Liability for Improper Use of Database

Many professionals have access to online databases that store information not readily available to members of the public.  These databases are a valuable tool for professionals who need additional information about a person for litigation purposes or for other lawful use within the course and scope of their professional practice.  While these databases are only intended to be used for professional use, it is generally possible to access them for non-work-related purposes.  This improper use of otherwise legitimate databases raises potential civil and criminal repercussions for the professionals.

In United States v. Valle the Second Circuit considered the circumstances under which an employee may be held criminally and civilly liable for accessing company computer information with improper intent.  The defendant was an officer in the New York City Police Department who had no criminal history but was part of an online network that discussed engaging in criminal acts.  The officer’s wife discovered the activity on the officer’s laptop and notified federal authorities. The officer was subsequently arrested and charged with improperly accessing a computer and obtaining information in violation of the Computer Fraud and Abuse Act (CFAA).  Specifically, the officer was alleged to have accessed databases intended to be used only for official work purposes to obtain personal information about other individuals for a non-work purpose.  While the officer was permitted to access these databases in his official duties, he was accused of violating the Act because his access was not related to an authorized use.

The officer was found guilty and sentenced to 12 months’ imprisonment.  On appeal, the Second Circuit noted that the CFAA imposes penalties on persons who exceed authorized access on a computer and obtain information from a US department or agency.   The court continued that the statute turned on the meaning of “exceeds authorized access” which is defined as accessing a computer with authorization to obtain information that the user is not entitled to.

The officer conceded that he violated the terms of his employment when he used his authorized computer access for personal use, but denied that this was a violation of the statute because he did not obtain any information that he was not entitled to if he was acting in his official duty.  The government countered that the access was unauthorized because he did not use it for a work purpose.

In resolving this dispute, the court stated that the statute could be interpreted either way and that several circuit courts have held that exceeding authority is a violation of the Act.  Nevertheless, applying the rule of lenity, the court deviated from these decisions and held that the statute should be interpreted in the manner that was favorable to the defendant. The court thus reversed the trial court’s conviction.

While the Second Circuit determined that the CFAA was ambiguous, professionals must have clear policies in place for how employees use databases that provide access to personal information.  Using these websites for a purpose that exceeds authority could give rise to civil liability against the employee and the firm alike, and may even implicate criminal liability depending on the jurisdiction.