A recent decision by the 4th Circuit serves to caution employers regarding available recourse against disloyal employees. WEC Carolina Energy Solutions LLC v. Miller, considered application of the federal Computer Fraud and Abuse Act of 1986 (CFAA) and determined that a former employee’s misappropriation of the company’s information did not violate the CFAA because the employee did not act “without authorization.”

The CFAA, primarily a criminal statute, was designed by Congress to combat computer hacking. It allows, however, for a private party “who suffers damage or loss by reason of a violation of [the statute]” to bring a civil action “to obtain compensatory damages and injunctive relief or other equitable relief.” Relevant to the case, the CFAA prohibits:

  1. Intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining information from any protected computer
  2. Knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, and by means of such conduct furthering the intended fraud and obtaining anything of value; or
  3. Intentionally accessing a protected computer without authorization, and as a result of such conduct, recklessly causing damage or causing damage and loss.

WEC brought suit against Miller, Miller’s assistant and Miller’s new employer, Arc (a competitor of WEC), after Miller used information accessed in his final days at WEC to make a presentation to a potential customer on behalf of Arc. Miller or his assistant, who also went to work for Arc, downloaded a “substantial number” of WEC’s confidential documents to a personal computer and emailed them to a personal email address. The customer ultimately awarded two projects to Arc.

WEC argued that the defendants violated the CFAA because “under WEC’s policies they were not permitted to download confidential and proprietary information to a personal computer,” thereby breaching their fiduciary duties to WEC and, via that breach, “either (1) lost all authorization to access the confidential information or (2) exceeded their authorization.”

The district court determined that WEC failed to state a claim under the CFAA because the defendants violated policies regarding use of information rather than access to the information. The 4th Circuit agreed.

In reaching its decision, the 4th Circuit considered decisions of other circuits and highlighted a split that remains ripe for resolution by the Supreme Court. Certain courts have held that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.

In contrast, other courts have interpreted “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. These courts have ruled similarly to the 4th Circuit, finding “that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.”

Employers are encouraged to take note of this decision, its potential effect on situations involving disloyal employees, and the differing interpretations of the CFAA.