The recent case of Accenture, LLP v. Sidhu, 2010 WL 4691944 (N.D. Ca. Nov. 9, 2010) is a classic example of how the 9th Circuit’s holding in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) has led to the dismissal of Computer Fraud and Abuse Act (“CFAA”) claims (or criminal counts) in circumstances in which an employee is clearly not authorized to access the company computers. A critical element to all of the CFAA violations alleged against the defendant, Hardev Sidhu, a former employee of the consulting firm Accenture, was that he had accessed Accenture’s computers “without authorization” or had exceeded his authorized access to the company computers. Title 18, U.S.C. §§ (a)(2)(C), (a)(4), and (a)(5)(A)(iii).
Sidhu worked for Accenture in San Francisco from October 1996 until March 27, 2009, when he “began a medical leave of absence.” Id at *1. While on medical leave, he “continued to receive full pay and benefits.” Id. He also “performed services for Accenture’s clients.” Id. “On several occasions during his medical leave, Sidhu confirmed that his illness required extended bed rest, prompting him to take additional leave.” Id. Sidhu’s medical leave continued for over a year “until Accenture officials determined that Sidhu had fabricated the medical condition upon which he premised his leave of absence, and had started working for HCL, Accenture’s direct competitor,” approximately two months into his medical leave. Id.
Throughout his “medical leave, Accenture made available to Sidhu its secure online network containing confidential and proprietary information, known as Accenture’s Knowledge Exchange (“KX”).” Id. During that time “Sidhu downloaded more than 900 documents from the KX system. The “vast majority” of these files were downloaded after he began working for HCL.” Id. at 1.
Accenture claimed that Sidhu’s authorization to access the company computer during his fraudulent medical leave had been negated by its “various policies, including Accenture’s “Confidentiality Policy,” “Security Policy,” “Dual Employment Policy,” “Workstation Security Standard,” and “Mobile Device Policy,” all of which Sidhu had agreed to or acknowledged. Id. at *1. Based on Brekka, the court rejected Accenture’s position and dismissed the CFAA claims on three separate grounds.
First, the court repeated Brekka’s holding that “an employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it.” Id. at 2. Here, Sidhu was an employee – albeit on a bogus medical leave while he was working for a direct competitor — during which time he stole data from Accenture’s computers.
Second, the CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). Rather than focus on the fact that Sidhu did obtain information from the Accenture computers that he was not entitled to obtain for a competitor, the court focused on the statute’s use of the word “alter” stating “[t]here is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate.” Id. * 3. Thus, the court refused to distinguish Brekka based on Accenture’s “written agreements or policies governing the defendant’s conduct, which involved e-mailing documents to a personal computer.” Id. at *3.
Third, Accenture argued that Sidhu’s deception to its Human Resource Department about working for a direct competitor in violation of the “company’s Dual Employment Policy” resulted in him continuing to have access to company computers rather than his employment being terminated. The court rejected this argument because it required the court to determine whether the “employee conduct is deceptive.” Id. at *4. Courts and juries, however, regularly decide all the time whether a person’s conduct was deceptive.
In sum, the court was only concerned with its test of whether at one point “the employer allowed the employee [to] use the computer system,” and not whether the employer limited the scope of that permission in any way or whether the employee obtained that permission through deception. Id. at *4.
Taking aside the fact that Brekka’s and Sidhu’s interpretation of unauthorized access is rejected by the 1st, 5th, 7th and 11th Circuits, the factual circumstances of this case clearly justify a finding that Sidhu’s access to Accenture’s computers were unauthorized. He flagrantly violated what the company clearly said he could and could not do with respect to accessing its computers and he continued that access through outright fraud. There simply could not be a more compelling case of unauthorized access or exceeding authorized access to the company computers.