On June 19, 2012, a district court for the Northern District of California distinguished the Ninth Circuit’s recent U.S. v. Nosal decision and allowed an employer to bring a claim under the Computer Fraud and Abuse Act (“CFAA”) against a former employee for alleged violations of a verbal computer access restriction. (Weingand v. Harland Financial Solutions, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012). The decision alleviates some of restraints imposed by Nosal on employers who want to bring CFAA claims against departing employees that steal valuable company data.
Plaintiff Michael Weingand worked as a Senior Field Engineer at Defendant Harland Financial Solutions. On November 4, 2010, Harland notified Weingand that it was terminating his employment. The next day, after learning of the termination of his employment, Weingand allegedly emailed Harland’s H.R. Manager, requesting permission to copy his “personal files” on his Harland laptop to a USB flash drive. Harland agreed and let him access his Harland laptop at Harland’s offices on November 6, 2010 at approximately 1:00 p.m.
Weingand later brought action against his former employer Harland for wrongful termination and employment retaliation.
During discovery, Harland learned through computer forensic analysis that Weingand allegedly accessed and copied over 2,700 business files belonging to Harland, its clients, and third-party software vendors; some files containing confidential, proprietary, and copyrighted information. Harland also discovered that Weingand’s alleged unauthorized access of these files allegedly occurred on November 6, 2010 between 1:11 p.m. and 1:41 p.m.–the same date and time Harland gave Weingand permission to copy his personal files from his old work computer.
In light of these alleged facts, Harland moved to amend its answer to add counterclaims against Weingand for, inter alia, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.
Weingand opposed Harland’s motion on grounds that, inter alia, Harland’s CFAA counterclaim would be futile and subject to a motion to dismiss. In particular, Weingand contended that Harland handed the computer to Harland without restriction. Moreover, Weingand contended that Harland’s proposed CFAA counterclaim contained no allegations as to what directions, limitations, or restricted authorization were stated to Weingand when we was handed the computer. Further, Weingand argued that Harland’s “verbal authorization” regarding access to only personal files was irrelevant because the only authorization which the statute speaks is “code” authorization (i.e. whether someone is literally blocked from certain files by some security measure such as a password).
The Court granted rejected Weingand’s arguments, granted Harland’s motion, and allowed Harland to amend its answer to add the CFAA counterclaim. The Court reasoned that “[Weingand] received permission to access Harland’s computer system based on his representations that he wanted to get his ‘personal files’ after his termination, but he had no authority with respect to the additional files he accessed.” “Thus, the counterclaim creates at least a reasonable inference that his authorization extended only to accessing and copying said ‘personal files’ and that he exceeded that authorization.” Weingand, 2012 U.S. Dist. LEXIS 84844, *6.
This post-Nosal decision has several significant takeaways:
(1) Computer access restrictions/policies may remain viable for CFAA claims in the Ninth Circuit post-Nosal
One of the important holdings from Nosal was that violations of an employer’s computer use policy do not constitute violations under the CFAA. Weingard recognized, however, that Nosal precluded applying the CFAA to violating restrictions on use, but not rules regarding access. In fact, Weingard allowed a claim under the CFAA based on the employer’s mere verbal restriction on access (i.e. that the employee could only access personal files). This holding remains consistent with the Ninth Circuit’s prior decision in LVRC Holdings LLC v. Brekka: “The plain language of the statute therefore indicate that authorization depends on actions taken by the employer.” Thus under Weingand, an employer’s computer access policies may remain viable post-Nosal to bring CFAA claims against employees that violate those policies and steal company data.
(2) Physical access to a computer does not equal “authorization”
The mere fact that an employee is granted physical access to a computer does not necessarily mean the employee is immune to CFAA claims. The Court rejected Weingand’s argument that he had “authorization” simply because he had physical access to the computer. The Court noted that while the Nosal opinion uses the phrase “physical access,” “[Nosal] was concerned only with the distinction between access and use, not any distinction between different types of authorization pertaining to access.” The Court went on: “Indeed, Nosal … suggests that one need not engage in such rigorous technological measures to block someone from accessing files in order to limit their “authorization.” Thus, an employer can communicate its computer access restrictions to employees and remain protected under the CFAA, without having to physically block certain files every time that employee’s authorizations change.
This also remains consistent with Brekka, where the Ninth Circuit stated that if a former employee accesses information without permission, even if his prior log-in information is still operative as a technical mutter, such access would violate the CFAA.
While Nosal substantially limits employers’ use of the CFAA against departing employees that steal company data, it may not be as broad of a limitation as anticipated.
Weingand has since moved to dismiss Harland’s CFAA counterclaim pursuant to FRCP Rule 12(b)(6). The hearing is set for August 31, 2012. We will follow the decision to see if the Court provides any further discussions regarding Nosal, the CFAA, and employers’ use of the CFAA to prohibit data theft by employees.