As I have previously written, several courts have allowed employers to assert claims against former employees under the Computer Fraud & Abuse Act (CFAA), 18 U.S.C. § 1030. That statute, which was originally enacted to combat computer hackers, imposes civil and criminal penalties when someone accesses a person’s computer “without authorization” or in excess of “authorized access.” It is a favorite of employers because it provides federal court jurisdiction and potentially exposes employees to criminal penalties.
Courts allowing a CFAA claim against disloyal employees have reasoned that, when a soon-to-be former employee accesses company information for his or her personal gain (or to benefit his or her soon-to-be new employer), any rights that person had to access the information ended, so that the access is “without authorization or exceeds authorized access,” thereby giving rise to liability under the CFAA. This has been described as the “broad” view of CFAA liability.
However, other courts have adopted a “narrow” view of the statute and rejected claims on virtually identical facts, reasoning that, if a person has a right to access certain documents, that access, even for improper reasons, is not “without authorization or exceeding authorized access” and thus cannot support a claim under the CFAA.
The Fourth Circuit (which covers Maryland, North Carolina, South Carolina, Virginia, and West Virginia) recently adopted a “narrow” interpretation and held that the CFAA could not be used against the disloyal former employee. WEC Carolina Energy Solutions, Inc. v. Miller, 687 F.3d 199 (4th Cir. 2012).
The Miller facts are typical of these types of cases: when Miller worked for his former employer (WEC), it provided him a laptop and allowed him to access confidential company documents stored on company servers, including pricing terms, projects and technical capabilities. WEC had a policy that prohibited using the information without authorization or downloading it to a personal computer, but it did not restrict access to the information.
WEC alleged that, just prior to resigning his position with WEC, Miller emailed confidential information to his personal email address. (Another way in which documents are often purloined is via flash drive; indeed, there’s even a handy step-by-step process on the Internet). It alleged that Miller then left WEC, joined a competitor and, just 20 days after leaving WEC, used the WEC information to make a successful presentation to a client on behalf of his new employer.
WEC sued Miller, alleging that, when he sent the confidential information to his personal email address, this was in violation of his duties to WEC and, as a result, his conduct was “without authorization” or exceeded authorization.
After surveying the split in the courts (the First, Fifth, and Seventh Circuits and several districts have adopted the “broad” view while the narrow view has been adopted by the Ninth Circuit and several other district courts), the Fourth Circuit joined the Ninth Circuit in adopting a narrow view (undoubtedly a result that has not occurred very often!).
According to the court, an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” The employee “exceeds authorized access,” the court held, “when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”
Because Miller had permission to access to the material, and did not obtain or alter information outside the scope of his approved access, the Miller court held that he had not accessed the information “without authorization” or in excess of “authorized access.” Although Miller’s use of the information was improper, that did not give rise to liability under the CFAA, the court held, because the statute prohibits unauthorized “access,” not improper “use.”
The court recognized that its decision would remove an important weapon often deployed by employers against disloyal employees:
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.
For employers who are in the Fourth Circuit (or, for that matter, the Ninth Circuit), all is not lost. They still likely have claims against disloyal employees for misappropriation of trade secrets, conversion or tortious interference. And state statutes, like the Virginia Computer Crimes Act, might provide a remedy. Finally, given the burgeoning circuit split, it is inevitable that the Supreme Court will have to weigh in and, when it does, it could adopt the broader interpretation.