Although the Computer Fraud and Abuse Act (CFAA) is primarily a criminal statute designed to combat hacking, it allows an employer to bring a civil action against an employee who accesses the employer’s computers “without authorization” or in a manner that “exceeds authorized access.” Employers often bring claims under the CFAA in the “disloyal employee scenario” when an employee (typically, an employee who has accepted employment with a competitor) downloads or emails to himself confidential information for the benefit of a competitor.
In WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit Court of Appeals confronted such a situation. According to the complaint, shortly before the former employee resigned from his position as project director for WEC, he downloaded to his personal computer and emailed to himself WEC’s “proprietary information.” The former employee then used WEC’s information to make a presentation to a potential WEC customer on behalf of WEC’s competitor. Although WEC had authorized the former employee’s access to the company’s intranet and computer servers, WEC’s policies prohibited using that information without authorization or downloading it to a personal computer. After the customer awarded two projects to the competitor (allegedly as a result of the former employee’s actions), WEC sued the former employee under the CFAA, claiming that he violated the Act because, under WEC’s policies, he was not permitted to download WEC’s proprietary information to a personal computer. By doing so, WEC argued, the former employee breached his fiduciary duties to WEC and through that breach he either (1) lost all authorization to access the confidential information; or (2) exceeded his authorization.
The district court dismissed the CFAA claim, reasoning that WEC’s policies regulated use of information, not access to that information. Thus, even if the former employee’s purpose in accessing the information was contrary to WEC’s policies regulating use, it would not establish a violation of WEC’s policies relevant to access and, consequently, would not support liability under the CFAA.
The Fourth Circuit affirmed. The court noted that there is a line of cases following International Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and embracing a cessation-of-agency theory. Under that school of thought, an employee is deemed to act “without authorization” or in a manner that “exceeds authorized access” whenever he uses the employer’s computer to misappropriate the employer’s confidential information or facilitate another breach of the duty of loyalty. Breach of the duty of loyalty, under this analysis, immediately terminates the agency relationship and with it any authority to access the employer’s computers.
The Fourth Circuit, however, rejected the cessation-of-agency theory, reasoning that the plain meaning of the terms “without authorization” or “exceeds authorized access” does not encompass a scenario where the employer allows the employee access to data, and the employee then uses that information improperly. Instead, held the Fourth Circuit, the terms “without authorization” or “exceeds authorized access” apply “only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” Unlike some other opinions that have interpreted the CFAA narrowly, WEC Carolina Energy Solutions makes clear that a disloyal employee’s violation of a computer use policy, no matter how outrageous, will not support a CFAA claim if the employee has authorization to access the data at the time he retrieves or downloads it.
The lesson for employers is twofold. First, an employer who wishes to retain the ability to bring a CFAA claim in the disloyal employee context must deny access to its trade secrets in the first place, or withdraw that authorization before the employee accesses the data. Even under the restrictive analysis of WEC Carolina Energy Solutions, an employee who uses a computer to steal the employer’s off-limits data may still be prosecuted under the CFAA. Second, in the more typical disloyal employee situation, where the employee downloads information to which he was permitted access and then misuses that data to benefit a competitor, the employer will not have recourse to a CFAA claim and should focus on state-law claims. The latter lesson applies, for now, only in the Fourth and Ninth Circuits, but WEC Carolina Energy Solutions is likely part of a trend that other courts will follow.