The U.S. Court of Appeals for the Ninth Circuit recently weighed in on whether an employee who has been granted access to his employer’s computers – but uses information obtained from those computers in a manner contrary to the employer’s interest – has acted “without authorization” in violation of the Computer Fraud and Abuse Act (CFAA), a federal statute that imposes criminal and civil liability for certain computer crimes and abuses. See LVRC Holdings LLC v. Brekka, et al., No. 07-17116 (9th Cir., Sept. 15, 2009). The CFAA addresses a wide range of unlawful conduct – from damaging a computer to accessing a computer without authorization or in excess of authorization. The statute originally provided only criminal sanctions but subsequently was amended to provide a private right of action and civil remedies.
In Brekka, the Ninth Circuit came down on the side of the employee, ruling that because the employer had granted the employee access to the computers and information at issue, the employee did not violate the CFAA when he subsequently misused the information.
The pertinent facts were straightforward. The employee emailed the company’s valuable financial and other business records to his personal email account while he was employed, but did not delete the records when his employment ended. When the company later learned facts leading it to conclude that the former employee was using the information for improper purposes, it filed suit, alleging that the former employee accessed the information “without authorization” in violation of the CFAA. The Ninth Circuit affirmed the district court’s judgment for the employee, concluding that, under the plain meaning of the CFAA, an employee accesses a computer “without authorization” only where the employee has not received permission to use the computer in the first place (such as when a hacker accesses a computer without permission), or where the employer has rescinded access to the computer but the employee accesses the computer anyway.
The Ninth Circuit held that it is irrelevant under the CFAA that an employee, who has been granted access to the employer’s computer information, subsequently uses the information for personal or wrongful purposes. Although not argued on appeal, the court concluded that the former employee would have prevailed even if the employer alleged that the improper use of the information “exceed[ed] authorized access,” because nothing in the CFAA suggests that an employee’s authorization to access information is “exceeded” where the employee subsequently misuses it, even if doing so breaches an employee’s duty of loyalty to his employer. It is worth noting that language in the opinion suggests that the outcome might have been different if the employer had a policy that prohibited the transfer of company information to a personal account or computer or required employees to return or delete all company information upon termination of employment.
Significantly, the Brekka decision is squarely at odds with the Seventh Circuit’s decision in International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In Citrin, the Seventh Circuit held that an employee’s authorization to access a computer ended for purposes of the CFAA when the employee breached his duty of loyalty by deleting information, including the employer’s business data and evidence of the employee’s efforts to set up a competing business in violation of his employment contract, from the employer’s computer.
The two recent decisions in Brekka and Citrin highlight just one of the vexing CFAA issues with which courts continue to wrestle. And it is unlikely that employers have heard the last word on whether an employee has acted “without authorization” or “exceed[ed] access” when he subsequently misuses his employer’s computer or information. The opposing conclusions reached by the Ninth and Seventh Circuits are sure to trigger additional litigation and may prompt the U.S. Supreme Court to take up the issue.
In the meantime, employers can take away a few important lessons from these cases:
- First, employers should remember that, depending on the nature and scope of an employee’s conduct, the CFAA might be a valuable tool for deterring employee misuse of the employer’s computers and information, or for remedying the misappropriation or other misuse of trade secrets and other confidential information. Based on the particular facts, employers should consider the CFAA along with other potential claims they may have against disloyal employees and former employees – such as claims for trade secret misappropriation, breach of the duty of loyalty, or breach of an employment or nondisclosure agreement.
- Second, as Brekka illustrates, employers might want to take this opportunity to review their computer and confidentiality policies to ensure that clear directives are in place regarding the use – and misuse – of a company’s computers and information.
- Finally, until the Supreme Court resolves the split in authority highlighted by Brekka and Citrin, all employers (but especially those with operations in multiple jurisdictions) should remain mindful of the CFAA’s different interpretations when crafting workplace policies and pursuing wrongdoers.