CFAA Does Not Bar Misappropriation when Employee Authorized

Thursday, September 27, 2012

David Navetta


Fourth Circuit Holds CFAA Does Not Bar Employee's Misappropriation of Business Information When Employee Was Authorized to Access Information Initially

The Fourth Circuit recently joined the Ninth Circuit in concluding that the Computer Fraud and Abuse Act (“CFAA”) does not permit a civil claim by an employer against a former employee for misappropriating information that the employee was initially allowed to access.  See WEC Carolina Energy Solutions LLC v. Miller, No. 11-1201, 2012 WL 3039213 (4th Cir. July 26, 2012).

In contrast, the CFAA only permits claims for accessing a protected computer “without authorization” and that a person “exceeds authorized access” “only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”

The WEC case arose from the departure of one of WEC’s employees who joined a competitor.  While at WEC, the employee had broad access to confidential and trade secret documents stored on WEC’s computers.  WEC’s policies prohibited its employees from using WEC’s information without authorization or downloading it to a personal computer.

According to WEC, before the employee resigned, he downloaded a “substantial number of WEC’s confidential documents.” Shortly after quitting WEC’s employ, he made a presentation on behalf of his new employer to a potential WEC customer, ultimately securing the new business.  

WEC then sued the former employee, alleging a CFAA violation and nine state-law causes of action.  (WEC also sued the new employer and the employee’s assistant, but for ease of reference, we will focus on employee only).

WEC alleged that the employee was not permitted to download confidential information to a personal computer and, by doing so, breached his fiduciary duties to WEC; and, accordingly, either lost all access to the confidential information or exceeded his authorization.  

The employee then moved to dismiss, claiming that WEC’s policies regulated use of information, not access to that information; and that even if his purpose was improper, it would not establish a violation of the CFAA, which focuses on access.  The Fourth Circuit agreed.

In dismissing the CFAA claim, the Fourth Circuit joined the Ninth Circuit’s April 2012 en banc decision in U.S. v. Nosal, which we wrote about earlier this year. As noted in our prior post, the Fifth, Seventh, and Eleventh Circuits have taken an opposing view regarding CFAA claims.  

The Fourth Circuit briefly described the split of authority: 

"[T]wo schools of thought exist. The first, promulgated by the Seventh Circuit and advanced by WEC here, holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his ‘breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.’"   "The second, articulated by the Ninth Circuit and followed by the district court here, interprets ‘without authorization’ and ‘exceeds authorized access’ literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission.  Thus . . . the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded."

WEC Slip Op., at 6-7 (internal citations omitted).   The Fourth Circuit agreed with the Ninth Circuit’s narrow view and explicitly rejected the Seventh Circuit’s cessation-of-agency theory, criticizing it as having “far-reaching effects unintended by Congress.” Following the Seventh Circuit’s logic to the limits, the WEC panel cited the possibility of an employee viewing Facebook in contravention of the employer’s computer use policy, and thereby being subject to the instantaneous cessation of his agency.  The court anticipated criticism of its opinion, explaining that WEC’s allegation of nine state-law causes of action demonstrates that an employer is not without a remedy for an employee’s misappropriation of confidential information.   The WEC case further deepens the rift between the circuits regarding the interpretation of the CFAA, suggesting that the Supreme Court may need to resolve the issue in the future.  Employers should monitor the situation and beware that they may not be able to rely on a CFAA cause of action if an employee steals confidential business information.  But as the court recognized, state law may provide a remedy in such a case.

Cross-posted from InfoLawGroup

Possibly Related Articles:
Enterprise Security
General Legal
Legal Compliance Insider Threats Access Control Employees Lawsuit Computer Fraud and Abuse Act Courts
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.