The Eleventh Circuit Court of Appeals’ December 27, 2010 decision in U.S. v. Rodriguez, Appeal No. 09-15265, — F.3d –, 2010 WL 5253231 (11th Cir. Dec. 27, 2010) may mark a significant split among the federal appellate circuits over the meaning of the phrases “without authorization” and “exceeds authorized access” under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”). On one side of the fence sit decisions which reject such suits due to the employer’s prior grant of access, regardless of the employee’s purpose of access or subsequent use of the files. On the other side are decisions which allow CFAA claims where the employee’s purpose for accessing the files was unauthorized, even if the access itself was permitted.
In Rodriguez, the court upheld the criminal CFAA conviction of defendant Roberto Rodriguez, a former Social Security Administration (“SSA”) telephone service representative, because he accessed confidential and sensitive files for “a non-business reason.” The SSA had previously established a policy prohibiting employee access of confidential databases “without a business reason,” of which Rodriguez was made aware several times. Despite these clear warnings from his employer, Rodriguez accessed more than 100 times confidential, personal information from Social Security files concerning women with whom he had a romantic relationship. Even though Rodriguez’s access of the database itself was authorized, the purpose of the access was not, thus triggering the “without authorization” or “exceeds authorized access” provisions of the CFAA.
The Eleventh Circuit thus aligned itself with the Seventh Circuit, which in Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), held that an employee violates the CFAA where he already has decided to quit, and thereafter accesses company files for unauthorized purposes in furtherance of his “breach of duty of loyalty” to the company (i.e. to erase valuable company data). That is, when an employee accesses computer files with a purpose to injure his employer, his access is necessarily unauthorized because by law because he never had permission to work against the company.
On the other side of the split is the Ninth Circuit‘s September 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). There, the court dismissed the CFAA suit against the former employee for subsequent misuse of company files because the purpose and misuse of the employee’s access was irrelevant, so long as the access itself for was permitted, for any purpose. According to Brekka, reading a purpose-related qualification into the CFAA terms “without authorization” and “exceeds authorized access” would run counter to the plain meaning of those statutory requirements. In fact, Brekka explicitly rejected Citrin’s suggested interpretation along those lines.
Rodriguez did not explicitly reject Brekka. Rodriguez instead distinguished Brekka because in Brekka there was no express prohibition against the employee’s accessing files and e-mailing them to his home address, whereas in Rodriguez, a prohibition against non-business-related access was in place. Nevertheless, Rodriguez implicitly rejected Brekka, because Brekka limited CFAA claims to those instances in which an employee had not received permission to access a computer for “any purpose,” or where the permission had been previously rescinded and the employee accessed the computer anyway. Rodriguez had permission to access the SSA database, albeit for a limited purpose, so his conviction likely would have been overturned by the Ninth Circuit, not upheld as the Eleventh Circuit did. Also, because of the unique circumstances in Rodriguez, there is a possibility that it could be distinguished on its facts alone.
In any event, the lessons to be learned by corporate counsel and management from this conflict are not limited to whether an employer can sue an employee for violating the CFAA. These decisions serve as reminders to management that they must carefully and vigilantly create and enforce employee computer-use policies, including the following:
*Write clear computer-access policies, disseminate those policies among employees, and periodically remind employees of their obligations;
*Require employees, whether professional, clerical, or otherwise, to sign non-disclosure and computer confidentiality agreements, where access to computers is strictly limited to furthering company business; and
*Develop a limited-permission structure so that employees are provided access only to those files needed to do their job.
You may contact Seyfarth Shaw’s Trade Secret Protection attorneys for further ideas and discussion of issues related to employee misuse or theft of company intellectual property.