By Robert Milligan, Joshua Salinas, and Jeffrey Oh
In another decision that underscores the circuit split regarding the interpretation of the Computer Fraud and Abuse Act’s (CFAA) language on authorized access, the Honorable Judge David Doty of the United States District Court for the District of Minnesota has dismissed an employer’s claim that its former employees violated the Act. The case, Walsh Bishop Associates, Inc. v. O’Brien, CIV. 11-2673 DSD/AJB, 2012 WL 669069 (D. Minn. Feb. 28, 2012), concerns three former officers of the Minneapolis-based architectural firm Walsh Bishop. The court held that since the defendants had authorized access to all of the electronic files they purportedly took, they could not be liable under the CFAA for their use or misuse of the files.
According to the court’s decision, Keith O’Brien, Ian Scott, and David Serrano sat on Walsh Bishop’s executive committee and had “access to the highest level of confidential and proprietary information of [Walsh Bishop].” In June 2011, the three incorporated a separate entity, also a named defendant, WBA Partners, Inc. The three allegedly used WBA Partners, Inc.’s name on a $7 million proposal while still working at Walsh Bishop. Additionally, in August 2011 Scott allegedly sent a Walsh Bishop customer list to his personal email and Serrano allegedly sent a drawing he had prepared for Walsh Bishop to his personal email.
All three purportedly met with competing firms during this time about switching firms and bringing their clients with them. Thereafter, defendants’ employment with Walsh Bishop terminated at an unknown date. Walsh Bishop subsequently sued defendants claiming a violation of the CFAA and a variety of other state and federal statutes, in addition to common law claims.
Walsh Bishop’s CFAA claim specifically referenced Section 1030(a)(2) of the Act, which holds a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from a protected computer” liable for imprisonment and a fine. Although the CFAA is largely a criminal statute, an amendment to the Act passed in 1994 allows its application in civil suits.
Walsh Bishop contended that Scott and Serrano violated the CFAA when they emailed company documents to themselves “in a manner contrary to [Walsh Bishop’s] interests and use policies.” Walsh Bishop derived its argument from the Ninth Circuit case United States v. Nosal, which expanded the interpretation of “exceeds authorized access” to include violations of a company’s “computer access restrictions – including use restrictions.” (United States v. Nosal, 642 F.3d 788 (9th Cir. 2011), reh’g en banc granted, No. 10–10038, 2011 WL 5109831 (9th Cir. Oct. 27, 2011)). Nosal departed from the Ninth Circuit authority that determined “authorization” based on the actions taken by the employer. (See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)). In Brekka, the Ninth Circuit narrowly interpreted the CFAA and placed the onus on the employer to explicitly rescind the employee’s right to use or access a computer.
The defendants moved to dismiss Walsh Bishop’s CFAA claim on grounds that Walsh Bishop authorized their computer access “at the highest levels,” and thus they could not exceed authorized access.
In his decision to grant defendants’ motion to dismiss, the court noted that the Eighth Circuit has yet to determine whether the CFAA imposes civil liability on employees who access information with permission but for an improper purpose. The court cited several Minnesota District Court cases that adopted a more narrow view of the CFAA that focused on the scope of access rather than misuse or misappropriation of information. The court found that this narrow interpretation correctly applied the language and purpose of the statute more than Nosal.
First, the court highlighted the plain language of section 1030(a)(2), which concerns access and not the use of information. He stated that had Congress intended to target use of information, it would have included the appropriate language. (See, e.g., § 1030(a)(1)).
Second, the court stated that the legislative purpose and history support the plain meaning of the statute because Congress enacted the CFAA to apply to persons who abused computer technology without access. The court emphasized that Congress never intended to provide a federal cause of action for state-law breach of contract, trade secret, or other business-tort claims.
Finally, the court addressed Walsh Bishop’s argument that the defendants’ acts were unlawful because they violated Walsh Bishop’s computer-use policies. The court first explained that he could not consider the computer-use policy because Walsh Bishop failed to attach the policy in its complaint. The court stated that even if he considered the computer-use policy, the policy only proscribed certain uses of information, not defendants’ scope of access. The court highlighted the fact that Walsh Bishop granted defendants broad access to its computer systems and expressly granted access to the areas of the systems it alleged defendants used with an improper purpose. Therefore, since the defendants had access to all of the files they purportedly took, the court ruled that they cannot be held liable under the CFAA for their use or misuse of said files.
Walsh Bishop is unfortunately at the mercy of the court’s decision to use the more narrow interpretation of the CFAA, similar to the Ninth Circuit’s interpretation in Brekka, over the more employer-friendly precedent established by the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and the Ninth Circuit in Nosal.
Although Walsh Bishop implemented explicit computer and data use restrictions, its policies restricted only employees’ use of information and not access to information. This alleged deficiency subjected Walsh Bishop’s claim to the court’s interpretation of the statutory language of the CFAA and corresponding circuit split.
Lastly, the court declined to exercise supplemental jurisdiction over Walsh Bishop’s remaining state-law claims, but dismissed the claims without prejudice so that Walsh Bishop could bring an action in Minnesota state court.
This case is important because it reminds companies to be vigilant in advancing their own computer use and access restriction policies at every opportunity. Employers should implement policies that explicitly define both the employee’s access to information and the appropriate use of information. In addition to comprehensive and clear computer use and access policies, companies should consistently remind employees of their duty to adhere to such policies. For example, this can be done through a prompt that appears whenever the employee logs on to a protected computer system. This constant reminder can go a long way in discouraging any behavior not in the best interests of a company and provide evidentiary support should the employer need later to sue the employee for violation of the CFAA or similar state laws.