A district court in Arizona recently issued a published decision limiting the use of the Computer Fraud and Abuse Act (“CFAA”) by employers who have been the victim of electronic data theft by their former employees. In Shamrock Foods v. Gast, — F.Supp.2d —-, 2008 WL 450556 (D.Ariz.), the district court held that a departing employee’s transmittal of confidential information to his personal e-mail account prior to his resignation did not give rise to a cause of action under CFAA.
According to the employer’s complaint, the employee, who had executed a confidentiality agreement with the employer, allegedly e-mailed numerous company confidential and proprietary files to his personal e-mail account shortly after the employee had begun employment negotiations with a competitor. The day after he sent the company material to his personal e-mail account he allegedly told his manager that he was considering leaving the company and shortly thereafter informed the company that he was joining a direct competitor.
In its complaint, the company alleged that the employee was acting as an agent of the competitor when he assessed and e-mailed the confidential information. The company further alleged that he provided the information to the competitor and that the competitor was using the information to the company’s detriment.
The company brought suit in federal court asserting CFAA claims under 18 U.S.C. § 1030(a)(2), (4), and (5)(iii), as well as state law misappropriation claims. The employee and the competitor moved to dismiss the CFAA claims for failure to state a claim.
The district court granted the motion to dismiss concluding that 1) a violation for accessing a protected computer “without authorization” occurs only when the initial access is not permitted; and 2) an “exceeds authorized access” violation occurs only when initial access to a protected computer is permitted but the access of certain information is not permitted.
The court analyzed the CFAA statute in some depth and the specific CFAA claims that the employer brought. The court stated that it is a violation of section 1030(a)(2) when a person “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication.” Next, the court stated that section 1030(a)(4) is violated when a person “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value….” Finally, the court declared that section (a)(5)(A)(iii) is violated when a person “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage. . . .”
In sum, the court reasoned that to state a claim under (a)(2) and (a)(4), the employer must allege conduct showing that the employee accessed a protected computer without authorization or exceeded authorized access and under section (a)(5)(A)(iii), the employer must allege conduct showing that the employee accessed a protected computer without authorization.
The competitor and the employee argued the CFAA claims were not actionable because the employee was authorized to access the computer and information at issue. The employer argued that the employee was no longer authorized to access its confidential information once he acquired the improper purpose to use this information to benefit himself and the competitor.
The district court acknowledged that there were two lines of cases interpreting the meaning of “authorization” under the CFAA. According to the court, some courts have applied principles of agency law to the CFAA and have held that an employee accesses a computer “without authorization” whenever the employee, without knowledge of the employer, acquires an adverse interest or is guilty of a serious breach of loyalty. The court cited the following the cases in support of that proposition: Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-421 (7th Cir.2006); ViChip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Cal.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1125 (W.D.Wash.2000).
The court also stated that other courts “have opted for a less expansive view, holding that the phrase ‘without authorization’ generally only reaches conduct by outsiders who do not have permission to access the plaintiff’s computer in the first place.” The court cited the following cases in support of this contrasting position: Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D.Ga. Oct.1, 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D.Fla. Aug.1, 2006); Int’l Ass’n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 495 (D.Md.2005).
The court found that it was persuaded by the narrower view of “authorization”. First, the court found that the plain language of the statute supports a narrow reading of the CFAA. According to the court, section 1030(e)(6) defines “exceeds authorized access” to mean a violation occurs where the defendant first has initial “authorization” to access the computer. Under that section, once the computer is permissibly accessed, the use of that access is improper because the defendant accesses information to which he is not entitled. According to the court, under Citrin and Shurgard (cases that are often cited to support liability under these facts), however, that distinction is overlooked. According to the court, under their reasoning, an employee who accesses a computer with initial authorization but later acquires (with an improper purpose) files to which he is not entitled-and in so doing, breaches his duty of loyalty-is “without authorization,” despite the Act’s contemplation that such a situation constitutes accessing “with authorization” but by “exceed[ing] authorized access.” 18 U.S.C. § 1030(e)(6). The court found that the construction made by the courts in Citrin and Shurgan conflates the meaning of those two distinct phrases and overlooks their application in § 1030(e)(6). The court stated that the plain language of § 1030(a)(2), (4), and (5)(a)(iii) target “the unauthorized procurement or alteration of information, not its misuse or misappropriation.”
Next, the court found that the legislative history supports a narrow view of the CFAA. The court cited Congressional testimony indicating that the general purpose of the CFAA “was to create a cause of action against computer hackers (e.g ., electronic trespassers). According to the court, “[s]imply stated, the CFAA is a criminal statute focused on criminal conduct. The civil component is an afterthought.” The court reasoned that the legislative history confirms that the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.
Finally, the court found that principles of statutory construction support adopting a narrower view of the CFAA. The court found that the rule of lenity guides its interpretation of the CFAA because it has both criminal and noncriminal applications. According to the court, the rule requires a court confronted with two rational readings of a criminal statute, one harsher than the other, to choose the harsher only when Congress has spoken in clear and definite language. According to the court, the approach advanced by the employer in the case would sweep broadly within the criminal statute breaches of contract involving a computer. Similarly, according to the court, an interpretation of CFAA based upon agency principles would greatly expand federal jurisdiction and the court expressly declined “the invitation to open the doorway to federal court so expansively when this reach is not apparent from the plain language of the CFAA.”
The court stated that it was adopting the restrictive view of “authorization” and following the line of authority that a violation for accessing ‘without authorization” occurs only where initial access is not permitted. The court found that the employer had failed to state a claim because the employee was initially provided access to the computer he used and was permitted to view the specific files he allegedly emailed to himself. Accordingly, the court found that the employee did not access the information at issue “without authorization” or in a manner that “exceed[ed] authorized access” and thus, the employer failed to state a claim under the CFAA.
While there are several cases from the Ninth Circuit and other jurisdictions that would support a CFAA claim on these facts including Shurgard and ViChip Corp., this case demonstrates that there is a clear split in authority concerning the proper scope of the CFAA. Even in those jurisdictions following the restrictive view, however, employers can avail themselves of state law claims, such as trade secret misappropriation and breach of contract, for misuse of confidential information by former employees.