A recent Computer Fraud and Abuse Act (“CFAA”) case from the Southern District of Mississippi further muddies the water with respect to the circuit split regarding the application of the law against former employees who violate computer usage policies or violate their duties of loyalty to their employers by stealing company data from company computer systems.
Unified Brands, Inc. (“Unified”), a manufacturer and marketer of food service equipment, purchased another company, Intek, in 2010. Michael Teders (“Teders”), who had previously been an executive of Intek, entered into employment contracts with both Intek and Unified during the purchase period. Under the terms of the agreement, Teders was prohibited from working for any business which sold or produced steam cooking equipment for a year. In August 2010, Teders began working as Unified’s National Sales Manager, and signed another agreement pledging to maintain the confidentiality of Unified’s proprietary information for a two year period. Teders also signed one year non-compete and non-solicitation agreements. In December 2010, Teders allegedly “secretly negotiated a position with AEC,” a competitor in the steam cooking equipment industry. Prior to announcing his resignation, Teders allegedly accessed the laptop Unified Brands had provided him with, and downloaded confidential and proprietary information. Furthermore, Teders allegedly solicited Unified’s customers in violation of his employment agreement with Unified.
In February 2011, Unfied sued Teders in the Southern District of Mississippi, alleging various causes of action, including violations of the Computer Fraud and Abuse Act (“CFAA”), the Mississippi Uniform Trade Secrets Act (MUTSA), negligent supervision, and tortious interference with business relationship. The defendants moved to dismiss for lack of personal jurisdiction and failure to state a claim.
Jurisdiction
AEC moved for dismissal on the grounds of lack of personal jurisdiction under Rule 12(b)(2) of the Federal Rules of Civil Procedure. Here, the court found that subject matter jurisdiction was based on both federal question and diversity jurisdiction. In federal question cases, the court must look to service of process provisions giving rise to the federal question. Under the CFAA, a federal court may exercise personal jurisdiction “over only those defendants who are subject to the courts of the state in which the court sits.” Point Landing, Inc. v. Omni Capital, Int’l, Ltd., 795 F. 2d 415, 419 (5th Cir. 1986). The analysis is similar for diversity of citizenship cases, where the court conducts a two-step analysis: (1) the forum state’s law must provide for assertion of jurisdiction, and (2) the state law must comport with the Fourteenth Amendment’s Due Process Clause.
In addressing the first step, the court looked to Mississippi’s Long Arm Statute, which allows a court to exercise personal jurisdiction over non-resident persons and business entities that have made a contract with a Mississippi resident that is to be performed in whole or part in the state, have committed a tort in the state, or who do business in the state. Here, Unified argues that personal jurisdiction can be exercised over AEC and Holder because they committed a tort within the state, namely tortious interference with business relationship. The court found AEC and Holder did more than simply hire a competitor’s employee: Teders was still employed with Unified, and yet he was actively negotiating his future employment with AEC and Holder. As such, there was sufficient evidence to establish a prima facie showing that the tortious interference occurred in Mississippi, since at least some of the damage and loss occurred in that state.
In addressing the second step, the court looks to whether state law complies with the Fourteenth Amendment. To make such a showing, the court must show that the defendant has purposefully availed himself of the benefits and protections of the forum state by establishing minimum contacts with the forum state, and that the exercise of jurisdiction doesn’t offend traditional notions of fair play and substantial justice. Here, the court found that the nexus between Mississippi and the allegedly injured business relationship was the employment contract between Unified and Teders, which are governed by Mississippi law. Teders was allegedly soliciting clients while still employed with Unified, which satisfied the due process requirement. Additionally, exercising jurisdiction would not be unreasonable because the defendants directed business activities into Mississippi, which had an interest in litigating the case because the tortious interference occurred within its borders.
Ultimately, the court found a prima facie showing of jurisdiction, but emphasized that the plaintiff must still prove jurisdictional facts at trial or pretrial evidentiary by a preponderance of the evidence.
Motion to dismss for failure to state a claim: the Computer Fraud and Abuse Act
The most notable ruling here is the court’s decision regarding the CFAA claim. Unified alleged that Teders violated the CFAA by intentionally accessing a computer without authorization and obtaining information from a protected computer. AEC and Holder argued Teders downloaded confidential information from a computer he was authorized to access. Despite the defendants’ argument, the court found there was sufficient evidence to assert a plausible CFAA violation. According to the court, several courts have recognized that “once an employer is working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.” Here, the pleadings alleged Teders was unauthorized to access the computer, since he was acting on his own behalf, which the court found was sufficient to assert a CFAA claim.
Interestingly, this case seems to rely on the rationale of the agency theory, which is followed by the Seventh Circuit, as opposed to the computer usage theory followed by the Fifth and Eleventh Circuits. Cases following the agency theory are becoming increasingly rare these days. See our post on WEC Carolina Energy Solutions for additional information on this circuit split.
Under the agency theory, which is based on common law agency principles, when an employee accesses a computer to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the employee loses any authority to access the computer. The Seventh Circuit applied agency principles in International Airport Centers, LLC v. Citrin to determine that an employee’s access was unauthorized from the moment he decided to quit and had undertaken actions in violation of his duty of loyalty to his employer. According to the decision, access is only authorized within the agency relationship between employer and employee. This agency relationship relies on loyalty as well as transparency, and violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship. Under the Seventh Circuit’s approach, whether access to a computer was “unauthorized” depends upon the status of the agency relationship between the employer and employee.
Under the computer usage theory, also known as the intended usage theory, a violation of a computer usage policy can serve as a basis for holding an employee liable under the CFAA. Thus, an employee who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct. For additional information, see Shawn Tuma’s post on the subject. The computer usage theory has been applied in the Eleventh and Fifth Circuits, while the agency theory’s application has generally been limited to the Seventh Circuit. However, the Southern District of Mississippi’s decision suggests that the agency theory may still have some life left. It will be interesting to see how the case progresses as it moves toward the summary judgment stage, and we will continue to keep you apprised of future developments.