The ease with which employees can now surreptitiously obtain and misuse data on their employers' computer networks makes the Computer Fraud and Abuse Act ("CFAA") an important weapon in the arsenal of an employer seeking civil remedies for such misuse. The CFAA, a federal anti-hacking statute, imposes civil and criminal liability for intentional and unauthorized access of protected computer systems with the intent to defraud, cause damage or obtain anything of value.
One key to stating a cognizable claim against a former employee under the CFAA is showing that the former employee accessed a computer "without authorization" or "exceeded authorized access." Some recent cases make it clear that the access determination hinges on the actions taken by the employer in authorizing access, not on the former employee's improper purpose in accessing the data or the former employee's intended future use of the data adverse to the employer's interests. This suggests that employers can bolster their chances of maintaining viable CFAA claims by issuing specific policies defining and limiting employee access to computer systems and data.
However, a split of authority between the federal circuits complicates this issue, making it important to understand the differing views of the various courts that have ruled on it.
The Seventh Circuit's Agency-Based Approach to Authorization in Citrin
In International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), the Seventh Circuit held that an employee's breach of the duty of loyalty by acting in a manner adverse to his employer's interests can make his or her computer access "unauthorized" under the CFAA.
The First, Third and Fifth Circuits have issued CFAA rulings similar to the Citrin approach. In EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001), the First Circuit held that an employee who breached a confidentiality agreement could have "exceeded" his authorized access to the company's computer network. In P.C. Yonkers Inc. v. Celebrations The Party and Seasonal Superstore LLC, 428 F.3d 504 (3d Cir. 2005), the Third Circuit noted that the CFAA extends to actions against "former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer's computer system." And in United States v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit ruled that "an employer may 'authorize' employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer's business."
Split of Authority -- Other Courts Reject the Citrin Approach
Courts in other circuits see the matter differently. In LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), an employee emailed financial and operating documents of the plaintiff to his personal email account. After the employee ceased working for the plaintiff, the plaintiff brought a civil CFAA claim against him. The district court granted summary judgment against the CFAA claim, finding that the employee's accessing and emailing employer computer documents to his personal email account was "authorized" because, among other things, there was no evidence that the employee "had agreed to keep the emailed documents confidential or to return or destroy those documents upon the conclusion of his employment."
The Ninth Circuit affirmed, rejecting the Citrin court's agency-based approach "that an employee can lose authorization to use a company computer when the employee resolves to act contrary to the employer's interest." Instead, the Ninth Circuit held that the employee's emailing of the employer's documents to his personal email account was not "unauthorized" because he "was given permission to use [the] computer and . . . accessed documents or information to which he was entitled by virtue of his employment." It also held that under the CFAA an employee uses a computer "without authorization" when "the employer has rescinded permission to access the computer and the defendant uses the computer anyway." The Ninth Circuit observed that it was compelled to reach this result because if the employer has not rescinded the defendant's right to use the computer, the employee would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to the employer would also constitute a criminal (and civil) violation of the CFAA.
In United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), using a similar employer-based approach, the Eleventh Circuit held that an employee who violated employer policy restrictions on data access violated the CFAA and upheld his criminal conviction. The employee worked for the Social Security Administration and exceeded his authorized access when he looked up personal acquaintances in SSA databases.
In addition, at least two district courts in the Fourth Circuit have decided that, contrary to Citrin, CFAA liability hinges on actions taken by the employer in authorizing access rather than on the employee's purpose in accessing the information. Both opinions also touched on the effect of employer policies. In WEC Carolina Energy Solutions LLC v. Miller, 2011 WL 379458 (D.S.C. 2011), the court rejected Citrin and dismissed the plaintiff's CFAA claim despite the employer's contention that the defendant employees violated company policies against downloading confidential and proprietary information to a personal computer or using any confidential information without the employer's authorization. As the court noted, "[t]he company policies at issue in this case do not restrict an employee's ability to access data. Instead, they restrict how a WEC employee may use confidential information after accessing it." The court in Sloan Financial Group, LLC v. Coe, 2010 WL 4668341 (D.S.C. 2010) reached a similar result, noting that the employer's policy prohibiting employees from removing client information from the office did not "preclude or limit access to the client information by employees."
The Takeaway -- Employers Should Design Policies That Clearly Delineate Authorization to Access Computer Systems and Data
The opinions in Brekka and in similar cases, while complicating matters by rejecting the Citrin approach, do point employers in the direction of a workable solution. They suggest that employers can restrict employee access to corporate computer data and thereby support a CFAA claim by implementing policies that specifically restrict data access. They also suggest that those policies should be clearly communicated to employees to put them on notice of their potential CFAA liability for policy violations.