Circuits Split Over Application of Computer Fraud Law

Ever since John McCain's aides tattled on her after the 2008 election, Sarah Palin has tried to make "going rogue" something to be admired. But the issue of "rogue workers," or employees using company assets to advance their own agendas, is something no employer wants to be associated with.

Now in its decision in LVRC v. Brekka, the 9th Circuit has made life even more difficult for companies that believe an employee used digital company material for noncompany purposes.

The case pitted LVRC Holdings, a Nevada-based residential treatment center for addicts, against Christopher Brekka, whom the company hired for Internet-related marketing activities for the company. Brekka lived in Florida and owned two businesses in Florida and Nevada that engaged in work similar to his work at LVRC. After he obtained an administrative log-in for LVRC's Web site, Brekka had access to company material on the computer that he used at LVRC headquarters. He e-mailed some of this material to his and his wife's personal e-mail addresses.

Brekka had been in negotiations to purchase an ownership stake in LVRC, but negotiations broke down and he left the company. Believing that Brekka had accessed company information after leaving, LVRC sued him, alleging civil violations of the Computer Fraud and Abuse Act of 1984 (CFAA) while he was an employee and afterward.

Judge Sandra Ikuta, writing for the three-judge 9th Circuit panel, upheld on Sept. 15 a federal district court's summary judgment in Brekka's favor. Both courts found Brekka was an employee of LVRC who had company authorization to access the information he e-mailed to himself and his wife. The district court ruled that LVRC had presented no evidence that could
reasonably demonstrate to a jury that Brekka had obtained company information after he left the firm.

"Certainly in the 9th Circuit, it makes it more difficult for employers to use the act to defend against rogue employees who download material before leaving employment and use it for nonbusiness purposes," says David Enzminger, a partner at O'Melveny & Myers.

Employers view CFAA, a criminal statute with a private right of action, as a supplement to state laws against theft of trade secrets, Enzminger says. A trade secrets case requires proof that the company had made reasonable efforts to keep proprietary information secret and that the information had value because it was secret. Congress aimed CFAA at computer hackers operating outside the company, but it provides employers with a potential weapon when cases don't meet the requirements of trade secret laws.

"You don't have to prove it was valuable; you don't have to prove it was a secret," Enzminger says.

Citrin Conflict

But under terms of CFAA, an employer does have to prove that an employee was unauthorized to download the information or exceeded authorization, the 9th Circuit ruled, and LVRC had no employee policy prohibiting Brekka from e-mailing company material to himself. "In this case, there is no dispute that Brekka had permission to access the computer; indeed, his job required him to use the computer," Judge Ikuta wrote.

In discussing the concept of "authorization" in CFAA, the 9th Circuit expressly declined to follow guidance the 7th Circuit outlined in International Airport Centers v. Citrin, which considered the motivation of the employee. Citrin concerned a disloyal employee of International Airport Centers (IAC) who decided to go into business for himself. Before he quit IAC, he deleted company material from his laptop, including evidence of his improper behavior as an employee. IAC sued under CFAA.

The 7th Circuit, in an opinion authored by Judge Richard Posner, held that the employee's authorized access to a company computer, as defined by CFAA, was automatically voided when his actions violated his common law duties to loyal service as an agent of the company.

Setting Posner's ruling aside, the 9th Circuit held in Brekka that "authorization depends on whether the employee had permission to access the computer or computerized data, rather than why he was accessing it or how he used it," says Christine Lyon, a partner at Morrison & Foerster.


Policy Provisions

Robert Fischer, a partner at Jackson Lewis, believes Posner got it right in Citrin and that the conflict between the two circuits bears watching. "There is no question there is a conflict," he said. "Citrin says that once you're disloyal, you have ended the basis on which you gained access, which makes sense."

But whether or not the Supreme Court resolves the circuit conflict over employee intent (see "Loyalty Language"), clear internal policies are vital.

"Brekka underscores the importance of technology-use policies that clearly define the purposes for which the employer's computer and communications facilities may and may not be used," says Charles Kennedy, of counsel at Morrison & Foerster. Fischer recommends translating the Citrin duty of loyalty standard into the company policy.

"Employees should be specifically prevented from using computers or any other employer equipment for any purpose other than their good faith, loyal work for the employer," he says.

Bill Barnhart

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.