This past Thursday, July 26th, the US Court of Appeals for the Fourth Circuit issued an opinion addressing liability under the federal Computer Fraud and Abuse Act (CFAA) for departing employees who access and copy computer files with the intent to take those files to a new employer. The CFAA, which imposes civil and criminal liability on those who access computers used in interstate commerce without authorization, has become a favorite cause of action for employers hoping to use federal law to protect their trade secrets.
WEC Carolina Energy Solutions, LLC v. Miller arose when Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. Twenty days later, according to WEC, he made a presentation to a potential customer on behalf of WEC's competitor, Arc Energy Services, Inc. The customer ultimately chose to do business with Arc. WEC contended that before resigning, Miller, acting at Arc's direction, downloaded WEC's proprietary information and used it in making the presentation. WEC filed suit under the CFAA, but the Fourth Circuit determined the CFAA did not apply.
Writing the opinion in the case, Judge Henry F. Floyd acknowledged that “[o]ur conclusion here will likely disappoint employers hoping for a means to rein in rogue employees.” The court, following the Ninth Circuit’s recent decision in United States v. Nosalconcluded that the CFAA provides no right of action against those soon to depart employees who access computer information that they previously had authority to access and then turn around and disclose that same information to competitors. Rather, the purpose of the CFAA is primarily to address outsider hacking activities; not to police violations of an employer’s computer usage policies.
Noting that the CFAA fails to provide any remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded, the court followed “the canon of strict construction of criminal statutes” and refused to expand the scope of the statute to an interpretation beyond the plain language used by Congress.
The court dismissed the argument that the rogue employees “exceeded their authority” when obtaining information for an improper purpose. That argument failed in large part because, similar to the Ninth Circuit’s analysis in Nosal, the court ruled that the CFAA is concerned with the “unauthorized access of protected computers.” The court determined that under the plain language of the CFAA, an employee accesses a computer “without authorization” when he gains admission to a computer without approval. Additionally, the court determined that an employee “exceeds authorized access” under the CFAA when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. Under either analysis, the departing employees in both WEC Carolina and Nosal accessed information that they previously had authority to access. Both courts determined that the definitions under the CFAA did not extend to the improper use of information validly accessed.
The decisions by the Ninth and Fourth Circuits – and their refusal to expand the CFAA to address the improper use of information validly accessed – contrasts directly with the decisions from the Fifth, Seventh, and Eleventh Circuits. Those cases, beginning with the Seventh Circuit’s International Airports decision in 2006, permit employers to pursue CFAA claims against employees who violate computer use policies or otherwise violate duties of loyalty to their employers in accessing computer data for the purpose of injuring their employer or violating computer usage policies. As the court in Nosal noted:
“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.”
Assuming Congress does not first address the “authorized access” issue under the CFAA, the stage may now be set for the US Supreme Court to resolve the dispute between circuits. In fact, on July 9, 2012, the Solicitor General, hoping to appeal the Nosal decision, obtained a thirty-day extension of the deadline to file a petition for a writ of certiorari with the US Supreme Court.
In the meantime, employers in the Ninth and Fourth Circuits looking to rein in their rogue employees should consider state-law causes of action including conversion, tortious interference with contractual relations, civil conspiracy, and misappropriation of trade secrets. Additionally, employers should revisit their computer use policies and ensure that those policies and contractual agreements contain clearly delineated, conspicuous restrictions regarding use of information systems for unauthorized purposes. Those purposes should be articulated as specifically as possible, and, to the extent possible, clearly define terms like “unauthorized use” or “competitive purposes.”