Federal courts have continued to disagree on whether the Computer Fraud & Abuse Act ("CFAA") applies to employees who misuse confidential information or trade secrets obtained from an employer's computer system that the employee was authorized to access. In Florida, and particularly in the Middle District, the large majority of district courts to consider the issue have followed the "narrow" view that an employee who has been granted access to information does not "exceed authorized access" under the CFAA by virtue of the employee's subjective intent or by subsequently violating company policies on the use of the information. Does that mean that employers in those districts cannot, or should not, assert CFAA claims under the "broader" view -- that an employee who accesses confidential information for personal purposes inconsistent with the employer's interests has "exceeded authorized access" to the information?
When the plaintiff in Creative Touch Interiors Inc. v. Spade et al., Case No. 3:15-cv-00860-MMH-JBT, added CFAA claims to its complaint and then refiled in federal court, the company and its attorney were met with a motion for sanctions under Fed. R. Civ. P. 11, § 1927, and the court's inherent power. In that motion, the defendants argues that Creative Touch's CFAA claims had "no legal basis," because those claims did not meet the "narrow" definition of "exceeding authorized access." (The defendants also claimed that Creative Touch added those claims for the improper purpose of "forum shopping.")
Creative Touch responded that at least one court in the Middle District of Florida, as well as courts in other districts, had upheld CFAA claims based on the "broad" definition of exceeding authorized access," and that its CFAA claims were therefore warranted by existing law or by a nonfrivolous argument for extending, modifying or reversing existing law. In fact, the defendants themselves noted in their motion for sanctions that there was a split of authority on the issue.
The Eleventh Circuit has not directly ruled on the issue of the scope of the CFAA; however, in United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the court held that an employee "exceeded authorized access" under the CFAA when he obtained information from his employer's (the Social Security Administration) database for a nonbusiness purpose, in violation of the SSA's policies prohibiting employees from accessing information on its databases for nonbusiness reasons. Courts applying the "narrow" view of "exceeding authorized access" have distinguished Rodriguez, where the SSA's policies limited the conditions of an employee's access to confidential information in the first instance, from cases involving the violation of policies that limit the use or disclosure of information that the employee was permitted to access.
So, back to the motion for sanctions: after the motion was filed, Creative Touch amended its complaint and dropped the CFAA claims. The defendants argued that Creative Touch acted too late, and that defendants were still entitled to the costs and fees they incurred in defending the "meritless CFAA claims." Five days later, "after conferring further with plaintiff," the defendants withdrew their motion for sanctions with no further explanation. The fact that Rule 11 provides for prevailing party attorney's fees may have been a consideration.
It appears that the defendants in the matter would have had an uphill battle in obtaining an award of sanctions against Creative Touch, but it also seems unlikely that those claims, as pled, would have succeeded, at least in the Middle District of Florida. In anticipation of one day having to litigate the authorization issue under the CFAA, it's a good idea for employers everywhere to consider addressing whether their policies on electronic information address the scope of an employee's "authorized access" to exclude use, deletion, or disclosure for nonbusiness purposes, and then properly communicate those policies to their employees.