Courts Increasingly Split On Whether Computer Fraud & Abuse Act Applies To Disloyal EmployeesLeslie Paul Machado
July 9, 2010 — 1,431 views
Originally enacted to combat hackers, the Computer Fraud & Abuse Act, 18 U.S.C. § 1030, et seq. (“CFAA”), is increasingly being asserted by employers against disloyal employees who were authorized to use a company computer, but accessed that computer to serve interests adverse to the company. Because a viable CFAA claim allows a plaintiff to bring the suit in federal court and increases the defendant’s exposure (because the CFAA is primarily a criminal statute with corresponding criminal penalties), it is important that employment attorneys are familiar with the law in this developing area. This article provides a brief background of the CFAA and highlights those courts that have endorsed – and those that have rejected – a CFAA claim against a disloyal employee.
The CFAA was passed by Congress in 1984 to combat hackers who accessed computers to steal information, as well as criminals who possessed the capacity to “access and control high technology processes vital to our everyday lives.” H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 16, 1984). It provides that, whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value” shall be punished. 18 U.S.C. § 1030(a)(4) (emphasis added). The CFAA carries the potential of criminal penalties and fines. 18 U.S.C. § 1030(c).
The statute also allows a private cause of action, providing that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). The CFAA has a two-year statue of limitations and requires a private party plaintiff to show that it suffered a “loss” of at least $5000 from the intrusion. “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
Courts Allowing a CFAA Claim
An attorney intending to assert a CFAA claim against a disloyal employee will rely upon Intl. Airport Ctrs. LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), and other decisions following its reasoning. In Citrin, the employer loaned its employee a laptop to record data he collected in the course of his work. When the employee decided to open a rival company, he used the information on his laptop to benefit his new company.
The Citrin court held that, when the employee decided to act in his own interests instead of his employer’s interests, his “authority to access the laptop” ended “because the only basis of his authority had been that relationship.” Id. at 420-21. As such, the court held, he was “without authorization” as defined by the statute and the claim under the CFAA was proper. Id.
Numerous other courts have adopted Citrin’s reasoning. See, e.g., Boxes of St. Louis, Inc. v. Davolt, 2010 U.S. Dist. LEXIS 12482, *8 (E.D. Mo. Feb. 12, 2010) (rejecting defendants’ argument that CFAA does not apply to rogue employees who were granted access to employer’s computer network, but exceeded authorized use to download files to compete with employer); Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing & Consulting, LLC, 2009 U.S. Dist. LEXIS 99535, *13-14 (E.D. Mo. Oct. 26, 2009) (holding that CFAA claim was cognizable against former employees who used access to computer network to download files and compete with employer); Ervin & Smith Adver. & Pub. Rels., Inc. v. Ervin, 2009 U.S. Dist. LEXIS 8096, *22-23 (D. Neb. Feb. 3, 2009) (“This Court concludes that while the Defendants ordinarily may have been authorized to access the information they appropriated from Plaintiff, that authorization was terminated when Defendants destroyed the agency relationship by accessing and appropriating the protected information for their own personal gain and against the interest of their employer”); Nilfisk-Advance, Inc. v. Mitchell, 2006 U.S. Dist. LEXIS 21993, *6-7 (W.D. Ark. Mar. 28, 2006) (holding that plaintiff stated a CFAA claim where it alleged that the employee “exceeded any authorization he had when he e-mailed the files to his personal computer with alleged purpose of misappropriating the information contained in them”).
Courts Rejecting a CFAA Claim
An attorney representing an employee against whom a CFAA claim has been asserted can argue that the claim should be dismissed because the employee’s access was “authorized” when the employer gave him/her access to the network. The leading case rejecting a CFAA claim is LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where the employee e-mailed confidential company documents to his personal email account and used that information to compete with his employer. The court rejected the employer’s argument (and the Citrin court’s reasoning) “that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s intent.” Id. at 1133. Rather, it explained:
when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or “without authorization.” Id.
Similarly, in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008), an employee e-mailed numerous documents to his personal email account containing his employer’s confidential and proprietary information. He then began working for a competitor, using his former employer’s information. The court held that the employee could not have been “without authorization” when he accessed the confidential information because the employer had given him authorization to the files during his employment. Id. at 967.
Numerous other decisions hold that an employee is not “without authorization” when he/she was originally given authorization to access company information, even if the employee abuses that access to compete with the employer:
• Orbit One Communications, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 386 (S.D.N.Y. 2010) (“Numerex asserts that Ronsen, Rosenzweig, and Naden took its electronic proprietary information ‘prior to leaving the company’ for the purpose of competing with Numerex. As Numerex’s executives, they concededly were granted unfettered access to Numerex’s computer system and information residing on it. In consequence, Numerex has failed to adduce any evidence that they accessed its computer system without authorization or exceeded their authorized access in violation of the CFAA”).
• Consulting Professional Resources, Inc. v. Concise Tech. LLC, 2010 U.S. Dist. LEXIS 32573, *18 (W.D. Pa. March 9, 2010) (“While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer”).
• Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 2010 U.S. Dist. LEXIS 19876, *9 (M.D. Ala. March 5, 2010) (“Because the seven employees who resigned had valid permission to utilize the Bell Aerospace computers, they were acting with authorization when they accessed the computers up until the time they each were escorted from the facility”).
• Remedpar, Inc. v. Allparts Medical, LLC, 683 F. Supp. 2d 605, 613 (M.D. Tenn. 2010) (granting motion to dismiss CFAA count because the Complaint made “it clear that Camacho was authorized to access all aspects of the ROCS application while he was engaged by RMP. RMP complains, not that Comacho went beyond his authorization to access information he was not entitled to see, but that he subsequently misused that information by sharing it with Allparts”).
• U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1191-92 (D. Kan. 2009) (agreeing with defendants that “in committing the allegedly wrongful acts – obtaining confidential information on their work computers, e-mailing it to their personal emails, and later disclosing it to their new employer – they did not access plaintiffs’ computers without authorization . . . because they were authorized to access that particular information in their employment with plaintiffs”).
• Condux Int’l, Inc. v. Haugum, 2008 U.S. Dist. LEXIS 100949, *14 (D. Minn. Dec. 15, 2008) (holding that a company could not assert a CFAA claim against an employee who used his authorized access to transfer information to a competitor because the statute focuses on whether the employee “was permitted to access the information in the first place” and not “what the defendant did with the information after he accessed it”).
• Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108, *11-25 (M.D. Fla. Aug. 1, 2006) (holding that an employee who has been granted authorization to view certain materials cannot be considered unauthorized when he formulates an intent contrary to his employer).
Ultimately, the split among the courts will have to be resolved by the Supreme Court or Congress. Until then, attorneys representing both employers and employees should continue to monitor developments in this interesting area.
The author, Leslie Paul Machado, can be reached at 202.659.6736 or [email protected].
Leslie Paul Machado
Mr. Machado concentrates his practice on employment litigation/counseling, media and communications, insurance coverage and litigation and complex/commercial litigation matters.