential, proprietary information for future use at the new employer. Some employees also have been known to use company computers to access pornographic or other undesirable Internet websites during the work day. The Rodriguez court's broad interpretation of CFAA's "exceed authorized access" provision suggests that, assuming the employer has a well-written policy clearly prohibiting these actions, such conduct may violate the CFAA. Thus, because the statute contains a civil component, companies should consider the availability of CFAA civil actions or counterclaims in appropriate circumstances.
This GT Alert was written by Jay P. Lechner Questions about this information can be directed to your Greenberg Traurig attorney. ©2010 Greenberg Traurig, LLP. All rights reserved. This Greenberg Traurig Alert is issued for informational purposes only and is not intended to be construed or used as general legal advice.
Please contact the author(s) or your Greenberg Traurig contact if you have questions regarding the currency of this information.