A worker’s authorized access of an employer’s computer system during the course of his employment, in which he acquired information that he later misused, gives rise to civil liability under the Computer Fraud and Abuse Act (CFAA), the U.S. District Court for the Eastern District of Louisiana held April 3 (Associated Pump & Supply Co., LLC v. Dupre).
Kevin Dupre worked as a salesman covering certain Louisiana parishes for Associated Pump & Supply Co. under a confidentiality and noncompetition agreement. Before terminating his employment, Dupre allegedly started a competing company and discussed employment with another competitor. Dupre also allegedly downloaded files containing confidential information and trade secrets and deleted files belonging to Associated Pump from his work computer. The employer filed suit against Dupre alleging a CFAA violation, amongst other claims. Dupre moved to dismiss the CFAA claim, contending that his access was not “unauthorized” or “exceeding authorization.” A claim brought pursuant to the CFAA under 18 U.S.C. § 1030(a)(4) requires the plaintiff to prove the following elements: “(1) defendant has accessed a protected computer; (2) has done so without authorization or by exceeding such authorization as was granted; (3) has done so ‘knowingly’ and with ‘intent to defraud’; and (4) as a result has ‘further[ed] the intended fraud and obtain[ed] anything of value.’”
As we recently blogged in our Trade Secrets blog here and here, some federal courts have taken a pro-employee stance, while others have taken a pro-defendant interpretation of the CFAA’s “without authorization” and “exceeding authorization” provisions. The Fourth and Ninth Circuit Courts of Appeals have adopted that approach, holding that the CFAA does not apply to employees who copy files and send them to or use them for a competitor. The access itself was not unauthorized, even if the subsequent file use was. Thus, they find no liability under the statute’s plain language. The Fifth, Seventh and Eleventh Circuits, however, take the opposite stance: that employees who use their otherwise authorized access to company computers can be liable under the CFAA for their subsequent misuse of the files on those computers. Under normal agency law, employees have no authorization to use company files against the company. Their accessing the company’s computers for that purpose, those courts held, violated the CFAA.
The Dupre case relied on the Fifth Circuit case of U.S. v. John, 597 F.3d 263 (5th Cir. 2010). The Fifth Circuit held in John that CFAA liability arises when employee access “exceeds the intended use of the system or when the access is ‘in violation of an employer’s policies and is part of an illegal scheme.’ ” In John, the employee used authorized access to view and print information but exceeded authorized access by violating company policies when she accessed accounts she didn’t manage, removed sensitive information from the premises and used it to perpetrate fraud on the company and its customers. As in John, Dupre’s alleged conduct violated company policies protecting the confidential information that he accessed, and he allegedly misused the protected information in violation of those policies and the confidentiality agreement. Although the Fifth Circuit’s holding was specifically applicable to the criminal context, its reasoning “informs this court on how the Fifth Circuit would treat the instant matter,” the district court said.
The Dupre case is another example of the very same CFAA language over which other federal courts have issued conflicting decisions for the past two decades. This again points up the need for the Supreme Court to resolve the split, or for Congress to amend the statute. As we have noted before, as it stands now, whether a disloyal employee may be prosecuted or sued under the CFAA depends on the federal circuit in which he or she works. Nonetheless, the Dupre case is another decision favoring employers.