Considering for the first time the scope of the Computer Fraud and Abuse Act (CFAA), with respect to employees obtaining and using confidential and proprietary information from their employers’ computer systems for their own gain, the U.S. Court of Appeals for the Fourth Circuit adopted a narrow reading of the “authorization” language used in the statute as going to use, not access. WEC Carolina Energy Solutions v. Miller, Case No. 11-1201 (4th Cir., July 26, 2012) (Floyd, J.).
WEC Carolina Energy Solutions (WEC) alleges that before resigning from his position at WEC, Mike Miller and his assistant Emily Kelley downloaded WEC’s proprietary information to a personal computer and emailed proprietary information to Miller’s personal email address. WEC claims that Miller later used that information in a presentation to a potential WEC customer on behalf of WEC’s competitor, Arc Energy Services (Arc). That customer ultimately chose Arc, and WEC brought suit alleging a variety of state law claims and a violation of the CFAA.
Congress initially enacted the CFAA to combat hacking. The statute imposes both criminal and civil liability on a person who, among other things, accesses a computer without authorization or exceeds authorized access. Specifically, WEC contended that Miller and Kelley violated the CFAA because under WEC’s policies they were not permitted to download confidential and proprietary information to a personal computer. WEC alleged that by doing so Miller and Kelley breached their fiduciary duties to WEC and either lost all authorization to access the confidential information or exceeded their authorization. The district court dismissed WEC’s CFAA allegations for failure to state a claim. WEC appealed.
Before providing its own analysis, the 4th Circuit reviewed a circuit split on the issue between the U.S. Court of Appeals for the Seventh Circuit and the U.S. Court of Appeals for the Ninth Circuit. The 7th Circuit has previously grounded liability under the CFAA on a theory that when an employee accesses information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer. In contrast, the 9th Circuit interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations in which an individual accesses information on a computer without permission.
The 4th Circuit rejected the 7th Circuit’s analysis and adopted an interpretation similar to that of the 9th Circuit. The 4th Circuit first noted that when interpreting statutes, such as the CFAA, which involve both criminal and civil liability, the rule of lenity requires strict construction of such statutes to avoid interpretations not clearly warranted by the text.
The 4th Circuit went on to determine the proper meaning of “without authorization” and “exceeds authorized access” and held that neither definition extends to improper use of information validly accessed. The court opined that such an interpretation would impose liability far beyond what Congress intended. For example, employees who violated company policy against downloading company materials so that they could work at home would be vulnerable to criminal and civil liability.
The court also rejected any interpretation that grounds CFAA liability on a cessation-of-agency theory. The court held that this rule would also extend liability beyond what Congress intended, potentially imposing criminal sanctions under this theory on employees who merely checked the latest Facebook posting or sporting events scores.
Based on these holdings, the 4th Circuit affirmed the district court’s dismissal of WEC’s CFAA claim, because defendants’ access to confidential information was authorized and only their use of the confidential information, which is not proscribed by the statute, was contrary to WEC’s authorization.