Before you include a Computer Fraud and Abuse Act (“CFAA”) claim in a trade secret case, consider carefully: was the data acquired through “unauthorized access” or was it just misused by the defendants? If it was properly accessed (but later misused), your CFAA claim, and the federal question jurisdiction that comes with it, is in jeopardy. In SunPower Corp. v. SunEdison, Inc., Judge Orrick of the Northern District of California recently dismissed the plaintiff’s CFAA claim because the plaintiff failed to allege that the data was accessed without authorization, only that it was later misused.  Because the CFAA claim provided the basis for federal jurisdiction, Judge Orrick indicated that he would dismiss the entire case and not exercise pendent jurisdiction over the remaining thirteen state claims if the CFAA claim could not be properly amended.

The plaintiff initially brought its trade secret case against its former employees in federal court by tacking on a federal question claim for violation of the CFAA based on the former employees’ download of files containing trade secrets which were allegedly taken to their new employer, defendant SunEdison. However, Judge Orrick held that “[b]ecause the CFAA is an anti-hacking statute, not a misappropriation statute, I grant the motion to dismiss because [defendants] accessed the disputed information with authorization while they were SunPower’s employees.” (emphasis added) The key for Judge Orrick was that the former employees accessed the information within the scope of their authorization (i.e., while they were employees). The fact that the former employees may have copied the data to thumb drives and later used the information in violation of Sun Power’s policies was irrelevant.

Judge Orrick followed the Ninth Circuit’s decisions in Brekka and Nosal, which interpreted the CFAA requirement that a defendant have obtained the electronic data “without authorization” or by “exceed[ing] authorized access” in order to state a claim under the CFAA. Those cases make it clear that if an employer authorizes an employee to access computer data, the employee is “authorized” to access the computer within any proscribed access limitations even if he or she violates the employer’s use limitations (e.g., by downloading files to a thumb drive). In other words, claims under the CFAA hinge not on the use of information but on whether the employee was authorized to access it in the first place.

It was important to the Court’s ruling here that the defendants were employees of SunPower at the time of the alleged network access. The Court distinguished two decisions from the Northern District of California (NetApp and Weingand) because in those cases, it was former employees who gain access to their previous employers’ networks after termination of their employment and thus after their access had been revoked. The Court similarly distinguished a Michigan district court case (American Furukawa) that found a CFAA claim was properly alleged when an employee gained access while on a leave of absence and violated a condition of his leave by accessing files. In a footnote, the Court declined to address—but expressed skepticism about—the theory raised by SunPower at oral argument that there were specific provisions of its computer use policies that would constitute “access restrictions” within the Ninth Circuit’s interpretation of the CFAA. Although the Court granted plaintiff leave to amend, the plaintiff declined to do so and is now proceeding in state court.

This case reinforces the fact that it may be difficult in the Ninth Circuit for an employer to allege a violation of CFAA in a misappropriation case against a former employee. It also highlights the importance for a plaintiff to carefully weigh the claims it asserts in a trade secret case. Because trade secret cases are frequently time-sensitive and involve the need for immediate injunctive relief, the benefit of asserting a claim under the CFAA to try to get into federal court should be balanced against the potential of losing precious time battling a motion to dismiss.