By Erik Weibust and Ryan Malloy

You may recall that we previously reported on Advanced Micro Devices, Inc. v. Feldstein, et al., C.A. No. 13-40007, in which Judge Timothy S. Hillman of the U.S. District Court of Massachusetts granted a preliminary injunction against three former employees of Advanced Micro Devices (AMD) who allegedly stole trade secrets from the plaintiff, without requiring a showing that the defendants actually used that information for the benefit of a competitor.

In the same case, Judge Hillman has now ruled that AMD company cannot sue former employees under the Computer Fraud and Abuse Act (CFAA) for downloading proprietary information onto personal devices before they left to work for a competitor without establishing that the employees had fraudulently or unlawfully accessed the information. 

As noted in the previous blog entry, AMD is a designer and manufacturer of microprocessors and other computer parts.  Defendants are former AMD employees who left AMD and were hired by AMD’s competitor, Nvidia Corp.  According to AMD, three of the defendants copied proprietary data from AMD-owned storage devices onto their own thumb drives and external hard drives while still employed by AMD, and retained the information after they left.  Last January, AMD sued the defendants in U.S. District Court and asserted a claim for violation of the CFAA against the three defendants who allegedly copied proprietary data. 

Although Judge Hillman declined to dismiss AMD’s CFAA claim with prejudice, citing an “incomplete” evidentiary record, he nevertheless adopted a narrow definition of the term “authorized access” under the CFAA by requiring a showing that defendants acted with fraud or deception.  Specifically, Judge Hillman found that AMD’s allegations were insufficient to sustain a CFAA claim under a narrow interpretation of the statute, but permitted AMD to re-plead specific details indicating that some or all of the defendants used fraudulent or deceptive means to obtain confidential AMD information, and/or that they intentionally defeated or circumvented technologically implemented restrictions to obtain confidential AMD information.

In contrast, the broad definition of “authorized access” that has been adopted in other jurisdictions defines access in terms of use.  Under this approach, any time an employee breaches a contractual obligation or a fiduciary duty to its employer, then the employee’s authorization to access information on the employer’s system terminates and all subsequent access is considered unauthorized.  Noting that courts have taken conflicting approaches to the definition, Hillman warned:

[I]f this court were to adopt a broad interpretation of the term of art ‘access that exceeds the scope of authorization’ then arguably any violation of a contractual obligation regarding computer use [such as idle Internet browsing] becomes a federal tort … As between a broad definition that pulls trivial contractual violations into the realm of federal … penalties, and a narrow one that forces the victims of misappropriation and/or breach of contract to seek justice under state, rather than federal law, the prudent choice is clearly the narrower definition.

Defendants’ motion to dismiss was also denied as to all other claims, except for AMD’s claim for unfair competition under Mass. Gen. Laws ch. 93A, section 11, on the ground that defendants correctly asserted the “inter-enterprise” exception to the statute