Computer Law: 'Unauthorized Access' Under Computer Fraud, Abuse Act


April 08, 2008

Although the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq., was enacted almost 25 years ago, some of its provisions still remain open to varying interpretation. Consequently, a fair amount of litigation has resulted and courts continue to decide how the statute applies to new factual scenarios in a rapidly and ever-changing computerized world.

Over the past several years, the issue of what constitutes "unauthorized access" under the statute, particularly as it relates to employer-employee relationships, has increasingly come under the judicial microscope, resulting in two distinct approaches in the federal courts.

This article will review the CFAA generally and discuss a number of recent federal court decisions that have grappled with defining unauthorized access as it relates to employee use of a company's proprietary data and whether and under what circumstances such access might violate the act.

In General
Among other things, the CFAA prohibits accessing a computer and obtaining information "without authorization" or by "exceeding authorized access." The statute lists many different types of criminal "hacking" conduct punishable by fines or imprisonment. In relevant part, §1030(a)(2)(C) provides: "[Whoever] intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains...information from any protected computer if the conduct involved an interstate or foreign communication...shall be punished," and in related statutory language, §1030(a)(4) prohibits similar behavior with an intent to defraud.

Although principally a criminal statute, the CFAA also provides for a private civil right of action, allowing for awards of damages and injunctive relief in favor of any person who suffers a loss due to a violation of the act.1 Most notably, the CFAA has been used increasingly in civil suits by employers to sue former employees and their new companies for misappropriation of information from the employer's computer system, beyond the standard state causes of action for trade secret misappropriation and breach of contract. Generally speaking, the employers' theory of liability is agency-related, namely, that an employee is only authorized to use company computers for purposes of conducting company business, and as such, computer access for a competitor's benefit is "unauthorized."

While passwords and other electronic means can limit the unauthorized dissemination of some confidential information in the employment arena, an employee who has not yet announced his or her departure is still able to access confidential information, ostensibly to perform work-related tasks. The employee can then easily transfer data onto an external memory device or send it to a personal account via e-mail, before leaving the company. Accordingly, with the availability of civil remedies and an entrée into federal court, employers have increasingly advanced CFAA claims, in addition to standard state causes of action for misappropriation and breach of contract. Many of these companies have aggressively pursued former employees and their newly formed enterprises that seek a competitive edge through the allegedly wrongful use of business information and trade secrets obtained from their former employer's computer system.

Although §1030(e)(6) of the statute defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," the phrase "without authorization" is not defined by the CFAA. As a result, courts have split on the question of whether an employee with an improper purpose may be held civilly liable under the CFAA for acquiring computer information otherwise permitted to the employee in advance of his employment.

On the one hand, several courts, applying the principle that "[t]he authority of an agent terminates if, without knowledge of the principal, he acquires adverse interest...." Restatement (Second) of Agency §112 (1958), have found a CFAA violation in such a circumstance. But other courts have opted for a narrower view, holding that the phrase "without authorization" generally only reaches conduct by outsiders who do not have permission to access the plaintiff's computer in the first place. See Diamond Power Int'l Inc. v. Davidson, 2007 U.S. Dist. LEXIS 73032 at *46 (N.D. Ga. Oct. 1, 2007).

Expansive View
Recent decisions from the U.S. Court of Appeals for the Seventh Circuit serve as good examples of the application of agency principles to defining unauthorized access. In International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), a departing employee transferred a secure-erase program to an employer-supplied laptop in order to securely delete the employer's data from the laptop. The appeals court held that the defendant violated the CFAA's "without authorization" provisions because his authorization to access the laptop terminated when, having already engaged in misconduct in violation of his employment contract, he resolved to destroy files that were the property of his employer in violation of the duty of loyalty that agency law imposes on an employee. Id. at 420-421.2 Noting that the difference between "without authorization" and "exceeding authorized access" is "paper thin," the court, relying in part on the Restatement of Agency, further emphasized that once an employee violates his duty of loyalty to his employer any authorized access is withdrawn.

Several months after Citrin, a district court within the Seventh Circuit, in Forge Industrial Staffing Inc. v. De La Fuente, 2006 U.S. Dist. LEXIS 75286 (N.D. Ill. Oct. 16, 2006), addressed the unauthorized access issue in a factually similar situation. In Forge Industrial, the court found an employee's intentional deletion of data and files from his company computer to be actionable conduct under the CFAA. In following Citrin, the court ruled that the employee's access was unauthorized under the CFAA because his authorization ceased when he engaged in the alleged conduct which could constitute a breach of his duty of loyalty to the company. Id. at *15-18.

Similarly, a case decided earlier this year presented the departing disloyal employee scenario, but with a twist. While the Citrin court relied upon the employee's breach of a general duty of loyalty to the employer, the court in Modis Inc. v. Bardelli, 2008 U.S. Dist. LEXIS 4227 (D. Conn. Jan. 22, 2008), relied upon the specific language of the employee's agreement with the employer.3 The court held that a departing employee's access to her employer's data exceeded her authorized access because she had been subject to an employment agreement that limited database use to access "in furtherance of [the employer's] business." Id. at *9.

Narrow View
Courts that distinguish Citrin and take a stricter position regarding what constitutes unauthorized access seemingly rely on a more "plain meaning approach" to the statute. The common thread running through the Citrin line of cases is a focus on the employee's motive for accessing a computer and his or her intended use of the information obtained. Courts espousing a narrower view have held that other courts have misinterpreted Congress' intent, misreading the statute as if the text read "exceeds authorized use" instead of "exceeds authorized access." Instead, these "narrow" courts have reasoned that the legislative history confirms that the CFAA was intended to prohibit electronic trespassing and hacking by outsiders, not the subsequent use or misuse of information by those authorized in the first place.

Furthermore, courts have distinguished Citrin on both legal and factual grounds. Arguably, Citrin is legally distinguishable because it involved a different subsection of the CFAA. In Citrin, an employer brought a claim under §1030(a)(5)(A)(i) against an employee who permanently deleted all the data on a laptop using an external program after resigning. That CFAA section prohibits "intentionally [causing] damage without authorization," while many other cases have involved §§1030(a)(2), (4), and (5)(A)(iii), which define violations in terms of accessing a protected computer without authorization. Factually, in most of the employer-employee CFAA cases, the claims involve wrongful use of company data, as opposed to the destruction of data that occurred in Citrin.

Among the first courts to address the statutory provisions in a "narrow" manner was a federal district court in Florida. In Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108 (M.D. Fla. Aug. 1, 2006), the court held that departing employees who downloaded trade secret information from an employer's computer network were not civilly liable under the CFAA. The court granted the employees' motion to dismiss the employer's CFAA claims because the employer was unable to show that the employees either accessed the information "without authorization," or that they "exceeded authorized access." Rejecting the Restatement of Agency analysis, the Lockheed Martin court reasoned that because the employer permitted the employees to have access to its computer network, their access was "not without authorization" and that because the employer permitted them to have access to the trade secret information at issue, they did not exceed their authorized access. Id. at *11-25.

Similarly, in Diamond Power Int'l Inc. v. Davidson, 2007 U.S. Dist. LEXIS 73032 (N.D. Ga. Oct. 1, 2007), the court ruled that a departing employee, who copied proprietary files while still having full access to his employer's protected computer databases, did not access information "without authorization" or otherwise "exceed authorized access" under the CFAA. The court further noted that interpreting the phrase "without authorization" by defining authorization based upon the use of the computer information, rather than upon the presence or absence of initial permission to access the computer, is inconsistent with a plain reading of the act. Id. at **47.

At least two district courts seemingly have adopted the narrow view set forth in Lockheed Martin. In B&B Microscopes v. Armogida, 2007 U.S. Dist. LEXIS 70978 (W.D. Pa. Sept. 25, 2007), the court determined that a departing employee, who deleted his employer's files while still having full access to his employer's computers, did not "exceed authorized access" under the CFAA, yet was still liable for "unauthorized damage" to a computer under the act.4 The court granted summary judgment to the employer on its CFAA and related state claims, concluding that the employee is liable under the CFAA for causing "unauthorized damage" to a protected computer for deleting the employer's business files. Notably, however, the court found that the employee could not be liable under the CFAA based upon a theory of "unauthorized access" because the defendant had authorization to use the company laptop.

Most recently, the Arizona district court, in Shamrock Foods Company v. Gast, 2008 U.S. Dist. LEXIS 15329 (D. Ariz. Feb. 20, 2008), ruled that a departing employee, who copied proprietary files while still having full access to his employer's protected computer databases, did not access information "without authorization" or otherwise "exceed authorized access" under the CFAA. In granting the defendant's motion to dismiss the CFAA claims, the court found that the employee could not be liable under the CFAA where initial access to the company computers was permitted and the employee's level of authorized access included permission to obtain the specific data in question. Id. at *6-17.

Conclusion
As the Florida district court in Lockheed Martin Corp. v. Speed said, the expansive view of the Seventh Circuit "has its allure -- it gets all of the wrongful accessers. Yet if that was the intent of Congress, why would it bother with 'authorization' at all?" Lockheed Martin, 2006 U.S. Dist. LEXIS 53108 at *20. Thus, the varying interpretations of unauthorized access under the CFAA will continue to be litigated until the Supreme Court resolves the issue or Congress clarifies the statute.
-----------------------------
1. 18 U.S.C. §1030(g); I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys. Inc., 307 F. Supp. 2d 521, 526 (S.D.N.Y. 2004) (stating that §1030(g) affords civil action for any violation of CFAA).
2. See also Shurgard Storage Centers Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (employer stated claim under CFAA against employee who had "full access" to employer's computers but allegedly misappropriated trade secrets for benefit of competitor); EF Cultural Travel BV v. Explorica Inc., 318 F.3d 58 (1st Cir. 2003) (plaintiff likely to prove unauthorized access based on confidentiality agreement between the ex-employee and the plaintiff because the ex-employee's conduct seemed to rely on information about the employer to which he was privy solely due to his employment with the company).
3. See also Hewlett-Packard Co. v. Byd:Sign Inc., 2007 U.S. Dist. LEXIS 5323 (E.D. Tex. Jan. 25, 2007) (employer's company policies prohibited employees not only from disclosing information, but also from sending or accessing data on the computer systems for personal gain; court concluded that the employer alleged "actual access without or in excess of authorization," enough to defeat the defendants' motion to dismiss); Dudick v. Vaccarro, 2007 U.S. Dist. LEXIS 45953 (M.D. Pa. June 25, 2007) (allowing a CFAA cause of action in an employee misappropriation case).
4. See also Brett Senior & Assoc. v. Fitzgerald, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007) (departing employee who copied client files while still having full access to his employer's computers did not "exceed authorized access" under the CFAA, despite the defendant's alleged breach of company policy).
