By Gary Glaser and Jacob Oslick
An old folk melody describes the world as “a very narrow bridge,” where one misstep can bring disaster. The song seeks to inspire, calling on people to have “no fear at all” while crossing through life’s perils.
However inspiring this song might be, some metaphorical bridges just aren’t worth crossing. Trying to assert Computer Fraud and Abuse Act (“CFAA”) claims against disloyal employees is a perfect example. Employers rightly want to seek relief against employees who steal confidential information that might not qualify as “trade secrets.” And, at first glance, the CFAA appears to present a promising bridge into federal court for just such a claim. Even better, for a while, many federal courts adopted a broad view of the statute that permitted precisely these claims. In fact, between 2001 and 2010, the First, Fifth, Seventh, and Eleventh Circuits all issued opinions that interpreted the CFAA broadly, which still stand as the precedent in those Circuits.
Over the past few years, however, other federal courts have increasingly construed the CFAA narrowly. In a number of decisions, various federal courts have restricted both the claims that can be brought under the CFAA and the damages available for violations. These days, simply asserting a CFAA claim will almost certainly be met with a time-consuming and burdensome motion to dismiss. And, often, the CFAA proves to be a bridge to nowhere, because the Court dismisses the claim.
The plaintiff in JBCHoldings NY, LLC v. Pakter, 2013 U.S.Dist. LEXIS 39157 (S.D.N.Y. 3/20/13) recently learned this lesson. In JBCHoldings NY LLC, an employer was faced with a familiar situation: it gave a trusted employee access to its highly confidential information, only to have her allegedly misappropriate it for herself, and then allegedly misuse it to pilfer the company’s business opportunities which she then allegedly provided to former business colleagues who had set up a competing entity with her. The employer responded with a CFAA claim, alleging that the disloyal employer had violated the statute because, by stealing data, she accessed the company’s computers “without authorization” or “exceeded [her] authorized access.”
On March 20, 2013, the Southern District of New York dismissed the employer’s claim. The Court reasoned that the CFAA’s “plain meaning” only prohibits accessing information “without authorization” or “exceed[ing] authorized access,” but “does not speak to the misuse of permitted access or the misappropriation of information which an employee is authorized to access.” In so doing, the Court followed recent decisions by the Fourth and Ninth Circuits in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), respectively, along with a plethora of Second Circuit district court decisions.
The Court further reasoned that a “review of the statute as a whole confirms the narrow interpretation,” because it defines “loss” quite narrowly. In this regard, the Court noted that an unpublished Second Circuit decision held that the CFAA did not cover losses sustained due to the plaintiff’s misappropriation of proprietary information. See Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 563 (2d Cir. 2006). Given this limitation, the Court in JBCHoldings articulated that “[i]t would be illogical for the statute to prohibit misappropriation of employer information, but not define loss to include the losses resulting from that misappropriation.”
Additionally, the Court held that, while it “does not find the statute ambiguous,” the “rule of lenity” would caution towards a narrow interpretation, “because the CFAA is primarily a criminal statute.”
The Court’s opinion does leave two narrow bridges of hope for employers. First, on the law, the CFAA’s interpretation is far from settled. Despite WEC Carolina Energy Solutions, Nosal, and district court decisions like JBCHoldings, a majority of circuit courts that have addressed this issue have come down on the side of the broader interpretation. And the Supreme Court won’t be resolving this circuit-split anytime soon. The Department of Justice declined to seek certiorari in the Nosal case and, back in January, the Supreme Court dismissed the certiorari petition in WEC Carolina Energy Solutions, upon the parties’ stipulation. So a “broad” CFAA claim remains viable in many jurisdictions.
Second, on the facts, the JBCHoldings court provided direction on how employers can sometimes successfully navigate a narrow CFAA claim. For, although the Court held that the CFAA doesn’t provide a remedy against a disloyal employee who misuses access to a computer, it does apply to an “outside hacker” who lacks any permission whatsoever. The Court further noted that at least some of the Complaint’s allegations created an inference of “outside hack[ing],” including allegations that the disloyal employee may have used spyware or malware to accomplish her goals. That being said, the Court ultimately found that these allegations were “couched in terms of sheer possibility,” and thus failed to pass the Twombly/Iqbal “plausibility” standard. This is because it was much more likely that the employee “simply copied the information to her personal laptop,” without resorting to a nefarious program.
Taking that reasoning to heart, employers should remember that the JBCHoldings case is not every case. While disloyal employees often just swipe information that they can lawfully access, sometimes they get even greedier. They may load spyware and malware onto their employer’s server to farm for useful information. They may decrypt passwords to access higher-level information than they are permitted. Or they might “hack” this data in other ways. And, when employees engage in such conduct, they do more than just misuse information that they can lawfully access. They exceed their authorized access to a company’s computers, and thus indisputably fall within the CFAA’s ambit.
In fact, this kind of conduct may very well have happened in the JBCHoldings case. The employer just didn’t have the facts to back it up its allegations. For, although it began some kind of investigation into the employee’s conduct, this investigation remained “incomplete” when they filed their Complaint, and apparently wasn’t too detailed.
This may have been a fatal mistake. A professional forensic examination can reveal what employees stole, how they stole it, whether they engaged in any other sinister conduct (such as deleting data), and whether they comprised the system’s integrity. Accordingly, this kind of examination can – at least sometimes – provide factual backing for a CFAA claim, even if a Court construes the CFAA narrowly. In short, a forensic examination can help employers decide which potential CFAA claims to avoid, and which to pursue. After all, when you’re crossing a narrow bridge, you want it to be as strongly supported as possible. Even if you have no fear at all.
Employers may also find that they have a better chance of successfully articulating a successful CFAA claim in a “narrow interpretation” circuit, if they draft their confidentiality/trade secrets policies with the express precepts of the CFAA in mind. Thus, for example, it may pay for an employer to expressly provide that an employee’s authorization to access certain specified confidential information of the employer ceases immediately upon certain triggering events. Needless to say, the Courts will have the last word as to whether such policy language can “trump” their interpretation of the terms of the CFAA, but where the employer’s polices closely track those very terms, it may be more difficult for the Court to find that authorization, once given, cannot be lost. Just sayin’. . .