The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, is primarily a criminal statute aimed at computer hacking, but the law also creates a private cause of action in certain narrowly defined circumstances. With the prospect of additional legal remedies and an entrée into federal court, companies are asserting CFAA claims against disloyal employees who have misappropriated company data to use in a competing venture. In recent years, courts have been split about the reach of the CFAA: Is it intended only to cover computer hackers and electronic trespassers, or does it also apply to employees who abuse computer access privileges and misuse company information? While Congress is debating several bills that would clarify the scope of the CFAA, the U.S. Supreme Court has yet to consider the issue, so for now, companies will plead broad CFAA claims against disloyal employees, and trial courts are left to wrestle with the issue.
This article will discuss the CFAA generally and the definition of “unauthorized access” under the statute as it relates to employee misappropriation, as well as the use of novel CFAA theories to seek redress from the transmission of unwanted data to mobile phones and communication systems.
The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers “without authorization” or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to destroying computer data. See 18 U.S.C. §1030(a)(1)-(7). The statute, in relevant part, provides a private federal cause of action against a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer.” 18 U.S.C. §1030(a)(2). Although principally a criminal statute, the CFAA also provides for a private civil right of action, allowing for awards of damages and injunctive relief in favor of any person who suffers a loss due to a violation of the act. See 18 U.S.C. §1030(g).
Companies routinely plead CFAA claims (in addition to state law causes of action for misappropriation and breach of contract) against former employees who seek a competitive edge through the use of information copied from their former employer’s computer network. An employee who has not yet announced his or her departure is typically still able to access a company’s network and then transfer data onto an external memory device or send it to a personal email account before leaving the company.
Faced with this situation, an employer might claim that its departing employee acted “without authorization” or “exceeded authorized access.” Section 1030(e)(6) of the statute defines the term “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” A number of courts have construed the definition of “exceeds authorized access” to apply to a person who uses a limited level of initial access authority to obtain other, more highly protected information that he or she is not entitled to access—that is, an authorized user who crosses boundaries set by the system owner. See, e.g., Orbit One Commc’ns v. Numerex, 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010).
However, the phrase “without authorization” is not defined by the CFAA, leading to differing interpretations. As a result, courts have split on the question of whether an employee who accessed a computer network with an improper purpose acted “without authorization” and may be held liable under the CFAA.
The minority view interprets the CFAA broadly to encompass use of a computer for an improper purpose, even if the access itself was lawful. These courts, including at least two circuit courts, have applied agency law principles to find that an employee who accesses company data for an improper purpose inconsistent with the employer’s interest or contrary to a company usage policy violates the CFAA. See, e.g., Int’l Airport Ctrs. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (“[The employee's] breach of his duty of loyalty terminated his agency relationship and with it his authority to access the laptop, because the only basis of his authority had been that relationship”); United States v. John, 597 F.3d 263 (5th Cir. 2010) (employee exceeded her authorized access when she accessed confidential customer information in violation of her employer’s computer use restrictions and used that information to commit fraud); Musket v. Star Fuel of Oklahoma, 2012 WL 3595048 (W.D. Okla. Aug. 21, 2012) (ex-employee who downloaded shareware against company policy and then used it to copy proprietary files contrary to a non-disclosure agreement for a new position at a competitor may have “exceeded authorized access” under the CFAA).
The majority of courts, however, have held that the CFAA does not encompass an employee’s misuse or misappropriation of information that was lawfully accessed. In a noteworthy decision espousing the majority view, the Ninth Circuit found that a departing employee who emailed company documents to his personal computer did not access the network “without authorization” or “exceed authorized access.” LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009). The appeals court found no language in the CFAA that suggests authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest. The court clarified that a person uses a computer “without authorization” when that person has not received permission to use the computer for any purpose (e.g., a hacker) or when the employer has rescinded permission to access the computer and the employee thereafter accesses the company network.
Thus, courts following Brekka have held that to read “without authorization” or “exceeds authorized access” as prohibiting misuse or misappropriation would grossly expand the statute’s reach because, among other reasons: (1) the statute was designed primarily to deter computer hacking, not misappropriation of lawfully accessed information; and (2) the CFAA is principally a criminal statute, so the rule of lenity requires courts to interpret it narrowly and resolve any ambiguity in a defendant’s favor. Regardless, an employer seeking a remedy against a disloyal employee is presumably left with state claims, including misappropriation, breach of contract and fiduciary duty, conversion, and tortious interference.
Echoing Brekka, the Fourth Circuit issued an important decision adopting a narrow view of the CFAA. In WEC Carolina Energy Solutions v. Miller, 2012 WL 3039213 (4th Cir. July 26, 2012), the court found that the CFAA failed to provide a remedy for misappropriation of trade secrets or violation of company policy by an employee where network authorization had not been rescinded at the time of the alleged misappropriation. The court found that, based upon the ordinary meaning of “authorization,” an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer and only acts “without authorization” when an employee gains admission to a computer without approval.
Similarly, the court noted that an employee “exceeds authorized access” when he has approval to access a computer, but uses access to obtain or alter information that falls outside the bounds of approved access. Given that the defendant allegedly downloaded proprietary data while still fully employed, the court concluded that the CFAA did not reach the improper use of information validly accessed.
In closing, the court expressed the frustration of employers seeking relief under federal law: “Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.” Id. at *7.
In the criminal context, courts within the Ninth Circuit have also taken a nuanced view of the statute over the past several years. For example, in one well-reported case, United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009), the defendant and her daughter created a fictitious MySpace profile of a boy who expressed interest in a teenage acquaintance of her daughter, all in a scheme to taunt the teenage girl. After receiving hateful messages from the fictitious boy, the teenage girl committed suicide and the government brought criminal CFAA charges based upon the defendant’s violation of the MySpace terms of service in creating a fake profile to be used for cyberbullying. The case raised the novel issue of whether violations of a website’s terms of service can constitute a crime under CFAA §§1030(a)(2)(C) and 1030(c)(2)(A) for accessing a computer without authorization in furtherance of a tortious act.
After the jury convicted the defendant on a misdemeanor CFAA charge, the court overturned the conviction, holding that a misdemeanor violation based upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine because of actual notice deficiencies and the absence of minimal guidelines to govern law enforcement. Notably, the court reasoned that if a website’s terms of service controls what is “authorized” and what is “exceeding authorization”—which in turn governs whether an individual’s conduct is criminal or not—the statute would be unacceptably vague because “it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will.” Id. at 464.
This past spring, the Ninth Circuit, echoing Brekka and Drew, took a narrow position on the reach of the criminal provisions of the CFAA. In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the appeals court ruled that under the criminal provisions of the CFAA, a departing employee who accessed his employer’s databases to help start a competing business did not “exceed authorized access” of the computer system even if such use of the proprietary materials violated the employer’s computer use policy. The Ninth Circuit rejected the government’s broad interpretation of the statute that would have “transform[ed] the CFAA from an anti-hacking statute into an expansive misappropriation statute.” Clarifying the two prongs of the CFAA’s prohibitions, the court stated:
“[W]ithout authorization” would apply to outside hackers (individuals who have no authorized access to the computer at all) and “exceeds authorized access” would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).
Id. at 858. Construing the statutory language narrowly, the appeals court found that a broad interpretation of the CFAA would turn minor online dalliances by employees using company computers into federal crimes and that significant notice problems would arise if criminal liability turned on the vagaries of corporate computer use policies that are “lengthy, opaque, subject to change and seldom read.”
CFAA Transmission Claims
Beyond CFAA “authorization” claims, parties have also sought to use the CFAA in cases involving unauthorized “transmissions” of information that cause damage. To state a transmission claim, a plaintiff must allege that the defendant “knowingly cause[d] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[d] damage without authorization, to a protected computer.” 18 U.S.C. §1030(a)(5)(A). Some courts have rejected transmission claims as vague and fanciful, while other courts have sustained such claims.
For example, in Czech v. Wall Street on Demand, 674 F. Supp. 2d 1102 (D. Minn. 2009), the plaintiff commenced a putative action against the defendant after receiving unwanted text messages on her mobile phone, alleging that unwanted text messages from the defendant consumed limited resources on her mobile phone, thereby constituting “damage” under the CFAA.
The court ruled that the damage allegations were conclusory and dismissed the complaint. It found that absent an allegation of interruption of telephone or messaging services, the receipt of an unwanted text message, even if such a transmission were to consume limited electronic resources, did not constitute damage under the CFAA. The court commented that such a theory would necessarily extend “damage” to include the receipt of even wanted messages (which conceivably consume the same amount of a phone’s capacity). According to the court, damage under the CFAA does not occur simply by “any use or consumption of a device’s limited resources,” but rather damage must arise from an impairment of performance “that occurs when the cumulative impact of all calls or messages at any given time exceeds the device’s finite capacity so as to result in a slowdown, if not an outright ‘shutdown,’ of service.” Id. at 1117.
Examining allegations of such a “slowdown,” the Sixth Circuit allowed a CFAA transmission claim to go forward related to impairment to a communication network. In Pulte Homes v. Laborers Int’l Union of North America, 648 F.3d 295 (6th Cir. 2011), a company suffered impairment to business operations due to the defendant’s campaign to bombard the company with thousands of emails and voicemails. The appeals court reversed the lower court’s dismissal of the plaintiff’s CFAA transmission claim, finding that the email campaign prevented the plaintiff’s employees from accessing or sending emails and voicemails, which could be deemed “damage” under the statute, and that the defendant acted with a conscious purpose to impair the plaintiff’s computer systems. The court, however, affirmed the dismissal of the plaintiff’s CFAA unauthorized access claims because the defendant’s calls and emails did not enter the plaintiff’s networks “without authorization” since the company used unprotected public communications systems, much like a public website.
Richard Raysman is a partner at Holland & Knight and Peter Brown is a partner at Baker & Hostetler. They are coauthors of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press).