Consider the following situation: An employee decides to leave a company in order to compete against it. Before announcing his departure, he copies confidential company information from company computers and then destroys the records. The next day, he announces his resignation.
Sadly, scenarios such as that described above occur regularly. Typically, an employer can assert any number of state law claims in an effort to remedy such misconduct. An often overlooked cause of action, however, is one under the federal Computer Fraud and Abuse Act (CFAA). Although primarily a criminal statute, the CFAA does provide for civil liability, giving the business another arrow in its quiver.
An interesting question has developed in such cases: Is the employee acting “without authorization” for purposes of the CFAA? The answer may depend upon the court in which the case is brought. For example, according to the 7th Circuit, the disloyal employee loses his status as an agent when he decides to turn on the company, thereby rendering any subsequent access of company computers “without authorization.” Conversely, the 9th Circuit narrowly construes the CFAA to find that employees who have had permission to access company computers do not lose that permission by becoming turncoats.
The CFAA, 18 U.S.C. §1030, makes criminal assorted acts with respect to “protected computers” that individuals access “without authorization” or while “exceeding authorized access.” For example, Section 1030(a)(2)(C) states that “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer shall be punished as provided in subsection (c) of this section.” Section 1030(g) provides for a civil action by any person who suffers “damage” due to particular CFAA violations.
The CFAA can be used to gain subject matter jurisdiction in federal court, which many businesses find preferable to state court. A potential hurdle, however, is whether an employee’s misconduct is “without authorization” when it occurs while he is still employed and is accessing the type of information he routinely accessed in performing his job duties.
The 7th Circuit held in 2006 that the turncoat employee’s breach of his duty of loyalty ends his agency relationship with the company and its corresponding authorization to access the company computers. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 421 (7th Cir.). Subsequently, the 9th Circuit held that a person uses a computer “without authorization” only when “the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009).
The 9th Circuit believes that “authorization” should be given its ordinary meaning (essentially, “permission”) because the CFAA does not define it. Id. at 1132-33. Nothing in the CFAA suggests that such permission disappears merely because an employee breaches a state law duty of loyalty to the employer. Id. at 1135. The criminal nature of the CFAA further suggests that under the rule of lenity, any ambiguity should be resolved in favor of the defendant. Id.
Some commentators believed that the reasoning in Brekka would prevail, and that the effect of Citrin would be minimized, leaving companies unable to pursue CFAA claims for “without authorization” misconduct occurring during employment. As demonstrated by several cases this summer, however, this has not been the case. Notwithstanding Brekka, recent district court cases—within the 7th Circuit, for example—have not distinguished or otherwise limited Citrin. See, e.g., Dental Health Prods., Inc. v. Ringo, No. 08-C-1039, 2011 WL 3793961 (E.D. Wis. Aug. 25, 2011) and Deloitte & Touche LLP v. Carlson, No. 11-C-327, 2011 WL 2923865 (N.D. Ill. July 18, 2011).
Thus, the debate over the reach of the CFAA rages on. Even in those jurisdictions that hold that the employee’s misconduct is not “without authorization” if it occurs while he is still employed, the CFAA can be used for misconduct that occurs after termination, e.g., hacking into the company’s computers to access data.
The CFAA is becoming a more popular, albeit somewhat controversial, mechanism to seek recovery for employee misconduct. Its role in remedying misconduct occurring during employment will continue to vary by jurisdiction, perhaps until the U.S. Supreme Court decides the circuit split as to what constitutes “without authorization.”