A recent opinion from the Ninth Circuit Court of Appeals (PDF) confirms that the Computer Fraud and Abuse Act (essentially a federal computer hacking statute) continues to be a significant resource for employers to protect against the loss and damage of mission critical information due to departing or rogue employees.
To add the Computer Fraud and Abuse Act (“CFAA”) to your tool-box, however, requires careful planning and potentially retooling your company’s computer use policy.
This is because in the context of the employment relationship, a violation of the statute turns on whether an individual “intentionally accesses a computer without authorization” or ”exceeds authorized access” 18 U.S.C § 1030(e)(6). The CFAA defines “exceeds authorized access” as accessing a “… computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The CFAA does not define the phrase “without authorization” and courts have reached conflicting interpretations as to both of these phrases when it comes to the employment relationship.
Acting adversely to Employer’s Interest May Trigger Computer Fraud and Abuse Act Violation
Some Courts take an employer friendly approach and recognize that “unauthorized” or “exceeding authorized” access” is established if an employee accesses the employer’s computer for a purpose adverse to the employer’s interests, i.e., violates a duty of loyalty. A common fact pattern in these cases involves an employee obtaining company or proprietary information from the employer’s computers for use in a competing venture or on behalf of a competitor. Such action has been found to establish “without authorization” or “exceeding authorization” under the Computer Fraud and Abuse Act. See International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, (7th Cir. 2006) reversing dismissal of CFAA claims where employee went into business for himself and used “scrubbing” software to delete all of the files on his company-issued computer).
The Computer Fraud and Abuse Act is concerned with access, not subsequent use or misuse of information.
Another line of decisions distinguish between “exceeds authorized access’ and “exceeds authorized use.” What this boils down to is that employees are not acting “without authorization” in accessing company information when they have “permission to use” a company network even if that employee later misuses that information, e.g., to improperly compete against the former employer. See LVRC Holdings LLC v. Brekka (2009). This concept was explained in the case of U.S. v. Aleynikov (2010) where a New York Federal District Court dismissed claims against an employee and overturned his conviction under the CFAA for copying and removing software trading codes. The court reasoned that the statute should be restricted to prohibiting people from “hacking” into a computer system, not the subsequent use or misuse of information.
Violation of Computer Fraud and Abuse Act occurs when an employer’s express limitations for accessing company information are violated.
A third line of cases focus on an employer’s express limitations as to accessing company data/networks. An employee accessing the employer’s computer in excess of the express limitations violates the employer’s access restrictions, which may include the use of the computer or of the information contained in that computer. This situation was illustrated in the recent Ninth Circuit’s Opinion in U.S. v. Nosal (2011) (PDF), which concluded:
as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.
Take away for Employers
Certainly there is a robust debate as to how the Computer Fraud and Abuse Act should, if at all, be applied to the employer/employee relationship. But there are important steps employers should take to improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition.
The most important step is to review the employer’s computer use policy and what it restricts. If an employer lacks a computer use policy or it is deficient, then the employer will likely be left to rely upon Citrin and the line of cases where liability under the CFAA depends upon a violation of a “duty of loyalty.”
But if you ask me, the reasoning in Citrin and similar cases is inherently unworkable. This is because it overlooks that an employee’s authorization to access a particular document on the same computer may change throughout his or her employment (It pains me to say that Citrin got it wrong because it was authored by the venerable Richard Posner, a judge on the Seventh Circuit Court of Appeals and a favorite jurist of mine).
For example, an employee’s access rights to particular information would change if the employee began looking for employment. And in pursuing alternative employment if an employee accessed such information to assist in the job search – i.e., refreshing the employee’s memory about accomplishments or better describe skills and abilities on a resume or in an interview. Under Citrin, a violation of the CFAA arguably occurred because there was access for reasons adverse to the employer and thereby access without authorization. But if that same employee decided not to seek outside employment and accessed the same information for work related reasons, the employee’s interests would again be aligned with the employer and, therefore, access would be authorized.
The better strategy is to make sure the computer use policy expressly restricts employees from using, copying, and accessing any information on the company’s computer systems for personal gain. Such a provision allows employers to argue that any access for personal gain is without authorization and thereby keep in play the Computer Fraud and Abuse Act claims without having to resort to Citrin’s duty of loyalty reasoning.