In LVRC Holdings LLC v. Brekka, the Ninth Circuit ruled that an employee did not violate the Computer Fraud and Abuse Act (CFAA) by emailing numerous company files to his personal email account prior to his termination. Christopher Brekka was hired to oversee various aspects of LVRC, including maintenance of the company's internet services. In the course of his duties, Brekka was authorized to use LVRC computers and had administrative rights to the company website. During negotiations regarding his purchase of an interest in LVRC, Brekka emailed various LVRC documents – including financial information – to himself at his personal email address. The parties did not have a written employment agreement and LVRC did not maintain guidelines prohibiting employees from emailing LVRC documents to personal computers. After the negotiations broke down, Brekka left LVRC and LVRC brought an action in federal court alleging that Brekka had violated the CFAA when he emailed LVRC documents to his personal computer "without authorization" under the terms of the statute.
The Ninth Circuit, however, rejected LVRC's CFAA claim. The court held that a person uses a computer "without authorization" under the CFAA when they have not received permission to use the computer for any purpose or when the owner of the computer has rescinded permission granted earlier. In this case, there was no dispute that Brekka had permission to access LVRC's computers – in fact, his job required such access. At the time he emailed the company documents to himself, Brekka still had authorized access to LVRC's computers. The court found as a result that Brekka did not violate the CFAA and affirmed his motion for summary judgment on LVRC's claim against him.
Employers should note that the result in LVRC Holdings is somewhat anomalous in that cases involving employees sending confidential company information to personal email accounts typically include a variety of claims beyond merely an alleged violation of the CFAA, such as misappropriation of trade secrets, breach of confidentiality agreements and even claims of theft. For example, a California appellate court in Pillsbury, Madison & Sutro v. Schectman ruled that employees who removed documents from their employer's files without authorization were wrongfully in possession of the documents and were required to surrender originals and all copies along with any documents summarizing, quoting or recording information concerning the nature or contents of the documents.
In all events, employers should be mindful of the authorization given to employees to access company records, including computer systems and electronic files when drafting technology policies as well as general employment policies.