By Robert Milligan and Joshua Salinas
The Computer Fraud and Abuse Act (“CFAA”) remains a potent weapon for employers to use against disgruntled employees who steal company data. The Sixth Circuit in U.S. v. Batti, No. 09-2050, 2011 WL 111745 (6th Cir. 2011)recently upheld the criminal conviction of an employee who allegedly accessed, copied, and leaked confidential information that belonged to his employer’s CEO. The court also awarded the employer restitution for private security investigation costs, despite parallel government investigations. Unfortunately, the court provided no clues into its position regarding the hotly contested “without authorization” interpretation that has split the circuits.
Luay Batti worked in the IT department of Campbell-Ewald, a Michigan advertising company. While employed, Batti allegedly obtained without authorization confidential information that belonged to Campbell-Ewald’s CEO. Six months later, Batti met with Campbell-Ewald’s General Manager to complain about the IT department’s management. Batti also allegedly provided the General Manager a copy of the CEO’s files to reveal the weaknesses in the company’s computer security. Campbell-Ewald fired Batti and contacted the police.
The FBI conducted an investigation into the alleged security breach. Subsequently, Campbell-Ewald hired a security investigation firm and obtained legal advice from outside counsel regarding the alleged security breach.
Butti was convicted for violating the CFAA. The district court awarded Campbell-Ewald $47,565 in restitution for the security firm’s investigation and advice from counsel.
One of the issues Batti raised on appeal was whether Campbell-Ewald could receive restitution when the government had already conducted an investigation.
The Sixth Circuit affirmed the lower court and ordered restitution. The court emphasized that courts are required to award restitution to reimburse necessary expenses incurred when victims investigate offenses. (18 U.S.C. § 3663A). The court echoed the growing majority of courts that private investigations are necessary responses to security breaches. Thus, Campbell-Ewald could recover for incurred investigation costs, regardless of whether the government already conducted an investigation. In fact, Campbell-Ewald’s continued surveillance allegedly caught Batti attempting to access the company’s computer server after his termination.
This holding is welcome news for employers and other victims of CFAA violations. The growing majority of courts permit the recovery of investigation costs in CFAA civil suits. As reflected in Batti, criminal proceedings brought by the government against rogue employees who steal company data may be viable options for employers (provided that they can secure the government’s attention and support) and reduce the need for costly civil suits, particularly where they can receive restitution for their investigation costs.
Yet, the Sixth Circuit provided no insight into how it would rule regarding the current “without authorization” split. Batti did not raise the issue of authorization on appeal and thus the court was not required to discuss it. The facts of the case provided no opportunity for the court to delve into its interpretation of “without authorization.” Batti’s alleged purpose in providing the GM with a copy of the CEO’s files was to show that someone without authorization could obtain this confidential information. On one side of the circuit split, some courts focus on whether the employee was initially authorized to access the stolen data. On the other side, the Seventh and Eleventh Circuits focus on the purpose and intent of the employee’s conduct, which would terminate any previously granted access. Indeed, Batti apparently never had any authorization to access the CEO’s files and thus his alleged conduct constituted “without authorization” under any circuit’s interpretation.
While Batti provides no clear guidance on how it would side in the “without authorization” split, the Court reinforced the employers’ ability to use the CFAA as a viable claim to combat computer security breaches by employees in certain situations.