Computer Fraud and Abuse Act

Before Computers Ruled the World

Once upon a time, businesses stored trade secrets and other proprietary information in locked file cabinets. In the old ink-on-paper days, it was relatively easy to safeguard proprietary information. A limited number of people had keys to the file cabinets. Of course, it was possible to steal the information from the file cabinets. An employee could always copy the information and replace the original in the file cabinet so that no one would be the wiser. But depending on the volume of documents, copying involved a lot of effort and, in some cases, made theft practically impossible.

Times Are Changin’

Much has changed during the last 30 years. Businesses now store proprietary information in electronic systems, and it is much easier to pilfer proprietary information. Copies can be made with a few keystrokes. In a commendable burst of foresight, in 1986, Congress saw this problem looming on the horizon and enacted the Computer Fraud and Abuse Act (“CFAA”) 18 U.S.C. § 1030. The CFAA was designed principally to prevent outsiders from hacking into computer systems, not to prevent theft by insiders like employees. However, depending on the circumstances, the CFAA can also cover theft by corporate employees. The statue makes it a crime to intentionally access a computer “without authorization” or to “exceed authorized access” to obtain information on the computer. The CFAA is a criminal law. Although the general rule is that criminal laws do not create private causes of action, in the CFAA, Congress expressly did so, allowing a private party to obtain compensatory damages and injunctive relief.

When Employees Leave with Data

This past summer, the Fourth Circuit interpreted and applied the CFAA in a civil case involving an employee’s alleged theft of trade secrets. WEC Carolina Energy Solutions, LLC v. Miller, et al., No. 11-1201 (4th Cir. 2012). The defendant, Miller, was an employee of WEC, and WEC authorized Miller to access WEC’s computers. WEC alleged that Miller transferred the company’s trade secrets from the company’s computers to a competitor’s computers and violated the CFAA.

This case presented the following question: If a company authorizes an employee to access the company’s computers and to access the information on the computers, and if the employee, acting within the scope of his authorization, transfers information to a competitor, does the employee violate the CFAA? The court acknowledged that there are two conflicting decisions in other courts that reach opposite conclusions. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). Then it rolled up its sleeves and came up with its own answer.

In analyzing this question, the Fourth Circuit focused on the plain language of the statute and congressional intent. The Court noted that because the statute has criminal penalties, the Court must strictly construe it statue applying the so-called “rule of lenity,” rejecting interpretations not strictly supported by the text. The Court concluded that based on the ordinary and common meaning of “authorization,” an employee is authorized to access a computer when the employer approves his admission to that computer. What does this mean in English? Well it means that an employee accesses a computer without authorization only if he gains admission to that computer without the employer’s approval.

Access is King

Similarly, the Court concluded that an employee “exceeds authorized access” under the CFAA when he has approval to access the computer, but uses his access to obtain or alter information that falls outside the scope of his approved access. For example, if the employee accesses files that he’s not authorized to use. According to the Fourth Circuit, the CFAA does not reach the improper use of information validly accessed. For example if the employer authorizes the employee to access certain information, and the employee then improperly uses the information by transferring the information to a competitor, the employee has not violated the CFAA.

So what does this mean when an employee leaves and takes your data with them? Well, the WEC decision means that employers should also be considering other claims, not just CFAA claims. Employers can still sue for violation of state trade secrets laws, breach of fiduciary duty, and depending on the facts, fraud. However, if an employee is allowed to access files and takes them when they leave, this court thinks that this is not a violation of the CFAA.

Do you agree?