The stars are coming into alignment for a cert grant at the U.S. Supreme Court on a statute of interest to all employers: the Computer Fraud and Abuse Act (CFAA), which contains civil and criminal penalties when someone accesses a person’s computer “without authorization or exceeds authorized access. . . .”
What exactly do these seemingly simple phrases mean? The answer is of import to employers when an employee swipes confidential information stored in its computer system and hustles with it over to a competitor.
The 4th U.S. Circuit Court of Appeals recently wrestled with the issue in WEC Carolina Energy Solutions LLC v. Miller, et al. In its July 26 opinion, the court sketched out the following: A WEC employee allegedly tapped into the company’s computer system, located confidential information and sent it to his private email address, all in violation of company policies. As alleged, the employee resigned to join a cross-town rival and used the swiped information in a presentation to a potential client. WEC sued.
The 4th Circuit laid out the competing schools of thought on the authorization issue. The 7th Circuit has said in International Airport Centers LLC, et al. v. Citrin (2006) that there is an arguable CFAA violation because, even though an employee who accessed the information was entitled to do so, he lost the privilege because the access was for an unauthorized purpose. By breaching his duty of loyalty to his employer, the employee terminated his agency relationship and with it his authority to access the computer system.
But the 9th Circuit took a literal approach to the idea of authorization in United States v. Nosal (2012). If an employee was authorized to access the information, he was authorized to access the information regardless of his intent. The employee’s right to access lasted until the right was rescinded. The 9th Circuit also looked at the CFAA’s legislative history and determined that Congress was trying to address the issue of hacking, not provide a remedy for misappropriation of trade secrets.
The 4th Circuit adopted the 9th Circuit’s reasoning and affirmed the trial court’s decision to dismiss the CFAA cause of action for failure to state a claim. Its language was direct: “Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a [company] use policy.”
Texas lawyers should know that the 5th Circuit prefers the 7th Circuit’s approach to authorization. In United States v. John (2010), the 5th Circuit focused on conduct that “exceeds authorized access” and reasoned that merely giving access to an employee is not an unlimited right of access for any purpose at any time. So, an employee exceeded the authorized access if he or she used that access to steal a company’s valuable information. For a case applying this holding in the misappropriation of trade secrets scenario, read the U.S. District Court for the Northern District of Texas’ opinion in Meats By Linz v. Dear (2011).
Also, taking information, even for uses that are not criminal, still violates the CFAA because it “exceeds” authorized access. Read the 11th Circuit’s spooky opinion in United States v. Rodriguez (2010), in which a U.S. Social Security Administration employee allegedly exceeded his authorized access when he tapped into the Social Security system’s computers to get personal information on former girlfriends and potential paramours so that he could send them flowers or show up at their homes.
So what exactly are the damages an employer can recover for a violation? Not much, it turns out. The latest word is from a July Southern District of New York case, Schatzki v. Weiser Capital Management. The court said that the only damages recoverable are economic damages (damages that flow from an injury to the computer system itself) and not consequential damages from the alleged theft of the information, such as lost profits.
Here is the drill: Did the unlawful access damage the data or the system itself? CFAA covered. Did the unlawful access require the company to identify evidence of the breach and determine the need for remedial measures to the network? CFAA covered. Did the unlawful access require the company to hire consultants and lawyers to get the information back from the employee who allegedly took it? Not CFAA covered.
The opinion ran down these scenarios, with the last being the allegations before it. So, motion to amend complaint denied, and CFAA claim dismissed.
The U.S. Supreme Court eventually will resolve the authorization issue. There is a well-developed body of authority on both views. And, the CFAA imposes criminal liability, not just civil. U.S. attorneys across the country need to know whether to prosecute. Because of the criminal aspect, I predict a 9-0 vote siding with the reasoning of the 4th and 9th Circuits. If an employee may end up in the penitentiary, the legal prohibition must be clear, not open to differing interpretations.
In the meantime, if an employer wants to go to federal court in Texas, the CFAA is its ticket, but it should be sure to attach on supplemental state claims. The ticket won’t last much longer. As my mother told me when I disputed some chore she gave me, “Don’t make a federal case of it.” True with ma; true with the CFAA.