Third Circuit Narrows Scope of CFAA and DTSA Claims Against Former Employees

When faced with an employee who allegedly accesses a work computer to misappropriate trade secrets, many employers have turned to the Computer Fraud and Abuse Act (CFAA) and the Defend Trade Secrets Act (DTSA) as potential causes of action against the former employee. However, the Third Circuit’s recent decision in NRA Group, LLC v. Durenleau, 2025 WL 2449054 (3d Cir. Aug. 16, 2025), has set further limits on the application of both statutes in this common scenario, holding that violating an employer’s computer-use policy does not constitute a violation of the CFAA and that passwords are not considered trade secrets because they lack independent economic value. The court noted, however, that “there are many other causes of action—breach of contract, business torts, fraud, negligence, and so on—that provide a remedy for employers when employees grossly transgress computer-use policies.”

CFAA Background and the Van Buren Standard

Congress enacted the CFAA in 1986 as a criminal law statute in response to the nascent issue of computer “hacking.” 18 U.S.C. § 1030. The private cause of action was added a decade later. The Act prohibits unauthorized access or access that exceeds authorized access to computers. The CFAA defines “exceeds authorized access” as accessing “a computer with authorization and [using] such access to obtain . . . information in the computer that the accesser is not entitled to obtain,” while leaving “unauthorized access” undefined.

In United States v. Van Buren, 141 S. Ct. 1648 (2021), the Supreme Court interpreted this provision to cover “those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend,” but not “those who . . . have improper motives for obtaining information that is otherwise available to them.” The Court determined that the purpose of the individual in accessing the computer is not relevant to whether the individual exceeded authorized access. The Court adopted this interpretation based on “a gates-up-or-down inquiry—one either can or cannot access a computer system, and one either can or cannot access certain areas within the system,” as some areas are fully “off-limits.”

The Van Buren Court also cautioned that a mere violation of a workplace computer-use policy should not constitute a CFAA violation, since doing so “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” If this were not so, the “exceeds authorized access” language would apply to “every violation of a computer-use policy,” making “millions of otherwise law-abiding citizens criminals.” The Court provided a relevant example: “[e]mployers commonly state that computers and electronic devices can be used only for business purposes,” so if workplace policy violations were cognizable under the CFAA, “an employee who sends a personal e-mail or reads the news using her work computer has violated the CFAA.”

Application in Durenleau: Policy Violations Insufficient for CFAA Claims

In Durenleau, the defendant admitted to violating her employer’s computer use policy by emailing a spreadsheet containing passwords to a third party, the co-defendant, who was a co-worker. The passwords allowed the co-defendant to access those accounts as Durenleau. The plaintiff alleged that by doing so, the defendant violated the CFAA because she and the co-defendant accessed plaintiff’s computer system without authorization or in excess of authorization. The Third Circuit agreed with the district court’s conclusion that neither defendant violated the CFAA because an “employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.” According to the court, “[n]o one hacked anything by deploying code to enter a part of [plaintiff’s] systems to which they had no access.” Applying Van Buren, “the gates were up, even if the road signs—[plaintiff’s] policies—all told the women to stop and turn around.” Since the CFAA is also a criminal statute, were the defendants civilly liable, “the same conduct could expose them, or others in the future who do the same to criminal prosecution. Put bluntly: [plaintiff] asks us to make the employees’ conduct a federal crime,” which the Court was clearly unwilling to do.

DTSA Analysis: Passwords Lack Independent Economic Value

In addition to the CFAA claim, plaintiff alleged that the passwords for third-party accounts that defendant provided via email in a spreadsheet to her co-defendant were trade secrets misappropriated in violation of the DTSA and the Pennsylvania Uniform Trade Secrets Act. Both statutes protect information that: (a) the owner has taken reasonable measures to keep secret, (b) derives independent economic value, actual or potential, from being kept secret, (c) is not readily ascertainable by proper means, and (d) if disclosed or used, would have economic value to those who cannot readily access it.

The court determined that whether the passwords qualified as trade secrets “hinged” on the independent economic value element. While acknowledging that “a compilation of data that has independent economic value can be protected as a trade secret”—a well-established principle—the court found that the passwords contained in the defendant’s spreadsheet were “certainly a compilation of data, but not a compilation of customer data or some other intellectual property of the owner.”

The court noted that authority regarding whether “password information that was bundled with other, more colorable trade secrets like raw customer information, pricing information, pricing schemes, strategy documents, and so on” qualified for protection was “thin.” While citing several district court cases that generally found “bundling” information with passwords may qualify as trade secrets, the court relied on State Analysis, Inc. v. American Financial Services Association, 621 F. Supp. 2d 309 (E.D. Va. 2009), which held that “a password is simply a series of random numbers and letters that is a barrier to other proprietary information. Although passwords may have economic value if they are integral to accessing proprietary information, they have no independent economic value in the same way a formula or customer list might have. Thus, when a plaintiff has not alleged that its passwords are the product of any special formula or algorithm that it developed, that passwords are not trade secrets.”

The court emphasized that plaintiff had “miss[ed] the point by arguing about the sensitivity and economic value of customer information” accessed, but failed to allege “that the passwords were the product of any special formula or algorithm.” Using an analogy to a website with pictures of “cute puppies,” the court explained: “Because the revealed content would have no economic value to [defendant], there is no serious claim the passwords would either. That is because it is what the passwords protect, not the passwords, that is valuable.” The court also noted that plaintiff “immediately remedied the problem by simply changing the passwords.” In conclusion, according to the court, passwords with no economic value are not trade secrets.

Durenleau Calls for a Nuanced Approach

Durenleau is consistent with the Supreme Court’s decision in Van Buren and also represents a narrow limitation on the broad categories of information that trade secret law protects. It further reflects the Third Circuit’s characterization of this case as one where “in the wrong hands, the law becomes a hammer in search of a nail.” More significantly, this decision underscores that employers should not rely exclusively on the DTSA and state trade secret acts to protect confidential information. Instead, practitioners should emphasize contract law remedies, particularly through well-drafted non-disclosure agreements. While the use of non-disclosure agreements (NDAs) alone may not be sufficient in all cases to meet the reasonable efforts requirement to qualify as a trade secret, it is often a critical feature of the trade secret owner’s efforts. Even if an employee cannot be sued for trade secret misappropriation because the plaintiff cannot prove that the information at issue qualifies for trade secret protection, the plaintiff might nonetheless be able to pursue a separate breach of contract action based on the defendant’s breach of the non-disclosure contract. This potential provides employers with multiple avenues for relief while avoiding the narrow statutory limitations highlighted in Durenleau. The decision counsels against reflexively pursuing CFAA and DTSA claims without a careful analysis of whether the conduct and information at issue truly fall within the scope of these statutes. Instead, a more nuanced approach considering the full spectrum of available remedies—including traditional contract, tort, and employment law claims—may prove more effective in protecting a client’s interests.

Image Source: Deposit Photos
Author: DmitriySk
Image ID: 460033308