I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor. The debate centers on when an employee “exceeds authorized access” under the text of the CFAA. In states that are part of the First Circuit Court of Appeals (which includes Massachusetts), an employer can use the CFAA in a lawsuit against an employee in such a situation. But in the Ninth Circuit, which includes California, an employer can sue only if the employee did not have access to the information as part of his job, meaning, in most cases, that the employee “hacked” into an area of the employer’s computer system that he was not permitted to access.
Yet in a recent article (subscription required), Alan W. Nicgorski argues that there is another trend among the circuits that is even more favorable to employers than the First Circuit’s interpretation. Nicgorski contends that the Seventh Circuit, which is based in Chicago, allows claims under the CFAA whenever an employee “embarks on a course of conduct adverse to his employer’s interest,” such as when an employee takes company information from a computer for the purpose of giving it to a competitor, even if there is no written agreement that the employee violated. See Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Seventh Circuit’s reasoning is that an employee violates his duty of loyalty to the employer when he acts adverse to his employer’s interests, which automatically terminates the employee’s right to access the employer’s computers and information. As a result, the employee acts “without authorization,” another way a defendant can be liable under the statute. After all, the right to access the information was based on the employee being an “agent” of the employer, but a breach of the duty of loyalty terminates that relationship. In effect, this interpretation using the “without authorization” language eliminates an employer’s need for the “exceeds authorized access” language altogether, at least when dealing with an employee who takes information to a competitor, because any authorization given to an employee terminates once the employee acts for a competitor. An employee can’t exceed his authorized access when he has no authorization at all.
So would the First Circuit interpret “without authorization” in the same way as the Seventh Circuit? One judge of the U.S. District Court of Massachusetts thinks so. See Guest-Tek Interactive Entm’t Inc. v. Pullen, 665 F. Supp. 2d 42 (D. Mass. 2009). In Guest-Tek, Judge Nathaniel Gorton denied a motion to dismiss a CFAA claim where the plaintiff alleged that the defendant breached his duty of loyalty to the plaintiff employer by copying files and secretly planning a competitive venture. In short, Judge Gorton ruled that the First Circuit “has favored a broader reading of the CFAA” (see above) and cited Citrin. This decision by no means guarantees that the First Circuit would follow Citrin should the issue be presented to that court, but it does show that the circuits may continue to diverge in three directions. The Seventh Circuit’s decision in Citrin, I think, has been lumped together with the decisions of other circuits that allow CFAA claims based on computer use restrictions because the Seventh Circuit’s interpretation also would allow such a claim. (If anything, an employee who violates a computer use restriction likely breaches his duty of loyalty.) Because most employers have policies upon which CFAA claims can be based, many commentators (including yours truly) have tried to simplify the circuit split by drawing a line between those courts that allow CFAA claims based on computer use restrictions, and those that don’t. But the Seventh Circuit is indeed an outlier, and Nicgorski shows that, at least in that court, an employer need not have a policy to have a claim.