The parties in the WEC Carolina Energy Solutions LLC v. Miller matter recently agreed to dismiss the petition for writ of certiorari filed with the United States Supreme Court, and as a result, the Court has dismissed the case.
Accordingly, the circuit split regarding the ability of employers to use the Computer Fraud and Abuse Act (CFAA) to sue former employees in typical employee data theft cases remains unresolved.
In early 2012, a Ninth Circuit en banc panel in United States v. Nosal adopted a narrow interpretation of the CFAA and found that an employee’s violation of his/her employer’s computer usage policies to steal company data was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies.
Later in 2012, the Fourth Circuit in WEC Carolina Energy Solutions LLC v. Miller joined the Ninth Circuit and adopted this narrow interpretation of the CFAA.
The First, Fifth, Seventh, and Eleventh Circuits have adopted a broader interpretation of the CFAA based on either common-law agency principles or computer usage policies. Under the agency theory, when an employee accesses a computer to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the employee loses any authority to access the computer. Under the computer usage theory, a violation of a computer usage policy can serve as a basis for holding an employee liable under the CFAA, Thus, an employee who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct under the CFAA.
As a result, employers can still pursue CFAA claims in the First, Fifth, Seventh, and Eleventh Circuits against rogue employees who steal data, whereas such claims remain very difficult to pursue in the Fourth and Ninth Circuits.
WEC Carolina Energy Solutions LLC had previously filed a petition for writ of certiorari, asking the Court to determine whether the CFAA applies to employees who violate employer-imposed computer access and data use restrictions to steal company data.
The question posed by the petition for writ of certiorari was “whether the CFAA applies to employees who violate employer-imposed computer access and data use restrictions to steal company data.” Please see Thomas O’Toole’s and Russell Beck’s discussion regarding the issue, as well as a nice summary of the CFAA split in the recent Florida Bar Journal.
Accordingly, in those circuits that do not recognize CFAA claims in the typical employee data theft scenario, employers should consider the following: 1) consider revising your company’s computer use policies and incorporate the concept of computer access policies instead (please see our previous post about the importance of computer access policies, even in the Ninth Circuit); 2) review the access employees are provided to company information on your company’s computer servers and devices and narrow access to such information to need to know (e.g. lower level employees should not have access to highly valuable company information); and 3) the circuit split highlights the importance of contractual restrictions with employees requiring employees to return all company property and information upon termination, as well as employing robust and detailed exit interviews, which probe departing employees regarding the return of all company information, including information that may reside on personal computers and devices and securing the return of the same.
While there was proposed CFAA legislation in 2012, including one bill that would narrow its application and another that would expand its scope, it is unclear whether similar legislation will be proposed in 2013. If you are interested in a legislative fix to the CFAA split, please contact your Seyfarth attorney or let us know here. In the meantime, we will continue to keep you posted on any new significant CFAA decisions.