Below is a cross-post with the Security, Privacy and the Law blog.
Employers increasingly are suing former employees who have left to join or form competing companies using the civil remedies available under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. They use the CFAA to prevent their former employees from using sensitive information obtained from the former employer’s computer system. The scope of the CFAA, however, is subject to hot debate among the federal courts, as highlighted by a recent case from the District of Minnesota.
In Walsh Bishop Associates, Inc. v. O’Brien, Civil Action No. 11-2673 (DSD/AJB), 2012 WL 669069 (D. Minn. Feb. 28, 2012), the court interpreted a provision of the CFAA, 18 U.S.C. § 1030(a)(2)(C), which subjects an individual who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” to civil liability should the plaintiff meet certain conditions. In particular, the court had to determine the scope of the phrase “exceeds authorized access,” which the CFAA defines as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The plaintiff argued that a person exceeds authorized access by accessing information in order to use it in a manner contrary to an employer’s interests and use policies. The O’Brien court, however, concluded, among other things, that subsection (a)(2) is not based on use of information, but rather access to information. Plaintiff’s interpretation therefore could not be correct and the court had to focus on whether the defendants accessed information that they were forbidden to access instead of how defendants intended to use the information they had obtained.
Other courts, including the District of Massachusetts, have come to a different conclusion regarding this language in the CFAA. In Guest-Tek Interactive Entertainment Inc. v. Pullen, 665 F. Supp. 2d 42 (D. Mass. 2009), Judge Gorton analyzed a different provision of the CFAA that also included both the “without authorization” and “exceeds authorized access” language. See 18 U.S.C. § 1030(a)(4). The defendants argued that the CFAA applies only to those lacking initial authorization and not those who subsequently misuse or misappropriate information. The plaintiff in response argued that the employee defendant’s alleged breach of his fiduciary duty of loyalty to the plaintiff (by copying files and secretly planning a competitive venture while still employed) effectively extinguished his authorization to access plaintiff’s computers. The employee defendant’s initial authorization to access the plaintiff’s confidential information was premised on the agency relationship between the parties, the plaintiff argued, and therefore when the employee breached his duty of loyalty he ended that relationship and constructively terminated his authorization to access the plaintiff’s files. Judge Gorton agreed with the plaintiff. He determined that the First Circuit advocated a broader reading of the CFAA in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). In that case, the court “upheld a CFAA claim against employees who had collected pricing information from their former employer’s website in order to develop a competing entity with lower prices.” Guest-Tek, 665 F. Supp. 2d at 45. The First Circuit found “that the former employees’ reliance on [plaintiff]’s pricing information reeked of use—and indeed, abuse—of proprietary information that goes beyond any authorized use of [plaintiff]’s website.” Id. (quotation and brackets omitted). The First Circuit’s analysis of the employees’ “authorized use” and “abuse” of the plaintiff’s proprietary information in Explorica, Judge Gorton ruled, undercut the Guest-Tek defendants’ plain language argument—the type of argument the court accepted in O’Brien.
These two cases show that employers can use the CFAA when employees depart to join or form competing companies, but the CFAA’s usefulness may be limited by the case law in the jurisdiction in which the employer sues. Employers therefore should consider where they can sue and the state of the law in those jurisdictions before filing suit. These cases also call attention to a split in case law that eventually may require resolution by the Supreme Court.