In the modern world, computers have revolutionized the way business is conducted, but such technological innovation has inevitably led to novel methods of committing crimes and civil torts. In 1986, to protect the public from such crime, Congress enacted the Computer Fraud and Abuse Act (“CFAA”). ((Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2012).)) Originally, the statute made punishable, under federal law, various acts aimed at certain “protected computers.” ((See Matthew Andris, Comment, The Computer Fraud and Abuse Act: Reassessing the Damage Requirement, 27 John Marshall of Computer & Information Law 279, 283 (2009).)) In 1994, Congress amended the CFAA and made available a civil remedy. ((Andris, supra n. 2, at 285.)) In recent years, prosecutors and employers alike have used the CFAA to pursue employees who steal trade secrets. ((See infra n. 14.))
Although the CFAA is primarily a criminal statute, it does allow for very narrow civil liability as provided by section 1030(g). To establish civil liability, first, a plaintiff must show that the defendant committed an act prohibited by section 1030, which includes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtains . . . information from any protected computer.” ((§ 1030 (g), (a)(2)(C))) In addition to one of those acts, a plaintiff must also fulfill one of the factors in section 1030(c)(4)(A)(i)(I)-(V), including: (1) losses exceeding $5,000; (2) modification or impairment of a medical examination, diagnosis, treatment or care; (3) physical injury to any person; (4) a threat to public health or safety; and (5) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. In addition to those requirements, damages or loss must be shown depending on which subsection was violated. ((See, e.g., 1013(c)(4)(A)(i)(I).)) For example, to successfully establish a claim based on section 1030(a)(2) and factor 1030(c)(4)(A)(i)(I), a plaintiff must show that defendant
“(1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information (4) from any protected computer (if the conduct involved an interstate or foreign communication), and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.” ((LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009).))
While the statute, at first glance, seems to primarily prohibit external hacking into a computer to steal information, prosecutors and civil plaintiffs have used the CFAA to pursue employees when an employee has authorized access to a computer, but uses such authorized access for an impermissible purpose, such as stealing trade secrets. ((See United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); Int’l. Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)(en banc); MSCI Inc. v. Jacob, 946 N.Y.S.2d 565 (1st Dep’t. 2012); JBCHoldings NY, LLC v. Pakter, 2013 WL 1149061 (S.D.N.Y. 2013).)) These cases usually focus on whether the CFAA is triggered when an employee violates his employer’s computer use policy. Recently, in U.S. v. Nosal, the Ninth Circuit held that using a computer with authorized access for an impermissible purpose does not give rise to liability under the CFAA. ((United States v. Nosal, 676 F.3d 854, 863-64 (9th Cir. 2012)(en banc).))
The Narrow View of Liability
In U.S. v. Nosal, Defendant, David Nosal, was employed by Korn/Ferry, an executive search firm. Nosal later quit Korn/Ferry to start his own executive search firm, and he convinced Korn/Ferry employees to supply him customer information from Korn/Ferry’s confidential database. Although Korn/Ferry had a policy that forbade disclosing confidential information, the employees still supplied Nosal with the information. Nosal was charged with aiding and abetting others in exceeding authorized use.
The Ninth Circuit, sitting en banc, held that Nosal did not violate the CFAA because “the CFAA does not extend to violations of use restrictions.” The court based its conclusion on the text and legislative history of the CFAA. It found that the purpose of the CFAA “is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets.” Therefore, it concluded that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Thus, according to the Nosal Court (and contrary to a broader interpretation espoused by other courts), the focus is on whether the employee had access to the information used, not the purpose for which the information was used. Furthermore, the majority held that interpreting the CFAA broadly would create liabilities not intended by Congress. For instance, if an employee, authorized to use a computer, uses that computer to check Facebook, in violation of his employer’s policy, that employee could, in theory, be criminally liable under the CFAA because the employee exceeded his authorized access by violating his employer’s policy.
Although the narrow interpretation provided by the Ninth Circuit was met with criticism as being too lenient, the Fourth Circuit explicitly adopted the Ninth Circuit’s narrow interpretation. ((WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203 (4th Cir. 2012).)) In WEC Carolina Energy Solutions LLC v. Miller, Defendant, Mike Miller, was employed by Plaintiff, WEC Carolina Energy Solutions LLC. In April 2010, he resigned from his position and, twenty days later, gave a presentation on behalf of WEC’s competitor to a potential customer. ((Id.)) During this presentation, Miller used WEC proprietary information, which he acquired while working for WEC.
The Fourth Circuit, agreeing with the Nosal Court, held that Miller did not violate the CFAA because “the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.” ((Id. at 203.)) The Court primarily based its finding on the plain meaning of the statute. It found a person accesses a computer “‘without authorization’ … when he gains admission to a computer without approval,” and that he “exceeds authorized access when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.” Based on these meanings, the Court found that “neither of these definitions extends to the improper use of information validly accessed.” Simply, the court rejected “an interpretation of the CFAA that imposes liability on employees who violate a use policy, choosing instead to limit such liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access.” ((Id. at 207.))
The Broad View of Liability
Although the narrow interpretation is more favorable towards employees, the majority of the Circuits, as pointed out by the Nosal dissent, have adopted a broad interpretation. Specifically, the First, Fifth, Seventh, and Eleventh Circuits have embraced a broad interpretation. In those circuits, the court is more likely to focus on the purpose for which the information was accessed, not on whether the person accessing the information had sufficient authorized access. Therefore, in those circuits, the theft of trade secrets by an employee authorized to access the trade secrets may trigger CFAA liability.
In EF Cultural Travel BV v. Explorica, Inc., defendant Phillip Gormley, vice president of Explorica, had a confidentiality agreement with his former employer, plaintiff EF Cultural Travel BV. ((EF Cultural, 274 F.3d at 579.)) To gain an advantage over the competition, Gormley created a scraper program using Plaintiff’s proprietary information, which was not easily obtainable by outsiders. The scraper program utilized this proprietary information to scan Plaintiff’s website to create a database of prices of tours offered by Plaintiff in previous years. Using this database, defendants were able to undercut Plaintiff’s prices.
The First Circuit held that using this proprietary information, in violation of Gormley’s confidentiality agreement, was a violation of the CFAA because Gormley exceeded his authorized access. By violating the confidentiality agreement, Gormley had exceeded the authorization that Plaintiff gave him. Defendants further argued that the information was not proprietary because any outsider could gather the information given enough time. The court did not accept this argument because defendant’s use of the proprietary information amounted to abuse that went beyond any authorized use of Plaintiff’s website.
In United States v. John, Defendant, Dimetriace Eva–Lavon John, was employed as an account manager at Citigroup. ((United States v. John, 597 F.3d 263, 269 (5th Cir. 2010).)) In this position, Defendant had access to the computer system and the customer account information contained within. With this access, she supplied her brother with information relating to numerous corporate accounts. This information enabled her brother to fraudulently charge the accounts.
The Fifth Circuit held that Defendant violated the CFAA because she exceeded authorized use given to her by Citigroup. The court found that “when an employee knows that the purpose for which she is accessing information in a computer is both in violation of an employer’s policies and is part of an illegal scheme, it would be ‘proper’ to conclude that such conduct ‘exceeds authorized access.’” Furthermore, the court found that “an employer may ‘authorize’ employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer’s business.” Any use going against such a policy would be exceeding authorized access.
In International Airport Centers, L.L.C. v. Citrin, Defendant, Citrin, was employed by plaintiffs-affiliated companies to record data on potential real estate transactions. ((Int’l. Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 419 (7th Cir. 2006).)) They lent him a laptop to aid him in this job. After collecting data, Citrin decided to quit his job and become self-employed. Before returning the laptop to plaintiffs, he copied all the real estate data from the computer and irreversibly erased the data from the laptop. ((Id. When data is normally deleted, the data is still recoverable using special software. Instead of normally deleting the files, Citrin used a special secure-eraser program that makes erased data irrecoverable. Id.))
The Seventh Circuit used agency law to find that Citrin violated the CFAA. Citrin’s authority to access the laptop arose from his relationship (employment) with plaintiffs. This relationship ended when he violated the duty of loyalty by failing to disclose his adverse interests. Accordingly, the Court found that Citrin had no authority to access the computer “because the only basis of his authority had been that relationship” and the relationship ended when he violated the duty of loyalty.
In United States v. Rodriguez, Defendant, Rodriguez, was employed by the Social Security Administration. ((United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir.2010).)) As part of his duties, Rodriguez had access to the social security database, which contains sensitive information such as social security numbers, annual incomes, dates of birth, addresses, etc. Rodriguez was aware of a policy that prohibited obtaining information from the database for a non-business use. Contrary to this policy, Rodriguez used the database for non-criminal purposes such as satisfying his curiosity about relatives and to send letters, flowers, and other goods to females.
The Eleventh Circuit held that Rodriguez violated the CFAA because he exceeded authorized access by not following established business policy. The Administration’s policy stated that the database may only be used for business purposes, but Rodriguez admittedly used the database for personal purposes. The court held that, since Rodriguez went against this policy, he exceeded the authorized access. Rodriguez also tried to argue that he did not exceed authorized access because his use of the information was not criminal as required by John in the Fifth Circuit. The court was not persuaded by this argument because it stated that the CFAA does not focus on how the information is used, but, instead, it focuses on how the information is obtained.
New York Fodder
Counsel at home here in the Second Circuit have authority on both sides of the aisle to aid arguments for, and against, liability pursuant to the CFAA. ((Compare United States v. Aleynikov, 737 F. Supp. 2d 173, 191-94 (S.D.N.Y. 2010) (narrow interpretation), Univ. Sports Publ’ns Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 383-84 (S.D.N.Y. 2010) (narrow interpretation) with Mktg. Tech. Solutions, Inc. v. Medizine LLC, No. 09 Civ. 8122(LLM), 2010 WL 2034404, at *7 (S.D.N.Y. May 18, 2010) (broad interpretation), Register.com, Inc. v. Verio, Inc., 126 F.Supp.2d 238, 253 (S.D.N.Y.2000) (broad interpretation).)) There is Second Circuit authority for the proposition that mere misuse does not state a claim under the CFAA, because a person does not “exceed[ ] authorized access” or act “without authorization” when he misuses information to which he otherwise has access. ((See Nexans Wire S.A. v. Sark-USA, Inc., 166 Fed. App’x 559, 563 (2d Cir. 2006)(affirming the district court’s reading of CFAA provision to exclude losses incurred as a result of plaintiffs misappropriation of proprietary information).)) Interestingly, the First Department in MSCI v. Jacob followed the narrow interpretation of Nosal, and held that the “CFAA does not encompass [defendant’s] misappropriation of information that he lawfully accessed while working for plaintiffs or misuse of work computers in violation of their computer policies.” ((MSCI Inc. v. Jacob, 96 A.D.3d 637, 946 N.Y.S.2d 575, 575 (1st Dep’t. 2012).))
Counsel confronted with a potential CFAA claim arising from a theft of trade secrets must first determine whether the local jurisdiction has adopted a narrow or broad view of liability pursuant to the CFAA. If the jurisdiction follows a narrow interpretation, one critical question is whether the employee actually had authorization to use and access the information, not what purpose the information was used for. On the other hand, if the jurisdiction follows a broad interpretation, the employee has less protection and any breach of a computer use policy may lead to CFAA liability.