Reprinted with permission from the October 13th edition of The Legal Intelligencer. (c) 2025 ALM Media Properties. Further duplication without permission is prohibited.
In NRA Group LLC v. Durenleau, the United States Court of Appeals for the Third Circuit eliminated the Computer Fraud and Abuse Act (18 U.S.C. § 1030)(“CFAA”) as a weapon in post-employment litigation against departing employees. Employers have used the statute in litigation against departing employees where the employer alleges that the departing employee left with employer documents in the form of electronic files. This powerful threat, which included the threat of criminal sanctions, is eliminated. In the absence of actual hacking, under the Third Circuit’s holding, the employer cannot state a claim under the CFAA. The Third Circuit also concluded that passwords are not “trade secrets” under Pennsylvania or federal law.
The defendants in NRA Group LLC were both former employees of NRA Group who claimed to have been sexually harassed and discriminated against on the basis of their gender. Nicole Durenleau resigned and then Jamie Badaczewski, her co-defendant was terminated. Throughout their employment, the employees complained about sexual harassment, and alleged that their concerns were never adequately addressed. In late 2021, Durenlau and NRA had a dispute regarding certain commissions that NRA claims were improperly paid to her. Durenlau accessed NRA records to change some of the commission credit, and NRA claimed this was in violation of NRA policy. About a month later, Durenlau was out of the office with COVID. She asked Badaczewski to log in to NRA’s computer using Duranleau’s credentials in order to address an emergency. Durenlau asked Badaczewski to send her a password she needed to access an account to address the emergency. Badaczewski did so. She then emailed the password list to Durenlau at her work and personal email accounts. This conduct with regard to the password list was also a violation of NRA’s policies.
NRA sued both employees under the CFAA, and also alleged claims under the Defend Trade Secrets Act (18 U.S.C. 1836, et seq.), the Pennsylvania Uniform Trade Secrets Act (12 Pa. C.S. § 5301 et seq.), and common law claims for breach of the duty of loyalty and conspiracy. The employees filed counterclaims for sexual harassment. The United States District Court for the Middle District of Pennsylvania granted summary judgment in the employee’s favor, and the Third Circuit affirmed, holding that the CFAA “does not turn these workplace-policy infractions into federal crimes,” and that “passwords that protect proprietary business information are not themselves trade secretes under federal or Pennsylvania law.”
The Third Circuit was guided in its opinion by the fact that a violation of the CFAA exposes a defendant to both civil and criminal liability. The Third Circuit observed that the potential for criminal liability requires a stricter construction of the statute. The Court identified its goal in affirming the District Court’s grant of summary judgment, quoting the United States Supreme Court’s opinion on the same statute in Van Buren v. United States, 593 U.S. 374 (2021): “we mean to turn future litigants to other causes of action so that we do not make ‘millions of otherwise law-abiding citizens [into] criminals.’” The Third Circuit refused to “criminalize” contract law.
The Third Circuit examined the statute’s requirement that in order to state a claim, or impose criminal liability, the use by the employee must be unauthorized or exceed the authority provided to employees. NRA argued that the defendant employees’ violations of NRA’s clear computer use policies “exceeded their authorized access” to NRA’s computer systems, and violated the CFAA. The Court rejected this argument, applying a “gates-up-or-down” analysis employed by the Supreme Court in Van Buren. The Third Circuit observed employees can have access or they cannot – in other words, an employee is authorized to access a computer when his employer approves or sanctions his access to that computer or server. The employee’s purpose in accessing “authorized” areas is irrelevant – if the employee had authority to access a certain area, the employee has not engaged in unauthorized use or “exceeded” the authority provided in violation of the CFAA.
The Court concluded that absence evidence of code-base hacking, the CFAA does not “countenance claims premised on a breach of workplace computer-use policies by current employees.” Coupled with the Court’s holdings that the employee’s passwords were not trade secrets under federal or state law, the Third Circuit removed a tool from an employer’s arsenal in post-employment disputes. Employers often include CFAA claims, along with trade secret claims, in litigation designed to enforce restrictive covenants. Employers often conduct forensic analysis of the departing employees access to their computer systems, and have a wealth of data to use to identify a policy violation that can form the basis of a CFAA claim. This threat is meaningful, as the Third Circuit observed, because of the potential for criminal liability. With this decision, the Third Circuit expressly found that this is not a proper use of the CFAA in the absence of actual hacking.
Despite the elimination of this threat in post-employment disputes, employees should continue to adhere to workplace policies regarding their access to electronic systems. While such conduct might not create civil or criminal liability under the CFAA, trade secret claims remain viable. Departing employees should be counseled to leave their employment without any information of any kind belonging to their former employers. And, employers, should continue to implement and monitor compliance with computer-use policies.
The Third Circuit’s decision levels the playing field in post-employment disputes, removing the threat of claims that carry the more existential threat of criminal liability, and requiring employers to prove that they are entitled to civil relief, and that the information allegedly taken actually constitutes trade secrets. The decision returns computer-use violations to what they actually are: grounds for discipline or termination, or evidence of contract violations in appropriate cases.
Patricia C. Collins is a Partner and Employment Law Chair with Antheil Maslow & MacMinn, LLP, based in Doylestown, PA. Her practice focuses primarily on employment, commercial litigation and health care law. Patricia Collins can be contacted at 215.230.7500 ext. 126.