By Robert Milligan and Jeffrey Oh
A recent California federal court decision has permitted an employer to pursue a former employee for alleged violations of the employer’s computer usage policies under the Computer Fraud and Abuse Act (“CFAA”), while an en banc Ninth Circuit panel considers the validity of such claims. The Ninth Circuit’s decision in the United States v. Nosal provided employers with a potentially powerful tool under the CFAA to combat data theft by employees and other insiders, only to see the decision rendered non-citable in October 2011 while an en banc Ninth Circuit panel reconsiders the issue. A recent decision from federal district judge Larry Alan Burns of the United States District Court, Southern District of California, reflects a willingness to allow employers to continue to use the CFAA to combat data theft at least until the en banc panel rules in Nosal.
The case, Platinum Logistics v. Mainfreight and Melissa Ysais, centers around Ms. Ysais, a former sales manager at Platinum Logistics who allegedly violated a binding nondisclosure agreement by taking customer lists and rate sheets in her transition to a competitor. Platinum Logistics claims that in taking these electronic documents without permission Ms. Ysais violated the CFAA.
In its initial complaint, Platinum Logistics specifically cited § 1030(a)(5)(C), a subsection of the CFAA which prohibits “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.” Ruling on a motion to dismiss, the Court cited the Ninth Circuit’s interpretation of § 1030(a)(5)(C) given in LVRC Holdings LLC v. Brekka in which access without authorization is defined as “without any permission at all.” Given that Ms. Ysais accessed the documents in question while still employed at Platinum Logistics and had accessed them previously within the scope of her job, the Court granted the defendant’s motion to dismiss, but without prejudice to Platinum Logistics. In his discussion on the matter, the Court provided Platinum Logistics with the opportunity to file an amended complaint, citing a different subsection of the CFAA as the potential basis for a valid claim.
According to the Court, Platinum Logistics may have a valid claim under §§ 1030(a)(2) and (a)(4), which offers legal recourse for cases where authorized access is exceeded. As interpreted by the Ninth Circuit in Nosal, “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” In the case of Platinum Logistics, Ms. Ysais’s alleged apparent disregard of the company’s non-disclosure agreements in taking electronic documents puts her in violation of the CFAA as it is currently interpreted. Accordingly, the Court provided the plaintiff with an opportunity to amend its complaint to state this claim under the CFAA. Should the plaintiff elect to assert the CFAA claim, the Court ordered the claim stayed pending resolution of Nosal.
As modern computer technology continues to change the work place and how companies operate, the CFAA continues to serve as an increasingly important legal tool in preventing data theft by employees and insiders. The outcome of Nosal is being closely watched by employers and employees and United States Supreme Court challenge is probably inevitable once the Ninth Circuit renders its decision.