Courts split on proof requirements for unauthorized access in computer fraud and abuse act cases

Authors: Robert B. Milligan and Carolyn E. Sieve (Seyfarth Shaw LLP, Los Angeles)

Citation: Journal of Intellectual Property Law & Practice, doi:10.1093/jiplp/jpp212

LVRC Holdings LLC v Brekka, 581 F.3d 1127 (Ninth Circuit, 15 September 2009)

The federal Ninth Circuit Court of Appeals, rejecting the reasoning of the Seventh Circuit Court of Appeals, joined a growing number of federal courts that have limited the use of the federal Computer Fraud and Abuse Act, 18 USC 1030 (‘CFAA’), in suits brought against former employees accused of wrongfully taking electronic data from a company's computer system before leaving the company. Rather than focusing on the employee's intent in taking the former employer's electronic data, the Ninth Circuit held that the employer is responsible for defining what constitutes ‘unauthorized access’ in violation of the CFAA. Without a showing that the employee exceeded the employer's prescribed access, employers at least in the Ninth Circuit (Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington) cannot maintain CFAA claims against former employees in such factual scenarios. Employers who commonly asserted such CFAA claims may now be faced with pursuing solely state claims in state rather than federal court.

Legal context

Congress enacted the CFAA in 1984 as a criminal statute designed to protect government and financial institution computers against ‘hackers’. In 1994, Congress added section 1030(g), which allows victims who suffer damages or loss resulting from a violation of the CFAA to maintain a civil action against violators and recover compensatory damages and injunctive relief. In 2000, a federal trial court in the Ninth Circuit rendered the first decision allowing a CFAA claim where an employee accesses an employer's computers to obtain information the employee will purportedly use to benefit a competitor: Shurgard Storage Ctrs., Inc. v Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000). Since then, the CFAA has become a potent means for employers to obtain redress from rogue employees who take company information to benefit themselves or their new employers.

In LVRC Holdings LLC, LVRC alleged violations of sections 1030(a)(2) and (a)(4). Section 1030(a)(2) is violated when a person ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer if the conduct involved an interstate or foreign communication ... ’. Section 1030(a)(4) of the CFAA (18 USC1030(a)(4)) is violated when a person ‘knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... ’. These are the CFAA sections most applicable in cases involving employees accused of stealing their employer's proprietary information.

In addition to showing unauthorized access or access in excess of authorization, plaintiffs suing under sections 1030(a)(2) or (4) must show that the violation involved one of the five factors listed in section 1030(a)(5)(B). In suits involving former employees alleged to have misappropriated their former employer's proprietary information, the first factor under section 1030(a)(5)(B) is usually applicable. To meet that requirement, the former employer must show ‘loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value’.

Facts

LVRC operated a residential treatment centre for addicted persons in Nevada. In April 2003, LVRC hired Brekka to conduct internet marketing and to interact with the company LVRC retained to provide email, website, and related services. When Brekka was hired, he owned and operated two consulting businesses that obtained referrals for additional rehabilitation services and provided referrals of potential patients to rehabilitation facilities. One business was located in Florida, where Brekka lived; the other was located in Nevada. LVRC's owner was aware of Brekka's businesses, though he said he was not aware of the full nature of their operations.

While Brekka worked for LVRC, he commuted between Florida and Nevada. In connection with his work for LVRC and his commute, he emailed to his personal computer documents he obtained or created in the course of his duties. LVRC and Brekka had no written employment agreement or confidentiality agreement, and LVRC had promulgated no guidelines prohibiting its employees from emailing LVRC documents to personal computers. In June 2003, Brekka obtained an administrative log-in for LVRC's website. With this access, he was able to monitor LVRC's internet marketing efforts.

In August 2003, LVRC and Brekka began discussions about the possibility of Brekka purchasing an ownership interest in LVRC. Shortly after, Brekka emailed to his personal email account and his wife's personal email account a number of LVRC documents, including a financial statement for the company, LVRC's marketing budget, and admission reports for patients. He also emailed to his personal email address a master admissions report containing the names of past and current patients at LVRC's facility. Ultimately, discussions regarding Brekka's potential ownership interest broke down, and Brekka stopped working for LVRC. He left the computer supplied to him by LVRC and did not delete any emails from that computer.

More than a year later, LVRC discovered that someone had logged into the LVRC website using Brekka's log-in information. LVRC notified the FBI and sued Brekka, alleging Brekka violated the CFAA when he emailed LVRC documents to himself and when he allegedly accessed the LVRC website after he left LVRC. LVRC then brought an action in federal court, alleging that Brekka violated the CFAA when he emailed LVRC documents to himself and when he continued to access the website after he left LVRC. In addition, LVRC brought a number of state tort claims.

The Nevada federal district court granted summary judgment in favour of Brekka, holding that LVRC had failed to establish a violation of either 1030(a)(2) or (4). The Ninth Circuit affirmed the district court's ruling.

Analysis

Consistent with the reasoning of various federal district courts and the Seventh Circuit, LVRC argued that, because Brekka accessed the company computer and obtained LVRC's confidential information to further his own personal interests, rather than the interests of LVRC, such access was ‘without authorization’ and violated the CFAA. However, the Ninth Circuit found no support for that argument in the CFAA's plain language and concluded that
‘[n]o language in the CFAA supports [plaintiff's] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest’.
The Court added that the plain language of the CFAA indicates that ‘authorization’ depends on actions taken by the employer, and
‘[i]f the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA'.
Thus ‘a person uses a computer "without authorization" under sections 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway’.

Because Brekka had permission to use his employer's computer while he was employed at the company, he did not access a computer ‘without authorization’ in violation of section 1030(a)(2) or section 1030(a)(4) when he emailed documents to his personal email address and to his wife's personal email address before leaving the company. The Court also found that Brekka did not ‘exceed authorized access’ when he emailed the documents because he was entitled to access those documents in the first place. Further, the Court held that LVRC's evidence failed to establish any factual dispute as to whether Brekka accessed the company website without authorization after he left the company.

In its opinion, the Ninth Circuit explicitly rejected the Seventh Circuit Court of Appeals' reasoning in International Airport Ctrs., L.L.C. v Citrin, 440 F.3d 418 (7th Cir. 2006) that an employee's authorization to access his employer's computer files terminated when he violated his duty of loyalty to his employer. Citing the dictionary definition of ‘authorization’, which ‘means "permission or power granted by an authority"’, the Ninth Circuit deduced that
‘"authorization" depends on actions taken by the employer’ and that ‘[n]othing in the CFAA suggests that a defendant's liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer’.
The Ninth Circuit also indicated that its interpretation was appropriate based upon the plain language of the statute and given the care with which it must interpret criminal statutes (1030(a)(2) and (4) create both criminal and civil liability) to ensure that defendants are on notice as to which acts are criminal.

Nonetheless, the Ninth Circuit did not go so far as to define ‘unauthorized access’ to apply solely to outsiders who do not have initial permission to access the plaintiff's computer, as a number of federal district courts have ruled.

Practical significance

Since 2000, CFAA claims have become common where former employees have taken company electronic data for their personal benefit or other improper purpose. This is because the CFAA provides a basis for federal court jurisdiction (some companies prefer to litigate in federal court) and because it allows aggrieved employers a remedy without having to prove the information taken was a trade secret or misappropriated, or that an employment agreement was violated. So long as the employer could prove "unauthorized access" to a protected computer and the requisite loss (at a minimum, $5000), it could obtain a remedy under the CFAA, including immediate injunctive relief.

After LVRC Holdings LLC, an employer litigating in the Ninth Circuit will be unable to maintain CFAA claims against a former employee who transfers company information from its computer system for personal use or that of a competitor premised simply on allegations that the former employee acted ‘without authorization’ or ‘in excess of authorization’ when acting as the agent of a new employer or having taken the data in breach of a duty of loyalty to a former employer.

Instead, in order to maintain a CFAA claim, the former employer must identify what steps it took or policies it promulgated to define for its employees authorized and unauthorized access and demonstrate how the employee exceeded his or her authorization. Even then, if the employer provided the employee with general access to its computer network and did not have adequate network safeguards in place to protect sensitive matter, the employer may struggle to establish a violation of the CFAA.

After LVRC Holdings LLC, employers must ensure that they have clear computer usage policies that outline acceptable computer usage. It is crucial for employers to educate their employees concerning permissible computer usage. They should also be mindful of what access they provide their employees to key company data because they may not be able to maintain CFAA claims against employees who transmit such data for their personal use or other improper purpose if they were originally provided access to the data as part of their employment. An audit of computer usage policies and employee access to confidential data is highly recommended, to ensure that employers in the Ninth Circuit put themselves in the best position following this decision.

No comments:

Post a Comment