Applies to: Employers with Employees in DE, NJ, PA and U.S. Virgin Islands
Effective: August 26, 2025
Quick Look
- The Third Circuit ruled that employees who violate internal computer-use policies, but do not engage in code-based hacking, do not violate the CFAA, narrowing the scope of claims employers can bring under the statute.
- The court also held that shared passwords lacked the characteristics required to qualify as trade secrets under federal and Pennsylvania law.
DISCUSSION
In NRA Group, LLC v. Durenleau, the Third Circuit addressed whether an employee’s violation of internal computer-use policies could give rise to a claim under the Computer Fraud and Abuse Act (CFAA), and whether passwords shared between employees constituted trade secrets under federal and Pennsylvania law. The case arose from a situation where an employee, who was out sick with COVID-19, asked a colleague to access her company account and retrieve a password needed to renew a license. This led to the colleague emailing a spreadsheet of company passwords to the employee’s personal email, which constituted a violation of company policy but did not involve any code-based hacking.
The Third Circuit held that such conduct did not violate the CFAA. It clarified that the CFAA is intended to target external hacking and unauthorized access through technical means, not policy violations by employees who already have access to company systems. The court emphasized that the statute should not be stretched to criminalize breaches of workplace rules, especially given its criminal penalties. Although the CFAA may no longer be a viable tool for pursuing civil or criminal claims against employees who misuse their access, employers are not without recourse. The court pointed to alternative legal avenues such as breach of contract, business torts, and negligence, which may still apply depending on the facts. As a result, this ruling narrows the scope of CFAA claims employers can bring against employees in the Third Circuit, limiting them to cases involving actual hacking rather than internal misuse of access.
The court also addressed trade secret protections under the Defend Trade Secrets Act (DTSA) and the Pennsylvania Uniform Trade Secrets Act (PUTSA), ruling that the passwords shared between employees were not trade secrets. The passwords lacked the necessary characteristics to qualify for protection, such as being derived from a formula or algorithm or having independent economic value. For employers, this ruling underscores the importance of distinguishing between the tools that protect valuable business information and the information itself. Passwords may guard trade secrets, but they are not inherently trade secrets unless they meet specific legal criteria.
Overall, this decision limits the reach of federal computer crime laws in the employment context, instead encouraging employers to strengthen their internal governance to protect sensitive information and respond effectively to policy violations.
ACTION ITEMS
- Review data protection policies and strategies.
- Implement internal controls, employee training, and contractual safeguards to prevent employee misuse.
- Consult with legal counsel on specific situations involving violations of data protection policies.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that OneDigital is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2025 OneDigital
