Third Circuit Cabins CFAA to Code‑Based Hacking and Holds Passwords Are Not Trade Secrets
Introduction
In a precedential opinion with wide‑ranging consequences for computer‑misuse and trade secret litigation, the U.S. Court of Appeals for the Third Circuit in NRA Group LLC v. Durenleau (Aug. 26, 2025) affirmed summary judgment against an employer that sued two former employees under the Computer Fraud and Abuse Act (CFAA), the Defend Trade Secrets Act (DTSA), the Pennsylvania Uniform Trade Secrets Act (PUTSA), and several state tort theories.
The dispute arose after a compliance executive, Nicole Durenleau, fell ill with COVID‑19 and—lacking remote access—asked her colleague, marketing employee Jamie Badaczewski, to log into her office workstation and send her a spreadsheet titled “My Passwords.xlsx.” The document listed credentials for dozens of NRA systems and third‑party accounts (the spreadsheet itself contained no consumer PII). Separately, over several years, Durenleau had moved certain debt‑collection accounts into her workgroup in a way that increased her bonus eligibility; she maintained she believed she was entitled to the bonuses. Both women had filed complaints alleging pervasive sexual harassment at NRA; Durenleau resigned citing harassment, and Badaczewski was terminated shortly thereafter. NRA then sued them.
The key issues before the Third Circuit were:
- Whether employee violations of internal computer‑use policies (credential sharing, off‑premises restrictions, password storage) constitute “access without authorization” or “exceed[ing] authorized access” under the CFAA;
- Whether a list of passwords to protected systems, standing alone, qualifies as a “trade secret” under DTSA/PUTSA; and
- Whether state‑law civil conspiracy, breach of duty of loyalty, and fraud claims could proceed on the facts.
The District Court granted summary judgment to the employees on all of NRA’s claims; some of the employees’ separate harassment/retaliation counterclaims were stayed. The Third Circuit affirmed in full and accepted the appeal as certified under Rule 54(b).
Summary of the Judgment
- CFAA: The court held that, absent code‑based hacking, breaches of workplace computer‑use policies by current employees do not constitute access “without authorization” or “exceed[ing] authorized access.” The court adopted a practical definition of “authorization”: an employee is authorized when the employer approves or sanctions their admission to the computer (consistent with sister‑circuit authority). Applying Van Buren v. United States’s “gates‑up-or‑down” approach, the court rejected NRA’s attempt to criminalize policy breaches.
- Trade Secrets (DTSA/PUTSA): Passwords that function merely as barriers to systems are not trade secrets because they lack “independent economic value.” It is the data or strategy behind the gate—not the gate code itself—that may have protectable value, unless the passwords themselves embody a protectable formula or algorithm.
- State Torts: Civil conspiracy failed for lack of an underlying tort and lack of malice; breach of duty of loyalty failed because the employees neither competed with NRA nor diverted opportunities; fraud failed because NRA offered no evidence of scienter—only speculation.
- Jurisdiction (Rule 54(b)): Although the court expressed concern about potential retaliatory litigation given the harassment backdrop, it found the adjudicated claims legally distinct from the stayed employment claims and accepted certification.
Detailed Analysis
Precedents Cited and Their Role
CFAA Framework
- Van Buren v. United States, 593 U.S. 374 (2021): The Supreme Court interpreted “exceeds authorized access” to cover entry into technologically off‑limits portions of a computer (files/folders/databases) to which the user lacks access—in short, a “gates‑up-or‑down” inquiry. Importantly, the Court warned that treating mere policy violations as CFAA offenses would criminalize ordinary behavior.
- WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009): Sister‑circuit cases limiting the CFAA to “hacking‑like” conduct and refusing to convert policy breaches into crimes or civil CFAA violations.
- Teva Pharms. USA, Inc. v. Sandhu, 291 F. Supp. 3d 659 (E.D. Pa. 2018): Persuasive district‑court authority endorsing the definition of authorization as employer‑approved admission to a computer.
- Leocal v. Ashcroft, 543 U.S. 1 (2004); United States v. Lanier, 520 U.S. 259 (1997): Canon of strict construction of criminal statutes applies equally in criminal/civil applications of the CFAA; ambiguous criminal statutes must be construed narrowly to ensure fair notice.
- Rehaif v. United States, 588 U.S. 225 (2019): Cited for the proposition that courts often read scienter terms to modify entire statutory phrases—invoked in dicta regarding the CFAA’s “intentionally” requirement (though not necessary to the holding).
Trade Secrets
- Bimbo Bakeries USA, Inc. v. Botticella, 613 F.3d 102 (3d Cir. 2010): Third Circuit’s PUTSA guidance on protectable information and reasonable secrecy efforts.
- Synthes, Inc. v. Emerge Med., Inc., 25 F. Supp. 3d 617 (E.D. Pa. 2014); Bro‑Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378 (E.D. Pa. 2009): District‑court treatments of compilations of data (such as customer information) as potential trade secrets when they have independent economic value and are the owner’s intellectual property.
- State Analysis, Inc. v. American Financial Services Ass’n, 621 F. Supp. 2d 309 (E.D. Va. 2009): Persuasive authority that passwords are mere “barriers” lacking independent economic value unless they embody a proprietary formula/algorithm; the Third Circuit embraced this reasoning.
- Estate of Accurso v. Infra‑Red Services, Inc., 805 F. App’x 95 (3d Cir. 2020) (nonprecedential): Distinguished; that panel assumed without deciding that a password/ID could be a trade secret and addressed only “ownership,” not independent economic value.
- Spring Steels, Inc. v. Molloy, 162 A.2d 370 (Pa. 1960): Cited for the principle that “customer lists” can be trade secrets when they reveal substantive, non‑public commercial information, not merely names or superficial identifiers.
State Tort Claims
- Thompson Coal Co. v. Pike Coal Co., 412 A.2d 466 (Pa. 1979): Civil conspiracy requires an underlying tort and malice—i.e., an intent to do an unlawful act (or lawful act by unlawful means) with the “sole purpose” to injure.
- Scully v. US WATS, Inc., 238 F.3d 497 (3d Cir. 2001): “Proof of acts equally consistent with innocence” does not establish malice.
- McDermott v. Party City Corp., 11 F. Supp. 2d 612 (E.D. Pa. 1998): Elements of breach of duty of loyalty under Pennsylvania law.
- Reading Radio, Inc. v. Fink, 833 A.2d 199 (Pa. Super. Ct. 2003); Restatement (Third) of Agency §§ 8.04, 8.05: Employees owe a duty not to compete with, or misappropriate from, their employer.
- Onorato v. Wissahickon Park, Inc., 244 A.2d 22 (Pa. 1968): The “no one can serve two masters” principle animating the duty of loyalty.
- SodexoMAGIC, LLC v. Drexel Univ., 24 F.4th 183 (3d Cir. 2022): Elements of common‑law fraud, including knowledge of falsity or intent to deceive.
- Wharton v. Danberg, 854 F.3d 234 (3d Cir. 2017): Speculation and conjecture cannot defeat summary judgment.
Jurisdiction and Appellate Procedure
- Elliott v. Archdiocese of New York, 682 F.3d 213 (3d Cir. 2012); Berckeley Investment Group, Ltd. v. Colkitt, 455 F.3d 195 (3d Cir. 2006): Rule 54(b) standards (finality and “no just reason for delay” with a five‑factor analysis).
- Canada v. Samuel Grossi & Sons, Inc., 49 F.4th 340 (3d Cir. 2022): De novo review of summary judgment.
Legal Reasoning
The court’s reasoning proceeds from a careful textual and purpose‑driven reading of the CFAA, framed by Supreme Court guidance in Van Buren, and extends to a straightforward application of trade secret elements and state tort standards.
1) CFAA: Authorization and the “gates‑up‑or‑down” test
- Defining authorization: The court formally adopts the widely used rule that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.” Hiring plus credentials equals authorization; the statutory trigger is about entry, not about why or how one uses permitted access.
- Exceeds authorized access: Under Van Buren, the statute targets crossing into technological areas that are “off‑limits” (e.g., breaking through authentication or code‑based barriers). Here, both employees entered an account for which the employer had granted overall access—no gates were down. Violating workplace rules (no sharing, no off‑premises access, no password spreadsheets) may be disciplinable or give rise to other civil claims, but it is not “exceeding authorized access.”
- Without authorization: The court rejects an attempt to relabel policy violations as “without authorization.” Absent evidence of code‑circumvention (hacking), a current employee’s breach of use policies is not CFAA “without authorization.” This resolves a lingering post‑Van Buren question—at least within the Third Circuit—for current‑employee policy breaches.
- Rule of lenity/fair notice: Because CFAA violations carry criminal penalties and the statute applies identically in civil and criminal contexts, ambiguity must be resolved narrowly. Allowing private policy manuals to define federal criminal exposure poses notice problems and risks federalizing ordinary workplace disputes. The court pointedly refuses NRA’s invitation to turn an urgent, CEO‑directed effort to resolve a licensing deadline into a federal crime.
- Scienter note: Though unnecessary to the holding, the panel observes that even if one assumed unauthorized access, the term “intentionally” in § 1030(a)(2) would likely extend across “exceeds authorized access,” reinforcing the narrow construction of CFAA liability.
2) DTSA/PUTSA: Why passwords are not trade secrets
- Independent economic value: To qualify as a trade secret, information must derive independent economic value from being secret. Passwords are “numbers and letters” that function as access barriers. The value lies in what they protect (customer data, pricing, strategies), not in the character strings themselves—unless the strings embody a proprietary algorithmic scheme or otherwise qualify as intellectual property in their own right.
- Remediability underscores non‑secret status: NRA immediately cured any risk by changing the passwords. That immediate mitigability contrasts with quintessential trade secrets (e.g., a recipe or formula), where disclosure permanently destroys value. The court emphasizes that NRA’s conflation of sensitive back‑end data with the credentials guarding it “misses the point.”
- “Customer list” theory rejected: To the extent NRA suggested the passwords identified customers, the court notes NRA itself pseudonymized names; in any event, a protectable customer list requires substantive commercial intelligence not present here.
3) State tort claims: No underlying wrong, no malice, no competition, no scienter
- Civil conspiracy: Fails because (i) no underlying statutory violation survived; and (ii) no malice—the record supports a legitimate business purpose (solving an urgent licensing problem), and “proof equally consistent with innocence” cannot establish the required malicious intent.
- Duty of loyalty: Pennsylvania’s duty centers on non‑competition, non‑diversion, and fidelity to the employer’s interests. Violating IT policies by making/using a password spreadsheet (to complete work tasks) is not competition and does not, without more, breach the duty.
- Fraud: NRA’s bonus‑account theory founders on scienter; at most it shows ambiguity about eligibility and after‑the‑fact discipline. Asking “did I do something wrong?” does not evidence knowing falsity or intent to deceive. Speculation cannot stave off summary judgment.
4) Rule 54(b) certification
- The panel acknowledged concern that the employer’s lawsuit might have been retaliatory against harassment complainants. Still, the adjudicated computer‑misuse and trade‑secrets issues were legally separable from the stayed harassment claims, satisfying finality and the “no just reason for delay” factors.
Impact and Implications
Immediate doctrinal significance
- CFAA narrowed to code‑based intrusions for current employees: Within the Third Circuit (PA, NJ, DE, VI), employers cannot use the CFAA to pursue current‑employee policy breaches absent proof of hacking or entry into technologically off‑limits areas. This aligns the Circuit with the Fourth and Ninth Circuits and provides clear guidance post‑Van Buren.
- Credentials ≠ trade secrets: DTSA/PUTSA claims premised solely on leaked passwords will fail unless the passwords themselves embody protectable intellectual property or independent economic value. Plaintiffs must plead and prove the value‑bearing content—data, methods, strategies—not merely the keys.
- State‑law guardrails: Employers retain robust state‑law tools—breach of contract, breach of confidentiality agreements, conversion/misappropriation of actual data, fiduciary‑duty claims where there is competition or diversion, and injunctive relief—but should not expect CFAA leverage for routine policy violations.
For employers and counsel
- Reassess litigation strategies that reflexively layer CFAA and DTSA counts onto internal‑policy cases; anticipate motions to dismiss/summary judgment demanding proof of code‑based circumvention or theft of value‑bearing information.
- Harden systems with technical controls (least‑privilege access, MFA, monitored admin sessions, audit logs, remote‑work enablement) rather than relying on handbooks to deter misuse. The opinion implicitly rewards code‑based controls by making them the legal “gates.”
- Draft confidentiality agreements that define protected information with specificity (customer analytics, pricing models, source code) and train employees accordingly. Prohibit password spreadsheets and provide secure enterprise password managers to reduce risky workarounds.
- When investigating incidents, distinguish between (a) credential‑sharing and policy breaches and (b) extraction or misuse of protected content. Preserve forensic evidence of any code‑based circumvention and access to off‑limits repositories.
For employees and compliance officers
- The decision narrows the risk of being labeled a “hacker” for violating policy, but it does not immunize misconduct. Contractual, disciplinary, and other civil claims remain available to employers; criminal exposure may arise under other statutes if protected data is misused or exfiltrated.
- Organizations should provide compliant ways to meet urgent business needs (e.g., approved remote access) to avoid risky workarounds that tempt policy violations.
For trade secret litigators
- Plead independent economic value with granularity. Identify the secret sauce (models, non‑public performance data, curated customer insights) rather than relying on access credentials or labels.
- Expect courts to ask whether the harm was cured by a password reset; quick remediation will cut against characterizing leaked credentials as trade secrets.
For prosecutors and regulators
- The opinion cautions against using the CFAA as a catch‑all for internal policy violations and underscores fair‑notice concerns when criminal liability turns on private, often‑opaque policy manuals.
Complex Concepts Simplified
- CFAA “without authorization” vs. “exceeds authorized access”
  - “Without authorization”: You were never let past the gate—think outside intruders or former employees after access is revoked.
  - “Exceeds authorized access”: You had a key, but you picked a lock to a forbidden room (a technical barrier to specific files/folders/databases). Violating a rule about what you may do inside rooms you’re allowed to enter does not, by itself, trigger the CFAA.
- Code‑based vs. policy‑based limits
  - Code‑based: Firewalls, authentication gates, access controls. Circumventing these can trigger CFAA liability.
  - Policy‑based: Handbooks and contracts telling you not to share passwords or to use systems only for business. Breaking these is not CFAA hacking (though it may breach contracts or policies).
- Trade secret “independent economic value”
  - Information qualifies if its secrecy makes money or saves money because competitors cannot easily obtain it by proper means. The “value” must come from the information itself, not just from the inconvenience of needing a password to view it.
- Civil conspiracy (Pennsylvania)
  - You need an underlying legal wrong and malice (a purpose to injure). If your evidence fits an innocent explanation, you probably cannot show malice.
- Duty of loyalty (Pennsylvania)
  - Employees must not compete with their employer or divert its opportunities. Policy violations alone, without competition or misuse of the employer’s assets for personal/third‑party gain, do not necessarily breach this duty.
- Common‑law fraud
  - Requires a knowingly false statement or an intent to deceive, not mere confusion about vague internal eligibility standards.
- Rule 54(b) Certification
  - Allows immediate appeal of a final judgment on some claims while others remain pending, when there’s “no just reason for delay.” Courts weigh overlap, mootness risk, duplication of appellate work, potential setoffs, and practicalities like cost and delay.
Conclusion
NRA Group LLC v. Durenleau marks a clear doctrinal line in the Third Circuit: the CFAA is a hacking statute, not a tool to federalize violations of private computer‑use policies by current employees. By adopting an authorization standard tethered to employer‑granted access and embracing Van Buren’s “gates‑up-or‑down” approach, the court reduces the risk that ordinary workplace missteps will be recast as federal crimes. Complementing that narrowing, the court clarifies that passwords, standing alone, generally are not trade secrets—they are keys to value, not the value itself—unless the credentials themselves embody proprietary intellectual property.
The opinion steers employers toward state‑law remedies and better technical controls, warns litigants against overreaching CFAA and DTSA theories, and provides a pragmatic roadmap for distinguishing policy breaches from cyberintrusions. On the tort front, it reinforces familiar elements—malice for civil conspiracy, competition for duty‑of‑loyalty breaches, and scienter for fraud—and applies them rigorously at summary judgment. In a workplace context fraught with allegations of harassment and potential retaliatory litigation, the decision also models careful Rule 54(b) analysis while keeping the merits tightly cabined to legally distinct issues.
Bottom line: Within the Third Circuit, CFAA claims premised on policy violations by current employees face a high bar; trade secret plaintiffs must show independent economic value in the information itself; and state‑law theories still require their traditional, demanding elements. The case will likely shape pleading strategies, incident‑response playbooks, and the architecture of internal controls across the region and beyond.