• Cullen and Dykman LLP Blogs

  • Archives

  • Circuit Split: How Does the CFAA Apply to Employment Cases?

    Imagine a disgruntled employee rummaging through your company’s confidential files and covertly stealing trade secrets to use as he builds a competing business.  What recourse would you have against the rogue employee?

    The Computer Fraud and Abuse Act (“CFAA”) provides a potential avenue for the company to seek redress against the siphoning of confidential information by mischievous employees.  The CFAA was enacted in 1984 as a mechanism to combat the escalating problem of computer hacking.  However, since its inception the CFAA has expanded to encompass a broad array of behavior.  Under the CFAA an individual can be subject to criminal and civil liability for “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access.”[1]

    However, what constitutes “authorization” remains unsettled and discrepancies in interpretation have resulted in a circuit split.  The Fifth, Seventh, and Eleventh circuits have adopted a broad statutory interpretation finding that an employee acts “without authorization or in excess of his authority when the employee acquires an interest adverse to his employer or breaches a duty of loyalty owed to the employer.”[2] Conversely, narrower readings have been adopted by the Ninth and Fourth Circuit as well as district courts within the Second Circuit, finding that the CFAA applies only when the employee improperly accesses information. Therefore, misappropriation of information retrieved through authorized means would not trigger liability.[3]

    Recently, in United States v. Nosal, the Ninth Circuit held that the term “exceeds authorized access” as used in the CFAA “is limited to violations of restrictions on access to information, and not restrictions on its use.”[4]  The Fourth Circuit’s decision in WEC Carolina Energy Solutions, LLC v. Miller, also held that liability will not be imposed on an employee that accesses electronic information in a permissible manner and subsequently misuses that information.[5] Under this interpretation if our hypothetical employee retrieved the company’s confidential information through permissible means and later improperly used that information to the detriment of the company, the employee would nevertheless be free from liability.  For instance, in United States v. Nosal the company’s proprietary information was transferred to David Nosal by an accomplice who had permission to access such information.[6]  Although, Nosal used the information received to start a competing business, his accomplice’s authorized access allowed him to escape liability.[7] In reaching this conclusion the Court emphasized the rule of lenity; a method of statutory construction whereby penal laws are to be construed narrowly in order to provide adequate notice of violations. Specifically, the Court stated that if a company simply decided to alter their employee-use-policies “behavior that wasn’t criminal yesterday can become criminal today without any act of Congress, and without any notice whatsoever.” [8]

    However, if Nosal had engaged in similar conduct under the jurisdiction of a circuit that employs a broad interpretation of the CFAA he would certainly find himself subject to a much different standard.  Given that the information retrieved was used to start a competing business it clearly represented an interest that was adverse to his employer and under traditional agency principles such conduct would constitute a breach of loyalty.  Once this duty of loyalty has been breached the employee is no longer acting with authorization. For instance, the Seventh Circuit held that once the duty of loyalty has been breached it “makes the accessing of computer files that had previously been authorized transform into unauthorized access under the CFAA.”[9] Additionally, the Fifth and Eleventh Circuits hold that unauthorized access occurs when an employee is aware of the companies terms-of-use policies but decides to violate such policies by using information in a prohibited manner.

    Unfortunately, such divergent interpretation will likely remain the norm until the Supreme Court steps in to resolve the issue.  However, the Justice Department decided not to seek certiorari in Nosal, so any guidance from the Supreme Court appears to be in the distant future.

    [1] 18 USCS § 1030(a)(4)

    [2] Different Strokes: Interpreting Computer Fraud and Abuse Act, New York Law Journal (Sept. 4, 2012) (internal quotation marks omitted).

    [3] Id.

    [4] United States v. Nosal, 676 F.3d. 854 (9th Cir. April 10, 2012) (emphasis in original).

    [5] WEC Energy Solutions, LLC v. Miller, No. 0:10-CV-02775, CMC (4th Cir. July 26, 2012)

    [6] Nosal, 676 F.3d at 864.

    [7] Id.

    [8] Id. at 862

    [9] NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1060 (S.D. Iowa 2009).