Gates Down: Third Circuit Says Breaking Employer Computer Access Policies Is Not Hacking

Posted on by Dissent

Daniel P. O’Meara, Jeffrey D. Coren, and Zachary V. Zagger of Ogletree, Deakins, Nash, Smoak & Stewart, P.C. write:

The U.S. Court of Appeals for the Third Circuit recently ruled that violations of employers’ computer access policies do not constitute violations of the federal Computer Fraud and Abuse Act (CFAA) and that account passwords are not company trade secrets. The ruling could have significant implications for employers’ ability to bring claims under the CFAA to protect against misuse of company computer systems.

Quick Hits

  • The Third Circuit recently ruled that violations of employer computer access policies alone do not amount to federal CFAA violations.
  • The ruling follows a “gates-up-or-down” approach, finding that employees do not exceed authorized access under the CFAA by accessing company systems, even if done for improper purposes or contrary to company policy, as long as employees are permitted to access those systems.
  • The court further determined that account passwords by themselves are not considered trade secrets under federal or Pennsylvania law.

On October 7, 2025, the Third Circuit issued an amended precedential decision in NRA Group LLC v. Durenleau, adopting a “gates-up-or-down” approach to CFAA violations. The court found that when employees access company systems they are normally authorized to access, even if they do so in ways or for purposes that are not allowed, they do not exceed authorized access under the CFAA unless they “hack” into systems they are not permitted to access.

The case involved the conduct of two former employees of debt collector NRA. While out sick, one employee needed to access a document to submit a company license renewal by an impending deadline. The employee asked another employee to log into her work computer in the office and send her a spreadsheet with her work account passwords. The actions violated the employer’s computer-use policies.

NRA filed suit against the employees, alleging they violated the CFAA, Defend Trade Secrets Act (DTSA), and the Pennsylvania Uniform Trade Secrets Act (PUTSA). The two employees counterclaimed for sexual harassment, retaliation, and hostile work environment. The U.S. District Court for the Middle District of Pennsylvania granted the employees summary judgment and dismissed the claims against them.

Read more at The National Law Review.


Related:

Category: HackInsiderLegislationU.S.