Increasingly, employers who suffer data breaches from employees are using the Computer Fraud and Abuse Act (CFAA) to trigger federal question jurisdiction and have the dispute heard in federal court. As a hybrid criminal-civil statute, the CFAA forbirds knowing and fraudulent access of computers without “authorization” or “exceeding authorized access” to further fraud and “obtain anything of value.”
The federal courts of appeal have diverged in how to interpret the two “authorization” components (lacking or exceeding authorization) of the CFAA in civil suits. The Seventh Circuit, in International Airport Centers LLC v. Citrin, interpreted the CFAA broadly as a federal misappropriation statute, where disloyal abuse of prior permission to use employer computers robs the employee of “authorization.” The narrower and more popular view is the Ninth Circuit’s interpretation in U.S. v. Nosal, where the court concluded the CFAA offense of “exceeding authorized access” does not encompass the insider employee who merely violates computer use restrictions.” This interpretation was recently adopted by the Fourth Circuit. Adherents to Nosal rely on the rule of lenity, which strictly construes criminal laws in favor of defendants.
The Eighth Circuit, which encompasses Minnesota federal courts, has not directly addressed the issue or chosen between the Citrin and Nosal views. On August 7, 2012, Minnesota District Judge Patrick Schiltz followed the Nosal approach in dismissing a CFAA claim by a small insurance agency against its former vice president of sales, who forwarded 74 confidential agency e-mails to a private e-mail account, while establishing a competing business and trying (mostly unsuccessfully) to divert the agency’s clients to himself. Clearly, the VP had authority to access the agency’s confidential information resources. The VP was never forbidden by the agency to access any confidential information.
The agency made a Citrin-like argument for broad application of the CFAA, arguing the VP’s computer access authority was implicitly conditioned on using the resource to further the agency’s business, not to “steal clients.”
Judge Schiltz ruled that the “court continues to believe that the narrower interpretation of the CFAA is more consistent with statutory text, legislative history, and the rule of lenity” and noted that “the broader interpretation would transform just about every state-law claim for misappropriation of trade secrets into a federal lawsuit . . . not to mention expose employees who violate their employers’ computer-use restrictions to criminal liability.”
In dismissing the agency’s CFAA claim, Judge Schiltz observed that if Congress “meant to so vastly expand the jurisdiction of the federal courts, Congress would have been much more explicit.”
Until the U.S. Supreme Court resolves the split in the circuits on the application of the CFAA to employee misappropriation, prudent employers should ensure that computer use policies are precisely worded and that access to information resources is narrowly controlled. We will continue to closely monitor any federal court rulings on the CFAA.