The scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, remains unsettled in the 1st Circuit after two decisions issued just weeks apart adopted differing approaches to the treatment of such claims.
The CFAA prohibits the intentional access of a computer without authorization or exceeding a party’s authorization to obtain information from a protected computer. As we have previously reported here, courts are split on the interpretation of what constitutes unauthorized access or access that exceeds authorization. In some jurisdictions, courts take a narrow view, limiting “unauthorized access” to true “hacking” cases, where a party improperly gains access to documents he or she is not authorized to obtain. On the other hand, certain circuits have favored a broad interpretation that would prohibit a party from accessing documents to which he or she typically would have access, if such access were for an improper purpose (for example, an employee who misappropriates documents to which she legitimately had “technical access” for the benefit of a competitor).
At the beginning of December, Judge Denise Casper of the U.S. District Court for the District of Massachusetts granted in part a preliminary injunction in Enargy Power Co. Ltd. v. Wang, C.A. no. 13-cv-11348-DJC, based on an alleged violation of the CFAA. The plaintiff had alleged that the defendant, a former employee, had instructed his assistant to encrypt certain files on the employer’s computer server, and directed her to transmit those files to him, all in violation of the CFAA. Citing Advanced Micro Devices, Inc. v. Feldstein, et al., C.A. No. 13-40007, which we previously reported on here, Judge Casper noted that the defendant’s actions “employed an element of deception in that he acted without his employer’s consent or knowledge . . . and using his assistant as a conduit, who had every reason to trust that [the defendant] was acting within the scope of his authorization,” and accordingly those actions likely exceeded the scope of his authorization. Judge Casper’s reliance on the “means of a deception” language used in Feldstein suggests a trend in the First Circuit to limit the previously adopted broad interpretation to those cases where a defendant exceeds his authorization through some deceptive act with fraudulent intent. It remains unclear whether a garden-variety misappropriation case, in which an employee obtains documents for the purpose of competing with his or her employer but without “hacking” into the employer’s computer servers, would be viewed as sufficiently “deceptive” so as to constitute a violation of the CFAA under the Feldstein and Enargy line of cases.
Another case decided less than two weeks later took an even narrower view. In Verdrager v. Mintz, Levin, Cohn, Ferris, Glovsky & Popeo, P.C., Judge Peter Lauriat of the Massachusetts Superior Court analyzed a law firm’s CFAA counterclaim against its former associate, who had alleged sex discrimination and retaliation. The firm, Mintz Levin, alleged that the associate had conducted searches for documents related to her case on the firm’s document management system, and forwarded relevant documents to herself or her attorney. Determining that the associate clearly had access to the documents she viewed and transmitted, Judge Lauriat found that “it was not the obtaining of the documents that creates the basis for [Mintz Levin’s] claims against [the associate], but for what use she sought to obtain them.” Judge Lauriat held that the associate’s disloyalty could not form the basis of a CFAA violation, and that Mintz Levin’s failure to restrict the associate’s access to sensitive documents related to her case “further weaken[ed] [Mintz Levin’s] position” that the associate had violated the CFAA, and granted summary judgment in the associate’s favor.
In light of the unsettled landscape of CFAA actions in the First Circuit, employers must remain vigilant. For example, where employers have reason to believe an employee may be using confidential documents for an improper purpose, immediate steps should be taken to restrict the employee’s ability to access such documents. However, until Congress or the Supreme Court settles the matter for good, it remains unclear how courts in the First Circuit will treat CFAA claims against employees accused of misappropriation.