Finds Employer Did Not Restrict Access To Confidential Data
A federal appellate court has held that a former employee of a residential treatment facility did not violate the Computer Fraud and Abuse Act (CFAA) when he emailed files to his personal account, downloaded the files and used them in his own business. According to the Ninth Circuit Court of Appeals, the employer did not have a confidentiality rule with respect to email. LVRC Holdings, LLC v. Brekka, No. 07-17116, Ninth Circuit Court of Appeals (September 15, 2009).
LVRC operates Fountain Ridge, a residential treatment center for addicted persons in Nevada. In April 2003, Christopher Brekka was hired by LVRC to oversee the company's Internet marketing programs. His duties also required that he interact with LOAD, Inc., a vendor retained by LVRC to provide email, website and related services to its facility.
At the time Brekka was hired, he owned and operated two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities. Stuart Smith, the owner of LVRC, was aware of Brekka's outside businesses.
During the course of his employment, Brekka emailed documents he obtained or created in connection with his work for LVRC to his personal computer. LVRC did not have a policy that prohibited employees from emailing company documents to their personal computers.
In June 2003, Brekka sent an email to LOAD's administrator, Nick Jones, requesting an administrative log-in for LVRC's website. Jones sent an email with an administrative user name and password to Brekka's work email, which Brekka downloaded to his work computer. Brekka later obtained confidential information (including usage statistics) from LVRC's website, which he allegedly used to manage the company's Internet marketing efforts.
In late August, Brekka emailed several LVRC documents to his personal email account and his wife's personal email account. These documents included a financial statement for the company, LVRC's marketing budget, admission reports for patients at Fountain Ridge, and notes Brekka prepared from a meeting with another Nevada mental health provider. On September 4, Brekka emailed a master admission report to his personal email account. A few weeks later, Brekka resigned from LVRC.
On November 19, 2004, while performing routine monitoring of the LOAD website, Jones noticed that someone was logged into the LVRC website with the user name that he had provided to Brekka. Shortly thereafter, LVRC filed a report with the FBI alleging that Brekka had unlawfully logged into LVRC's website. The company also filed a lawsuit alleging that Brekka violated the CFAA when he emailed documents to his personal email account in September 2003 and when he continued to access the LOAD website after his employment ended. The trial judge ruled in favor of Brekka and LVRC appealed this decision to the Ninth Circuit.
The CFAA, which was enacted in 1984 and originally designed to prosecute hackers, prohibits individuals from accessing computers "without authorization" or in excess of their authorization. The CFAA does not define "authorization," but the dictionary defines the term as "permission or power granted by an authority." Based on this definition, the Ninth Circuit noted, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it.
LVRC argued that because Brekka accessed the company computer and obtained LVRC's confidential information to further his own personal interest, such access was "without authorization." The Ninth Circuit disagreed, finding that "[b]ecause LVRC permitted Brekka to use the company computer, the `ordinary, contemporary, common meaning' of the statute suggests that Brekka did not act `without authorization'." According to the court, Brekka had permission to access the computer to fulfill his job duties and he was still employed by LVRC when he emailed the documents to himself and to his wife.
The Ninth Circuit next turned to whether Brekka exceeded his authorized access to LVRC's computer. The court noted that the term "exceeds authorized access" implies that an employee can violate employer-placed limits on accessing certain information stored on the computer even with authorization to access the computer. "If the employer has not rescinded the [employee's] right to use the computer," the court continued, "the [employee] would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA." Because LVRC did not take action to limit Brekka's use of confidential data on a company-owned computer, the court held, he did not exceed his authority to access such information.
The Ninth Circuit also rejected LVRC's claim that Brekka violated the CFAA by logging into the LOAD website after his employment ended. LVRC claimed that no employee except Brekka had knowledge of that specific log-in information. Brekka countered that he left the email containing the administrative user name and password on his company-issued computer when he left LVRC and that at least two other employees used the computer and others had access to it after his departure. Given the lack of evidence upon which a reasonable jury could find that Brekka violated the CFAA after he left the company, the court dismissed this claim as well.
According to Mary Wright, a shareholder in Ogletree Deakins' San Francisco office: "This case reminds all employers to carefully review their electronic communications policy as well as any agreements or policies governing non-disclosure, confidentiality and inventions. These policies should describe exactly what conduct is `authorized' and what conduct `exceeds authorization.' By taking these steps on the front end, the employer will be in the position to prevail on a suit against an employee for violation of the CFAA, as well as for common law claims for breach of contract and conversion."