Update: Following its original decision, the Third Circuit granted a panel rehearing in NRA Group, LLC v. Durenleau et al., vacated its August 26, 2025 opinion, and issued an amended opinion on October 7, 2025 (NRA Group, LLC v. Durenleau, 2025 WL 2835754 (3d Cir. Oct. 7, 2025) (amended opinion)). The judgment was not disturbed, and the Court declined en banc rehearing. The analysis and holdings below reflect the Court’s reaffirmed conclusions in the amended opinion.
On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed an issue of first impression to decide whether an employee’s violation of an employer’s computer-use policy can give rise to a claim under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The Court answered unequivocally — no. A current employee does not violate the CFAA merely by breaching an employer’s internal computer-use policies absent unauthorized “hacking” or code-based intrusion. The Court also held that passwords disclosed by an employee were not trade secrets under state or federal law because they lacked independent economic value and were not the product of a special formula or algorithm.
Background
The case arose after an employee of National Recovery Agency (“NRA”) assisted a coworker in logging into her work account and emailed a password spreadsheet from her work email to her personal email address. NRA terminated both employees and brought claims under the CFAA, the Defend Trade Secrets Act (“DTSA”), and Pennsylvania’s Uniform Trade Secrets Act (“PUTSA”). The company alleged that the employees exceeded their authorized access to company systems and that the passwords constituted trade secrets.
The district court dismissed the claims, finding that the employees had authorization to access the system at the time of the conduct and that the passwords did not qualify as trade secrets. NRA appealed.
The Third Circuit’s Decision
The Third Circuit affirmed. The Court explained that the CFAA’s plain text distinguishes between unauthorized access and misuse of authorized access. Because the employees were authorized users when they accessed and emailed the spreadsheet, their conduct did not constitute unauthorized access under the statute.
Relying on the Supreme Court’s reasoning in Van Buren v. United States, 593 U.S. 374 (2021), the Court emphasized that the CFAA targets “hacking-type” activity, not violations of employer policies. As the Court put it, the Act “does not criminalize the misuse of information one is otherwise authorized to obtain.” Expanding the statute to cover internal policy breaches, the Court warned, would transform a wide range of ordinary workplace behavior into potential federal offenses, contrary to both legislative intent and due process.
The Court further rejected NRA’s trade secret claims under the DTSA and PUTSA, holding that the passwords in question were not the result of a unique process or algorithm and thus lacked independent economic value. While the passwords provided access to NRA’s systems, that access alone did not imbue them with trade secret protection. The Court observed that passwords, unlike formulas, designs, or proprietary code, are not themselves “products of intellectual effort,” and therefore fall outside the statutory definition of a trade secret.
Conceptual Implications
The Durenleau decision underscores the limits of federal and state remedies for internal policy violations involving computer systems. Under the Third Circuit’s reasoning, an employee who has authorized access cannot be held liable under the CFAA merely for misusing that access, even if the misuse violates company policy or confidentiality obligations. Employers must instead rely on contractual remedies, disciplinary action, or other civil claims such as breach of duty of loyalty or misappropriation of confidential information.
Importantly, the Court’s trade secret analysis reinforces that not all sensitive digital credentials are entitled to statutory protection. To qualify as a trade secret, the information must derive independent economic value from being secret and result from some degree of creative or analytical effort, not simply serve as a gatekeeping tool.
Employers should therefore ensure that:
- Computer-use policies and confidentiality agreements clearly define the scope of authorized access and consequences for misuse;
- Passwords and security protocols are supplemented by broader confidentiality protections when they safeguard proprietary systems or data; and
- Internal controls and monitoring mechanisms are implemented to detect and deter improper use.
The Durenleau decision reflects a growing judicial consensus that the CFAA is a narrow anti-hacking statute and not a catch-all for workplace misconduct. Employers are encouraged to review their information security practices, employee agreements, and trade secret protocols in light of this decision.