By Robert Milligan and Jeffrey Oh
In its order denying defendants’ motion to dismiss in SBM Site Services, LLC v. Garrett, et al., Case No. 10-cv-00385, a Colorado federal court identified a circuit split over the interpretation of “unauthorized access” under the Computer Fraud and Abuse Act and then found a former employer had stated a CFAA claim against a former executive and his new employer regardless of the different circuit interpretations based upon his post-termination computer activities. The case is significant because it provides employers with authority that the CFAA should apply in cases where an employee steals or destroys company data on a company computer after his or her termination.
In its ruling, the court laid out the pertinent allegations which it accepted as true for purpose of ruling on defendants’ motion. According to the complaint, defendant John Garrett, formerly the Senior Vice President/Chief Business Development Officer at SBM, a janitorial, recycling, and moving services company, worked remotely from home using two desktop computers and two laptop computers provided to him by SBM. He used these SBM-provided devices to remotely access SBM’s computer system. Prior to his move to Able, a direct competitor of SBM, Garrett allegedly had his administrative assistant download numerous SBM files from its network, had them burned to a cd, and then had them sent to him.
According to the amended complaint, on January 4, 2010 Garrett informally notified SBM that he was resigning effective January 22, 2010. SBM then informed Garrett that he would need to return all SBM property, including computers, records and other confidential information, before his departure. After failing to return the company computers at an initial meeting on January 26, 2010, SBM scheduled another meeting for January 29, 2010 to collect the items. Garrett allegedly canceled this second meeting and did not return the last of his company computers until February 16, 2010, over two weeks after starting his new job at Able. Garrett began his employment with Able on January 28, 2010 and SBM alleges that Garrett loaded SBM’s confidential information onto a laptop provided to him by Able. Upon examination of the returned laptop, SBM allegedly found that the hard drive had been encrypted to prevent access in addition to being “intentionally erased.” SBM asserted several claims against Garrett and Able, including violation of the CFAA.
CFAA and Circuit Split
As with most cases where the CFAA is invoked, the question of what constitutes unauthorized access is central to the arguments made by both sides. Section 1030(a)(5)(C) of the CFAA makes it unlawful to “intentionally access a protected computer without authorization and as a result of such conduct, cause damage and loss.” Garrett argued that because he was authorized to access the laptop while he was employed by SBM, he cannot have accessed the laptop without authorization.
The court acknowledged that the Tenth Circuit has yet to address what constitutes “unauthorized access” for purposes of the CFAA. The court analyzed differing interpretations of the provision made by the Seventh and Ninth Circuits.
In its interpretation of what constitutes “unauthorized access,” the Seventh Circuit applied agency principles in International Airport Centers, LLC v. Citrin to determine that an employee’s access was unauthorized from the moment he decided to quit and had undertaken actions in violation of his duty of loyalty to his employer. According to the decision, access is only authorized within the agency relationship between employer and employee. This agency relationship relies on loyalty as well as transparency, and violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship. Under the Seventh Circuit’s approach, whether access to a computer was “unauthorized” depends upon the status of the agency relationship between the employer and employee.
The Colorado federal court noted that the Ninth Circuit has taken a more restrictive view of what constitutes “unauthorized access” for purposes of the CFAA. In LVRC Holdings LLC v. Brekka, the Ninth Circuit determined that “authorization” depends on actions taken by the employer and “[i]f the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” In other words, unless an employer rescinds an employee’s right to use or access a computer, the employee arguably has authorized access to all systems and files within the scope of their position. Thus, the onus is on the employer to end an employee’s right to access by explicitly informing them of such. It is notable that the Colorado federal court’s decision does not address the exceeds authorized access section of the CFAA, which provides an alternative theory of liability under the CFAA. An en banc panel of the Ninth Circuit is presently considering that section in U.S. v. Nosal and will issue a decision soon.
Continue Reading Colorado Federal Court Rules That Former Employer Stated A Claim Against Former Executive and His New Employer Under The Computer Fraud Abuse and Act Regardless Of Differing Circuit Interpretations Of The Act