On July 26, 2012, the Fourth Circuit Court of Appeals decided WEC Carolina Energy Solutions LLC v. Miller, holding that departing employees are not liable under the Computer Fraud and Abuse Act (“CFAA”) for mere violations of a company computer use policy. The Fourth Circuit's decision solidifies the circuit split on whether employees who violate computer use policies and/or engage in disloyal conduct by stealing company data can be liable under the CFAA.
Mike Miller was an employee of WEC Carolina Energy Solutions (“WEC”). During his employment, Miller was provided with a computer and cell phone from which he could access the company’s intranet which housed confidential, proprietary, and trade secret information. Prior to resigning in 2010, Miller allegedly downloaded a number of confidential documents, which he then proceeded to email to himself. Miller began to work for a competitor, Arc Energy Services (“Arc”) and allegedly used WEC’s confidential information in a sales presentation for them. WEC’s computer use policies, which Miller had agreed to comply with as part of his employment, prohibited employees from downloading confidential and proprietary information to a personal computer. Based on his actions, WEC sued Miller, alleging that he had violated the CFAA.
The U.S. District Court for the District of South Carolina held that the violation of company usage policies regarding the downloading and use of confidential and proprietary information did not on its own violate the CFAA. WEC appealed to the Fourth Circuit, which affirmed the District Court’s holding. According to the Fourth Circuit, the CFAA prohibits unauthorized acts of altering and obtaining information from a protected computer. In this case, however, Miller had permission to access the information at the time he downloaded it. As a result, his later use of the information was not in violation of the CFAA.
In holding that Miller’s actions did not violate the CFAA, the Fourth Circuit partially agreed with the Ninth Circuit’s Nosal ruling, which has been previously covered by this blog. The Fourth Circuit criticized the previously vacated three-judge panel opinion in Nosal, stating that even under that interpretation, an employee could not be found liable for permissibly accessing information and using that information in an impermissible manner. The Fourth Circuit also declined to follow the Seventh Circuit, which had previously held in International Airport Centers LLC v. Citrin that employees who access company computers in violation of their fiduciary duties to the company violate the CFAA.
In its holding, the Fourth Circuit utilized a strict construction approach. Judge Floyd found that the CFAA was “primarily a criminal statute designed to combat hacking,” and as such, civil liability should be limited. The court defined the phrase “exceeds authorization” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled to obtain or alter.” Similarly, “without authorization” is “when an individual gains admission to a computer without approval,” while “exceeds authorized access” meant the individual has approval to access a computer but his access. . . falls outside the bounds of his approved access.” In this case, the court found neither definition applied to Miller’s conduct, since all he had done was to improperly use information that was validly accessed during his employment.
John Marsh has astutely pointed out on his blog that there may still be some life left in the CFAA for employers. The Fourth Circuit concluded that an employee "exceeds authorized access" when he has approval to access a computer but uses that access to obtain or alter information outside the bounds of his approved access. Applying these definitions, the Fourth Circuit found that neither forbade Miller's "use" of information that was validly accessed in the first place. Marsh questions whether the result may have been different if the policy had forbid accessing information for purposes other than furthering WEC Carolina's business.
The Fourth Circuit’s decision, along with the recent Ninth Circuit decision in Nosal, substantially limits the use of the CFAA against departing employees. It will be interesting to see if Supreme Court review is sought. We will continue to keep you apprised of future developments in the rapidly changing CFAA landscape.