Consider the following situation: An employee decides to leave a company in order to compete against it. Before announcing his departure, he copies confidential company information from company computers and then destroys the records. The next day, he announces his resignation.
Sadly, scenarios such as that described above occur regularly. Typically, an employer can assert any number of state law claims in an effort to remedy such misconduct. An often overlooked cause of action, however, is one under the federal Computer Fraud and Abuse Act (CFAA). Although primarily a criminal statute, the CFAA does provide for civil liability, giving the business another arrow in its quiver.
The 7th Circuit held in 2006 that the turncoat employee’s breach of his duty of loyalty ends his agency relationship with the company and its corresponding authorization to access the company computers. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 421 (7th Cir.). Subsequently, the 9th Circuit held that a person uses a computer “without authorization” only when “the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009).
The 9th Circuit believes that “authorization” should be given its ordinary meaning (essentially, “permission”) because the CFAA does not define it. Id. at 1132-33. Nothing in the CFAA suggests that such permission disappears merely because an employee breaches a state law duty of loyalty to the employer. Id. at 1135. The criminal nature of the CFAA further suggests that under the rule of lenity, any ambiguity should be resolved in favor of the defendant. Id.