A recent decision from the Eastern District of Pennsylvania reinforces the importance of the timing of purported misconduct in alleged violations of the Computer Fraud and Abuse Act (CFAA) and Defend Trade Secrets Act (DTSA). In Teva Pharmaceutical USA, Inc. v. Sandhu, et al., 2018 WL 617991 (Jan. 30, 2018), Judge Savage found that a defendant former executive could not be liable under the CFAA for conduct that occurred while she had authorized access to computers from which she misappropriated trade secrets. Id. at *1. However, the court also found that CFAA claims could be brought against the recipients of those trade secrets under an “indirect access” theory, and that DTSA claims could be brought on the basis of activity that began before the enactment of the DTSA but continued to occur after its passage.
Teva Pharmaceuticals, the largest generic drug manufacturer in the world, employed Barinder Sandhu as its Senior Director of Regulatory Affairs from 2012 to 2016. Id. In that role, Sandhu was responsible for overseeing Teva’s post-approval regulatory affairs for its generic products in the United States. As part of her employment, Sandhu entered into a confidentiality agreement and was allegedly given extensive access to Teva’s trade secrets, including confidential information about products still in development and correspondence from the Food & Drug Administration detailing how Teva might obtain approval for other products in development. Id.
Teva alleges that during her employment, Sandhu was romantically involved with Jeremy Desai, the CEO of Apotex, a competing manufacturer of generic pharmaceuticals. According to Teva, it received a tip from a former Apotex employee that Sandhu had shared information about Teva products in development with Desai. Id. at *2. Teva’s internal investigation allegedly revealed that (1) Sandhu emailed documents marked as “confidential” and containing Teva’s trade secrets to Desai, (2) Sandhu had copied approximately 900 Teva files to her personal cloud-based storage account, and (3) Sandhu had then copied the same files to flash drives. Teva terminated Sandhu and brought claims against her under the CFAA and DTSA, as well as state law claims for violation of the Pennsylvania Uniform Trade Secrets Act, conversion, breach of contract, and breach of fiduciary duty. Teva also sued Desai and Apotex for violating the DTSA and CFAA, along with a host of state law claims. Id.
Teva’s CFAA Claims
In ruling upon a 12(b)(6) motion to dismiss, Judge Savage found that Teva could not maintain claims against Sandhu under the CFAA because Teva did not allege “that Sandhu acted without authorization or exceeded her authorized access.” Id. at *3. After acknowledging that the question of what kind of activity “exceeds authorized access…when it is an employee who properly accessed and improperly used the information has split the circuit courts,” the court found that Sandhu had not violated the CFAA because she had authorized access to the computers in question at the time that she misused Teva’s confidential information. Id. In doing so, the Court joined the minority view adopted by the Fourth and Ninth Circuits that the CFAA “prohibits unauthorized access and does not extend to the use of the information accessed. In other words, liability attaches to access, not use.” Id. In the court’s reasoning, the majority approach taken by the First, Fifth, Seventh, and Eleventh Circuits – that unauthorized use of information taken from a computer can violate the CFAA – “expand[s] the scope of the statute beyond what Congress intended.” Id. at *5. The Court held that “[h]ad Congress intended the statute to punish one who misuses information she was authorized to obtain, it knew how to do so. It could have added one word—‘use’…” Id.
While finding that Sandhu could not be held liable under the CFAA “[b]ecause she was authorized to access Teva’s computers when she did,” the court did not dismiss Teva’s CFAA claims against Desai and Apotex, finding that Teva had adequately pleaded a theory of indirect unauthorized access. “A person who did not directly access the computer may still be liable under the CFAA if he ‘directs, encourages, or induces’ someone else to access a computer that he himself is unauthorized to access.” Id. at *6.
Despite allowing Teva’s CFAA claims against Desai and Apotex to proceed, the court also noted that Teva’s damages against those defendants would be limited to costs incurred in responding to the violation and assessing damages done by defendants’ alleged unauthorized access. “…Teva cannot recover under the CFAA for lost revenue caused by misappropriation of confidential information.” Id. at *8.
Teva’s DTSA Claims
Defendants also moved to dismiss Teva’s claims based upon the argument that their alleged conduct predated the enactment of the DTSA. The Court disagreed, noting that under the statute, “[m]isappropriation…includes unauthorized ‘use,’ not just acquisition, of a trade secret.” Id. at *9. Because Teva’s complaint alleged that the defendants continued to use its trade secrets after the DTSA’s enactment on May 11, 2016, its DTSA claims could proceed. While the issue has yet to be considered at the Circuit level, the Eastern District of Pennsylvania’s ruling noted that every district court to consider the question thus far has reached the same conclusion. See Syntel Sterling Best Shores Mauritius Ltd. v. Trizetto Grp., Inc., 15–cv–211, 2016 WL 5338550, at *6 (S.D.N.Y. Sept. 23, 2016); Adams Arms, LLC v. Unified Weapon Sys., Inc., 16–cv–1503, 2016 WL 5391394, at *5–7 (M.D. Fla. Sept. 27, 2016); Allstate Ins. Co. v. Rote, 16–cv–1432, 2016 WL 4191015, at *1–5 (D. Or. Aug. 7, 2016); Henry Schein, Inc. v. Cook, 191 F. Supp. 3d 1072, 1076–78 (N.D. Cal. 2016); Brand Energy & Infrastructure Servs., Inc. v. Irex Contracting Grp., No. CV 16-2499, 2017 WL 1105648, at *4 (E.D. Pa. Mar. 24, 2017).
The district court’s decision illustrates the limitations of the CFAA in cases involving an ex-employee, at least in the minority of circuits that follow the “narrow” view of the statute adopted by the court. An employee’s misuse of trade secrets from a computer that they are authorized to access does not support a CFAA claim against the employee in the Fourth or Ninth Circuits, and the Eastern District of Pennsylvania followed suit in this case. Such conduct would support a CFAA claim against the employee in the First, Fifth, Seventh, and Eleventh Circuits. Regardless of whether a claim was allowed, damages under the CFAA are limited to those caused by an interruption in service to the affected computer or, as alleged here, the costs incurred in “responding to the violation and assessing damages.” A plaintiff cannot recover damages stemming from the alleged misuse of trade secrets under the CFAA. The court’s decision also joins the growing consensus that the DTSA provides a cause of action for violations that began before enactment but continued after enactment of the statute.