Employers have increasingly turned to the Computer Fraud and Abuse Act (CFAA), 18 USC §1030, for a cause of action against disloyal employees who allegedly misappropriated confidential or proprietary information from company computers. Originally enacted to combat the problem of computer hacking, the CFAA criminalizes unauthorized access to a private computer and also provides for private parties suffering harm from such conduct to bring civil actions for relief in federal court.
Recently, however, in WEC Carolina Energy Solutions v. Miller, 687 F3d 199 (4th Cir. 2012), the U.S. Court of Appeals for the Fourth Circuit held that the CFAA may not be used to impose liability on an employee who is given lawful access to an employer’s electronic information but later improperly uses that information. With this narrow interpretation, the Fourth Circuit followed in the footsteps of the U.S. Court of Appeals for the Ninth Circuit, but departed from the broader interpretation adopted by the First, Fifth, Seventh and Eleventh circuits, which have held that the CFAA covers employee misappropriation or other violations of employers’ computer use policies. This month’s column discusses this deepening circuit split over whether the CFAA is available for employers against rogue employees.
The CFAA was enacted in 1984 as a criminal statute to protect data on federal computers and deter hackers. Over time, the CFAA evolved to include a private right of action for any person who suffers a loss because of a violation of the act. Employers have more and more taken advantage of the CFAA’s civil remedies to seek both monetary and injunctive relief against employees they believe have misappropriated information from company computers, especially in the context of non-compete and trade secrets litigation. A number of state law causes of action, including breach of a restrictive covenant, misappropriation of trade secrets and breach of fiduciary duty, may potentially provide relief to employers in this context, but there are several benefits to claims under the CFAA. First, the CFAA allows for federal question jurisdiction in cases that often lack another basis for federal jurisdiction. In addition, the CFAA does not require the employer to prove that the information at issue is actually a trade secret. Moreover, the CFAA ups the ante in the case by opening up the possibility of converting a civil defendant into a criminal one.
To establish a civil action against an individual under the CFAA, an employer must prove that the individual: (1) intentionally accessed a “protected computer,” (2) “without authorization” or “exceed[ing] authorized access,” and as a result (3) caused damage or loss of at least $5,000 in value during any one-year period. 18 USC §§1030(a)(2), 1030(c)(4), 1030(g). Because “protected computer” is broadly defined to include any computer used in or affecting interstate commerce, almost all computers are covered by virtue of the internet. The crux of the circuit court split pertains to the interpretation of two important phrases, namely “without authorization” and “exceeds authorized access.” Because the CFAA originally targeted third-party offenders, it is unclear whether or not an employee who has authorized access to a computer, but then engages in the misuse or misappropriation of confidential information obtained from the computer, has acted without authorization or exceeded authorized access in violation of the statute.
The Fourth Circuit’s July 26, 2012, decision in WEC Carolina Energy Solutions held that an employer did not state a CFAA claim against its former employee who had lawful access to sensitive data stored on the company’s servers but allegedly misused that information in violation of the employer’s computer use policy. The former employee had resigned from WEC and then made a presentation to a potential WEC customer, ultimately winning the projects from the customer. WEC alleged that before leaving, the former employee downloaded confidential documents from the company’s servers and emailed them to his personal email address. WEC had policies prohibiting the misuse of company information, including restrictions on the ability to download that information to personal computers; however, the company imposed no restrictions on the defendant’s ability to access the information.
In affirming dismissal of the CFAA claim, the Fourth Circuit held that unauthorized access does not “exten[d] to the improper use of information validly accessed.” Instead, the CFAA’s phrases “‘without authorization’ and ‘exceeds authorized access’…apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” Because the former employee was authorized to access the confidential documents at issue, his employer could not state a CFAA claim.
In reaching its conclusion, the Fourth Circuit invoked the rule of lenity, which states that when two plausible interpretations of a criminal statute exist, the court should choose the less harsh alternative. In other words, the court found that Congress must speak clearly to criminalize activity, and the CFAA does not clearly extend to the violation of an employer’s computer use policy.
With this narrow view, the Fourth Circuit followed the lead of the Ninth Circuit in its April 10, 2012, en banc ruling in United States v. Nosal, 676 F3d 854 (9th Cir. 2012), which cautioned against turning the CFAA “from an anti-hacking statute into an expansive misappropriation statute” or “sweeping Internet-policing mandate.” In Nosal, a former search firm executive convinced his former coworkers to download and transfer to him confidential information from the search firm’s network (in violation of the firm’s computer use policy) to help him start a competing business. The government indicted David Nosal for, among other things, aiding and abetting violations of the CFAA.
The Ninth Circuit’s en banc panel dismissed the CFAA claims, reasoning that the statute’s phrase “without authorization” contemplates the “outside hacker,” or an individual without authorization to access the protected computer in the first instance, and the phrase “exceeds authorized access” contemplates the “inside hacker,” or one who has limited access to the protected computer but accesses information outside the scope of his or her authorized access. Because the former executive’s accomplices had permission to access the company database and obtain the information at issue, the en banc Ninth Circuit found the CFAA charges failed to meet the “without authorization” or “exceeds authorized access” element. The Nosal court further expressed concern that broadly interpreting the CFAA to prohibit unauthorized use of protected computers (as opposed to unauthorized access) could effectively criminalize a wide range of “minor dalliances” by employees, such as Internet shopping, posting Facebook messages and other activities routinely prohibited by employers’ computer use policies.
On the other side of the split, the First, Seventh, Fifth, and Eleventh circuits have interpreted the CFAA more broadly.
In EF Cultural Travel v. Explorica, 274 F3d 577 (1st Cir. 2001), the U.S. Court of Appeals for the First Circuit upheld the issuance of a preliminary injunction on a tour company employer’s CFAA claim, finding the tour company was likely to prove a former employee “exceeded authorized access” to the tour company’s website within the meaning of the CFAA. The former employee, who had a confidentiality agreement with the tour company, created a “scraper” program used to systematically retrieve pricing information from the tour company’s website to develop a competing entity with lower prices. Although pricing information was accessible to the public on the tour company’s website, the court found the former employee’s use of confidential information to create the scraper program “reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use” of the former employer’s website.
In Int’l Airport Centers v. Citrin, 440 F3d 418 (7th Cir. 2006), the U.S. Court of Appeals for the Seventh Circuit held that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and any authority he has to access the computer or information contained on it. In Citrin, the employee decided to quit his job and start a competing business, in violation of his employment contract. The employee allegedly deleted crucial data on a company laptop prior to turning it in at the end of his employment. Finding the employee’s action violated the CFAA, the Seventh Circuit reasoned that his authorization to access the laptop terminated when, having decided to quit in violation of his employment contract, he resolved to destroy files that were the property of his employer, in violation of the duty of loyalty.
In United States v. John, 597 F3d 263 (5th Cir. 2010), the Fifth Circuit upheld the CFAA conviction of a former account manager at a bank who provided customers’ bank account information to her half-brother, enabling her half-brother to incur fraudulent charges on several customers’ checking accounts. In response to her conviction for exceeding authorized access to the bank’s computers in violation of the CFAA, the former bank employee contended the CFAA does not prohibit unlawful use of material that she was permitted to access through authorized use of a company computer. However, the Fifth Circuit affirmed her conviction, holding the phrases “without authorization” and “exceeds authorized access” encompass unauthorized use of information validly obtained from a company computer, at least if the use is in furtherance of a crime.
Unlike the facts of John, no crime was involved in United States v. Rodriguez, 628 F3d 1258 (11th Cir. 2010), but the Eleventh Circuit affirmed a CFAA conviction. In Rodriguez, a former employee of the Social Security Administration violated the administration’s computer use policy by accessing female acquaintances’ personal identifying information for non-business reasons. The administration’s policy is that use of databases to obtain personal information is authorized only when done for business reasons. The former employee argued he did not violate the CFAA because he accessed only databases he was authorized to use in connection with his job duties, but the Eleventh Circuit held that his breach of the administration’s policy foreclosed such an argument.
The U.S. Court of Appeals for the Second Circuit has not squarely addressed whether an employer may bring a CFAA claim against an employee who misuses information obtained from a company computer. However, district courts within the Second Circuit are split on this issue, with some cases taking the narrow view of the Fourth and Ninth circuits and others adopting a broader view.
For example, in University Sports Publications v. Playmakers Media, 725 FSupp2d 378 (SDNY 2010), the court discussed the circuit split and found the narrow view more persuasive. Thus, the court rejected the employer’s argument that a former employee, who was authorized to access the company’s database, violated the CFAA by using the database to misappropriate confidential information. See also Orbit One Commc’ns. v. Numerex, 692 FSupp2d 373, 385 (SDNY 2010).
On the other hand, in Calyon v. Mizuho Securities U.S.A., No 07 Civ 2241, 2007 WL 2618658 (SDNY Sept. 5, 2007), the court denied a former employee’s motion to dismiss a CFAA claim, where before leaving for a competitor, the employee emailed proprietary company information (which he was otherwise authorized to access) to his personal email account, in violation of his company email policy. The court found “exceeds authorized access” under the CFAA includes an employee accessing documents on a computer system which that employee had to know was “in contravention of the wishes and interests of his employer.”
The Appellate Division, First Department, also weighed in, and recently adopted the Ninth Circuit’s view that the CFAA does not “encompass [an employee's] misappropriation of information that he lawfully accessed while working for [the employer] or misuse of work computers in violation of their computer policies.” MSCI v. Jacob, 96 AD3d 637 (1st Dept. 2012).
The Supreme Court has yet to address application of the CFAA to employee violations of computer use policies. Although many hoped it would do so on certiorari from the Ninth Circuit’s Nosal decision, the Justice Department decided not to pursue an appeal of the decision. Until the Supreme Court resolves the split in the circuits, prudent employers should ensure that computer use policies are precisely worded and that access to confidential data is narrowly controlled.
John P. Furfaro is a partner at Skadden, Arps, Slate, Meagher & Flom. Risa M. Salins is a counsel at the firm. Madeline Stavis, an associate at the firm, assisted in the preparation of this article.