By Robert Milligan and Jeffrey Oh
In its order denying defendants’ motion to dismiss in SBM Site Services, LLC v. Garrett, et al., Case No. 10-cv-00385, a Colorado federal court identified a circuit split over the interpretation of “unauthorized access” under the Computer Fraud and Abuse Act and then found a former employer had stated a CFAA claim against a former executive and his new employer regardless of the different circuit interpretations based upon his post-termination computer activities. The case is significant because it provides employers with authority that the CFAA should apply in cases where an employee steals or destroys company data on a company computer after his or her termination.
Pertinent Allegations
In its ruling, the court laid out the pertinent allegations which it accepted as true for purpose of ruling on defendants’ motion. According to the complaint, defendant John Garrett, formerly the Senior Vice President/Chief Business Development Officer at SBM, a janitorial, recycling, and moving services company, worked remotely from home using two desktop computers and two laptop computers provided to him by SBM. He used these SBM-provided devices to remotely access SBM’s computer system. Prior to his move to Able, a direct competitor of SBM, Garrett allegedly had his administrative assistant download numerous SBM files from its network, had them burned to a cd, and then had them sent to him.
According to the amended complaint, on January 4, 2010 Garrett informally notified SBM that he was resigning effective January 22, 2010. SBM then informed Garrett that he would need to return all SBM property, including computers, records and other confidential information, before his departure. After failing to return the company computers at an initial meeting on January 26, 2010, SBM scheduled another meeting for January 29, 2010 to collect the items. Garrett allegedly canceled this second meeting and did not return the last of his company computers until February 16, 2010, over two weeks after starting his new job at Able. Garrett began his employment with Able on January 28, 2010 and SBM alleges that Garrett loaded SBM’s confidential information onto a laptop provided to him by Able. Upon examination of the returned laptop, SBM allegedly found that the hard drive had been encrypted to prevent access in addition to being “intentionally erased.” SBM asserted several claims against Garrett and Able, including violation of the CFAA.
CFAA and Circuit Split
As with most cases where the CFAA is invoked, the question of what constitutes unauthorized access is central to the arguments made by both sides. Section 1030(a)(5)(C) of the CFAA makes it unlawful to “intentionally access[] a protected computer without authorization and as a result of such conduct, cause[] damage and loss.” Garrett argued that because he was authorized to access the laptop while he was employed by SBM, he cannot have accessed the laptop without authorization.
The court acknowledged that the Tenth Circuit has yet to address what constitutes “unauthorized access” for purposes of the CFAA. The court analyzed differing interpretations of the provision made by the Seventh and Ninth Circuits.
In its interpretation of what constitutes “unauthorized access,” the Seventh Circuit applied agency principles in International Airport Centers, LLC v. Citrin to determine that an employee’s access was unauthorized from the moment he decided to quit and had undertaken actions in violation of his duty of loyalty to his employer. According to the decision, access is only authorized within the agency relationship between employer and employee. This agency relationship relies on loyalty as well as transparency, and violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship. Under the Seventh Circuit’s approach, whether access to a computer was “unauthorized” depends upon the status of the agency relationship between the employer and employee.
The Colorado federal court noted that the Ninth Circuit has taken a more restrictive view of what constitutes “unauthorized access” for purposes of the CFAA. In LVRC Holdings LLC v. Brekka, the Ninth Circuit determined that “authorization” depends on actions taken by the employer and “[i]f the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” In other words, unless an employer rescinds an employee’s right to use or access a computer, the employee arguably has authorized access to all systems and files within the scope of their position. Thus, the onus is on the employer to end an employee’s right to access by explicitly informing them of such. It is notable that the Colorado federal court’s decision does not address the exceeds authorized access section of the CFAA, which provides an alternative theory of liability under the CFAA. An en banc panel of the Ninth Circuit is presently considering that section in U.S. v. Nosal and will issue a decision soon.
Colorado Federal Court’s Analysis: Post-Termination Activities Key
Forgoing to determine which circuit interpretation to follow, the Colorado federal court ruled that SBM had stated a claim under the CFAA under either standard. Since Garrett allegedly accessed SBM’s protected computer systems both after he had decided to quit as well as after he was asked to return all computer equipment, the court found that SBM did in fact have a valid claim for violation of the CFAA. The court reasoned that SBM had notified Garrett that he was required to return all company property at the time he ended his employment. SBM explicitly revoked Garrett’s access to the laptop as of his day as an employee. He allegedly failed to return his equipment, including a laptop, on his last day and canceled a follow up meeting to collect the equipment. He retained the laptop for approximately three weeks after he terminated his employment. When he returned the laptop, it had allegedly been intentionally erased. The court found that it was reasonable to infer that Garrett accessed the laptop after his last day of employment. The court distinguished cases cited by defendants that Garrett’s access was not “unauthorized” because they involved the use or alleged misuse of computer provided equipment during the duration of defendant’s employment. In this case, Garrett allegedly retained Plaintiff’s laptop for three weeks after his employment ended, including more than two weeks after he started his employment with Able.
The court reasoned that there can be no question that, under either the Seventh or the Ninth Circuit’s interpretation of “unauthorized access,” Garrett’s access to the laptop became unauthorized when his employment ended and SBM requested the return of the laptop. The court also found that SBM had stated a claim against Able. The court found that Garrett was an agent of Able and it was reasonable to infer that Garrett accessed SBM’s laptop during the time that he was employed with Able and in the scope of such employment.
Takeaways
With computer access becoming an integral and essential aspect of conducting business in the modern world, issues dealing with how employees access and utilize a company’s computer resources are very important and companies must employ clear and conspicuous computer usage policies with employees, including contractual agreements to return all company property upon termination, in order to effectively protect company property and data. Company computer log-in prompts should remind employees of their obligation to follow computer usage policies. Companies should consider clearly defining when an employee’s computer access is without authorization, exceeds authorization, and is without permission, and only permit the employee access to computer data and servers which is essential to perform their job functions. Lastly, should there be any delay in the return of a company computer upon termination of an employee who may pose a threat to company data security, companies should consider having the computer forensically imaged to detect any computer fraud or abuse by the employee. If any is detected, this new federal decision indicates that the employer may have a viable CFAA against the employee.