Last month we blogged about a district court for the Northern District of California that distinguished the Ninth Circuit’s recent U.S. v. Nosal decision and allowed an employer to bring a counterclaim under the Computer Fraud and Abuse Act (“CFAA”) against a former employee for alleged violations of a verbal computer access restriction. (Weingand v. Harland Financial Solutions, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012). Recently, the court reaffirmed its conclusion regarding Nosal concerning the employee’s subsequent motion to dismiss that CFAA counterclaim.
Defendant employer Harland Financial Solutions alleged that it verbally authorized plaintiff and former employee Michael Weingand to return to its offices after the termination of his employment to copy his personal files from his prior work computer. A dispute arose, however, when Weingand allegedly “accessed , without authorization, over 2,700 business files,” some containing confidential, proprietary, and copyrighted information. (See our previous blog post for further details regarding the background of this case).
As discussed in our previous post, the court granted Harland’s motion for leave to amend its answer to assert a counterclaim against Weingand for violations of the CFAA.
Harland subsequently amended its answer to assert the CFAA counterclaim. Weingand then moved to dismiss the claim for “failure to state a plausible claim for relief.” (FRCP 12(b)(6)).
On August 29, 2012, the court denied Weingand’s motion to dismiss. The court noted that it already rejected a bulk of Weingand’s arguments in the prior motion for leave to amend. The court acknowledged, but declined to adopt, Weingand’s argument that verbal authorization could not be the sort of authorization cover by the CFAA:
Notably, the court reiterated its prior conclusion concerning Nosal:
“although Nosal clearly precluded applying the CFAA to violating restrictions on use, it did not preclude applying the CFAA to rules regarding access.”
Additionally, the court noted that many of the issues raised by Weingand concerning the scope and nature of his authorization, what constituted “personal” files, and whether he exceeded Harland’s authorization, were factual questions appropriate for summary judgment — not a motion to dismiss.
The court denied Weingand’s motion to dismiss because Harland alleged specific details about Weingand’s alleged unauthorized access, including when, where, and what Weingand allegedly accessed and copied.
The court’s reassertion that Nosal does not preclude employers’ “access restrictions” is significant because it reaffirms that Nosal may not be as broad of a limitation for employers that seek to use the CFAA against departing employees that steal valuable company data. After Nosal, it was feared that employers would have no recourse under the CFAA against employees that violate clear and explicit computer, network, and information security policies.
The court allowed Harland to proceed with its CFAA claim based on a mere verbal access restriction. This holding remains consistent with the Ninth Circuit’s prior decision in LVRC Holdings LLC v. Brekka: “The plain language of the statute therefore indicate that authorization depends on actions taken by the employer.” Thus under Weingand, an employer’s computer access policies may remain viable post-Nosal to bring CFAA claims in the Ninth Circuit against employees that violate those policies and steal valuable company data.