July 30, 2012

Court Narrows CFAA

By Mark Wiletsky

In today’s digitized workplace, it is easier than ever for employees to steal information.  Whether through a thumb drive, external hard drive, e-mail, or other means, employees can easily transfer reams of information in mere seconds, often without detection until it is too late.  Because such information is often incredibly valuable–and potentially harmful when improperly used by a competitor or another–organizations sometimes are forced to sue an employee and/or the employee's new employer for misappropriating such information.  At times, law enforcement may be involved.  But often, it is up to the employer to initiate a civil action.

Although a variety of claims may be asserted in such circumstances, employers sometimes turned to the Computer Fraud and Abuse Act (or CFAA) for relief.  The CFAA is a federal statute that provides civil and criminal penalties when an employee, among other things, intentionally accesses a computer without authorization, or exceeds authorized access to a computer and obtains anything of value or causes damage.  On its face, the statute appears to prohibit an employee from using his or her access to a computer to misappropriate his employer’s trade secrets or other confidential information.  A recent decision by the Fourth Circuit Court of Appeals, however, concluded otherwise. 

In WEC Carolina Energy Solutions LLC v. Miller, the employee (Miller) allegedly downloaded WEC’s proprietary information, at the direction of a competitor, and then used the information to help the competitor solicit a customer.  WEC sued Miller under a variety of theories, including conversion, tortious interference with contractual relations, civil conspiracy, misappropriation of trade secrets—and violation of the CFAA.  The district court dismissed the CFAA claim and remanded the remaining claims to state court.  On appeal, the Fourth Circuit affirmed the dismissal of the CFAA claim.

Because the CFAA contains criminal penalties, the Fourth Circuit adopted a narrow interpretation of the CFAA.  It distinguished situations in which an employee exceeds his access to information—which may violate the CFAA—from those in which the employee merely uses his authorized access to misappropriate information.  For example, an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval” and he “‘exceeds authorized access’ when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”  In WEC, the court concluded that Miller had authorization to access to the information at issue, despite WEC’s policies preventing the improper use of such information.  Thus, even though Miller had no authority to download and/or transfer it for another’s use, he was not liable under the CFAA.  The court noted that a contrary interpretation could result in criminalizing otherwise innocent conduct, such as when an employee violates a policy against downloading information so that he can work at home.

Interestingly, the Fourth Circuit sided with the Ninth Circuit on this issue, adding to the Circuit split.  The Seventh Circuit previously reached a contrary result.  It held that an employee may be liable under the CFAA when he accesses a computer or information on a computer in a way that is adverse to his employer, as doing so terminates his agency relationship and any authority he otherwise has to access such information.  Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). 

The Fourth Circuit’s narrow interpretation of the CFAA, if adopted by other courts or, eventually, by the Supreme Court, is disappointing to those who seek to hold rogue employees accountable for misappropriating confidential or proprietary information.  The CFAA allows employers access to federal courts in these types of situations, which at times may be the preferred venue, and contains other stiff penalties.  Still, and as noted in WEC, employers have other options at their disposal, including a variety of state law claims that can be very effective. 

Practical Tips 

Even though the Fourth Circuit held that Miller did not violate the CFAA by his actions, it is a good idea to review and potentially update your computer use policies, especially if you have not done so in a while.  Technology changes so rapidly that policies may be out-of-date soon after they are issued.  At a minimum, be clear about the confidential and sensitive nature of information available on your systems, and permissible uses of such systems.  If employees have limited access to certain databases or areas, be sure to emphasize such limitations and the potential penalties for violating those limitations.  Also, don’t forget to remind employees that they have no expectation of privacy when using or accessing your organization’s computer resources.  You may not always be able to prevent an employee from misappropriating confidential or proprietary information, but strong policies and practices are a good deterrent and a strong tool to use if you have to sue an individual who engaged in such conduct.