Unauthorized access to electronic information can give rise to liability under The Computer Fraud and Abuse Act (the “CFAA”). In addition to state law causes of action that may be asserted, such as trade secret misappropriation, the CFAA provides a private right of action against unauthorized users who access a computer “without authorization” or who “exceed authorized access.” The CFAA is often the federal question that creates a basis for federal court jurisdiction over a trade secret misappropriation action that would otherwise proceed in state court. However, in a recent decision, Judge Beth Labson Freeman of the Northern District of California rejected an expansive reading of the CFAA to include misappropriation or agency-theory liability; rather, to be liable under the CFAA, an individual must directly access information without authorization.
The plaintiffs in that action sought to hold a former employee, a competitor, and two of its directors liable under nine state law claims, as well as the CFAA, for the actions of a former employee who allegedly downloaded and stole the corporations’ confidential trade secrets. Specifically, Plaintiffs alleged that one of the defendants, while employed, downloaded plaintiffs’ trade secrets and confidential business information onto a portable storage device, then resigned and began working for the defendant competitor. Six months after the plaintiffs’ former employee began at the competing defendant, it miraculously announced two new products very similar to that of the plaintiffs. As against the former employee defendant, plaintiffs alleged that he directly accessed the data, but as to the director defendants, the allegations essentially were that the former employee acted as an agent and a conduit through which the other agents gained unauthorized access to plaintiffs’ data.
The Court dismissed the CFAA claim with prejudice. First, as conceded by plaintiffs themselves, it held the former employee defendant downloaded the files while still working for plaintiffs and was therefore authorized to access the information he allegedly stole from plaintiffs, preventing a CFAA violation. Second, the Court rejected plaintiffs’ agency or “indirect access theory of CFAA liability” as to the other defendants—i.e., that the competitor defendant, its affiliate companies and its directors violated the CFAA by indirectly accessing the plaintiffs’ network “through their agent”, plaintiffs’ former employee. None of the other defendants accessed plaintiffs’ information. And, even if the former employee defendant misappropriated the information, and gave it to the other defendants, there could be no CFAA claim because “they themselves did not hack” plaintiffs’ system.
The takeway from this decision is that, at least in the Ninth Circuit, a CFAA claim will succeed only if the facts involve direct and unauthorized procurement of or access to information, not its misuse or misappropriation; otherwise, the plaintiff will most likely be limited to state law claims, such as trade secret misappropriation, in state court.