While Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor. After Experian laid him off, he operated Thorium. Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act. Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.
Status of the case. Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).
Background. Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data. At the time he was laid off, Lehman was Experian’s executive vice president. He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files. As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements. He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that the company had provided to him. He was also accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.
Broad and narrow interpretations of the CFAA. Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers. Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized. Two federal appellate courts disagree.
The Sixth Circuit Court of Appeals. The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases. However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.
The ruling in Experian. Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying. Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data. Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated. Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.
One of Experian’s CFAA claims was not dismissed. The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.
Takeaways. A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits. Four other Courts of Appeal — the First, Fifth, Seventh and Eleventh — disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer. Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue. Eventually, either Congress must amend the statute to resolve these inconsistencies or the U.S. Supreme Court may be asked to do so. In the meantime, litigants and their counsel can only guess how those circuit courts that have yet to decide, and the district courts in those circuits, will rule.