In a decision last week, Judge Ewing Werlein Jr. of the U.S. District Court for the Southern District of Texas addressed the question of whether an employer had successfully alleged a claim under the Computer Fraud and Abuse Act (“CFAA”), such that the employer could properly bring its numerous claims against former employees and their companies in federal court. He ruled that the employer had properly pleaded the CFAA claim, and that as a result, the court had subject matter jurisdiction over the case. Beta Technology, Inc. v. Meyers, Civ. No. H-13-1282, 2013 WL 5602930 (S.D. Tex. Oct. 10, 2013).
Before we get into the substance of the decision, some background is in order. Subject matter jurisdiction is an important issue for federal judges. If there’s no basis for subject matter jurisdiction, a case doesn’t belong in federal court. First-year civil procedure students learn this rule from the venerable decision in Capron v. Van Noorden, in which the Supreme Court allowed a plaintiff to obtain reversal of a final judgment because he hadn’t properly alleged that the court below had subject matter jurisdiction over his claim.
The two main categories for federal jurisdiction in non-criminal cases are diversity jurisdiction and federal question jurisdiction. Diversity jurisdiction, as defined in 28 U.S.C. § 1332, permits the federal courts to hear disputes between citizens of different states – i.e., “diverse” citizens – so long as more than $75,000 is at stake. Federal question jurisdiction, which is defined in 28 U.S.C. § 1331, allows the federal courts to address “all civil actions arising under the Constitution, laws, or treaties of the United States.” And under 28 U.S.C. § 1367, once the court has jurisdiction to hear one claim, it can hear any other claims that form “part of the same case or controversy,” even when those claims drag additional parties into the mix.
In the case before Judge Werlein, Beta Technology, the plaintiff, sued two of its former employees, Leigh Meyers and Sonja Garcia, and Meyers’s new companies (referred to in Judge Werlein’s opinion as “Encore”). Beta alleged that Meyers, Garcia, and Encore stole its customers using its confidential and proprietary information, breaching an employment agreement and fiduciary duties to Beta. Beta also alleged that Meyers violated CFAA, which allows for civil liability against anyone who “intentionally accesses a protected computer without authorization” and causes more than $5,000 of loss in a one-year period. 18 U.S.C. 1030(a)(5). There was no diversity of citizenship between the parties, so the ground for jurisdiction had to be federal question jurisdiction. The CFAA claim was the only one that arguably arose under the “laws . . . of the United States.”
And that was the claim that the defendants attacked. They moved to dismiss for lack of subject matter jurisdiction, arguing that Beta had failed to properly state a CFAA claim. Once the CFAA claim was eliminated, they argued, there would no longer be federal subject matter jurisdiction and the case would have to be dismissed. They challenged the CFAA claim on the basis that Beta had given Meyers the computer, so his access to the information on it could not have been “unauthorized.” For the contrary proposition, Judge Werlein cited the Fifth Circuit’s holding in United States v. John, 597 F.3d 263, 272 (5th Cir. 2010). In that case, the court held that under CFAA a person may exceed authorized access to a computer – and to data from that computer – “if the purposes for which access has been given are exceeded.” According to Judge Werlein, Beta’s Computer Use Policy, which Meyers had helped write, prohibited him from copying Beta’s confidential information for his personal business use or to delete stored information from the computer. Therefore, Meyers’s use of his company-issued computer could have exceeded his authorized access, giving rise to potential CFAA liability.
The Fifth Circuit’s view of CFAA as permitting liability when an employee’s use exceeds an authorized purpose is expansive, and has not been adopted by other circuit courts (at least in the criminal context). See, e.g., United States v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012) (holding that CFAA did not allow criminal liability against individuals that have authority to access a computer but later misuse the information). Given the disagreement in the circuit courts, it won’t be surprising if this issue ends up before the Supreme Court at some point. But for now, the defendants in the Beta Technology case are stuck in federal court, where they apparently don’t want to be.