Per
http://computerfraud.us/articles/suing-employees-for-computer-fraud-gets-easier
The 3d Circuit’s decision in U.S. v. Tolliver, 2011 WL 4090472 at *1 (3d Cir. Sept. 15, 2011), made clear that company policies, such as those relied upon in Nosal, are not the only way to prove that an employee accessed the company computer “without authorization.” The court upheld the CFAA conviction of Regina Tolliver, a former bank teller for Citizens Bank who provided confidential customer account information to “check runners” who “cashed fraudulent checks against the accounts of seven Citizens Bank customers in branches in upstate New York, western Pennsylvania, and Delaware.” Id. Without reference to any bank policies the court held that “there was sufficient evidence” upon which “the government established that Tolliver exceeded her authorized access” because “she did not have a business purpose” to access the customers’ accounts. Id. at *5.
While Tolliver actually removed data from her employer’s computer to facilitate the writing of fraudulent checks, the employee in U.S. v. Teague, 646 F.3d 1119 (8th Cir. 2011),
only viewed data in the computer, did not remove it and did not use it. Yet the 8th Circuit applied the CFAA to these facts and, in doing, upheld the criminal conviction of Sandra Teague, an employee of a government contractor for the U.S. Department of Education, for accessing President Obama’s record in the National Student Loan Data System.
She had been convicted of violating the CFAA for exceeding unauthorized access to a computer in violation of 18 U.S.C. 1030 (a)(2)(B).
This section of the CFAA makes it a crime to intentionally exceed authorized access to a computer and obtain information from the computer. Based solely on her viewing the Obama student loan data, the court found the government had proved the critical CFAA element of having obtained information.