By Robert Milligan and Joshua Salinas
As anticipated, the issue regarding the application of the Computer Fraud and Abuse Act (“CFAA”) against employees who violate their employer’s computer use policies and steal valuable company data may be headed to the U.S. Supreme Court. Last week, WEC Carolina Energy Solutions LLC (“WEC”) filed a petition for writ of certiorari before the Supreme Court, asking the Court to determine whether the CFAA applies to employees who violate employer-imposed computer access and data use restrictions to steal company data.
Petitioner WEC provides specialized welding and related services to the power-generation industry. Respondent Mike Miller was employed by WEC as a project Manager in Field Services. WEC issued Miller a laptop computer for use in his employment, along with access to WEC’s computers and servers and numerous confidential and trade secrets documents stored therein. WEC allegedly had a clear company policy prohibiting any unauthorized use of its confidential information and trade secrets, including a prohibition against downloading confidential and proprietary information to an employee’s personal computer.
Miller resigned from WEC and went to work for a competitor, Arc Energy Services (“Arc”). Immediately before his resignation, however, Miller allegedly downloaded a substantial number of WEC’s confidential documents and emailed them to his personal email account. These confidential documents allegedly included highly valuable information regarding WEC’s past and pending customer proposals, pricing information, and quotation worksheets. Miller allegedly incorporated this information into a sales presentation on behalf of Arc for a potential customer regarding two power plant projects; Arc was subsequently awarded those projects.
WEC brought action against Miller for, inter alia, violation of the CFAA. WEC contended that Miller lacked and/or exceeded his authorization to download WEC’s confidential documents because WEC’s company policies prohibited any downloading of these documents to his personal computer.
The Fourth Circuit Court of Appeals in WEC Carolina Energy Solutions LLC v. Miller, 2012 WL 3039213 (4th Cir. 2012), affirmed the district court’s dismissal of the claim and held that departing employees are not liable under the CFAA for mere violations of a company computer use policy. In doing so, the Fourth Circuit adopted the Ninth Circuit’s narrow interpretation of the CFAA , thus widening a split between the federal circuits on whether employees who violate company policies and/or engage in disloyal conduct by stealing company data can be liable under the CFAA. Please see John Marsh’s and Ken Vanko’s blogs, as well as our previous blog, on the case.
On the other side, the Fifth, Seventh, and Eleventh Circuits have adopted a broader interpretation of the CFAA based on either common-law agency principles or computer usage policies. Under the agency theory, when an employee accesses a computer to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the employee loses any authority to access the computer and certainly access to steal company data. Under the computer usage theory, a violation of a computer usage policy can serve as a basis for holding an employee liable under the CFAA, Thus, an employee who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct.
Earlier this spring, a Ninth Circuit en banc panel in U.S. v Nosal adopted a narrow interpretation of the CFAA and found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Solicitor General declined to file a petition for writ of certiorari in that case.
As of now, an employer’s protection under the CFAA against rogue employees that steal valuable company data may simply depend on which jurisdiction they are in and/or the genius of counsel.
WEC’s petition does not necessarily mean the Supreme Court will hear the case. In fact, the Court’s website provides that it receives over 10,000 petitions each year but only grants and hears oral argument in about 75-80 cases (<1%).
The fact that the Supreme Court has yet to decide a CFAA case since the statute’s inception in 1984, along the deepening circuit split, may influence the Court’s consideration of the petition. We will continue to keep you apprised of future developments in the rapidly changing CFAA landscape.