Navigating The Circuit Split on the Computer Fraud and Abuse Act
Posted by John Rosenthal at 12:42 PM
Navigating The Circuit Split on the Computer Fraud and Abuse Act and Its Use Against Employees Who Access Protected Electronic Information “Without Authorization”:
The primary statute that many rely upon to pursue breaches or
thefts of electronically stored information is the Computer Fraud and
Abuse Act (CFAA). The CFAA allows victims to maintain a private cause
of action against someone who intentionally accesses a protected
computer “without authorization” or “exceeds authorized access,” in
order to obtain information, perpetrate a fraud, or cause damage. 18 U.S.C. § 1030(a), (g).
The question that many pose is to what extent a company or
employer can realistically rely upon the CFAA as a means to protect its
information in the case of a breach or unauthorized access to its
computing systems. In this regard, there are divergent views among the
courts regarding two key elements of the statute that are a potential
limit to its true reach: (i) the meaning of “authorization”; and (ii)
the scope of recoverable damages.
A. Authorization
The CFAA does not define “authorization” – and federal courts have
supported two different interpretations of this statutory language,
particularly in the context of employer/employee relationships. The
result is a circuit split that will likely remain unresolved until the
Supreme Court intervenes.
The Minority Approach. The key
issue is what constitutes an employee’s access “without
authorization.” The Seventh Circuit, as well as district courts in the
First and Eighth Circuits, has adopted a broad view of what constitutes
access “without authorization”: an employee who accesses a company
computer in breach of his duty of loyalty to the company has accessed
that computer “without authorization.” See, e.g., Int’l Airport Centers, LLC v. Citrin,
440 F.3d 418 (7th Cir. 2006). Relying on principles of agency law,
these courts have held that when the basis for the authorization is
terminated – namely, the agency relationship – then the authorization
itself is necessarily revoked. At the moment of misappropriation, the
employee has acted “without authorization” by acting against the best
interests of the company, in favor of his own interests or those of a
third party.
The Majority Approach. A narrower
interpretation of what constitutes access “without authorization” has
emerged in recent years – and is now considered the majority position.
In this regard, the Ninth Circuit, along with district courts in the
Second, Fourth, Fifth, Sixth, Tenth and Eleventh Circuits, has limited
the Act’s use against employees who are accused of wrongfully taking
electronic data prior to leaving the company. In LVRC Holdings LLC v. Brekka,
581 F.3d 1127 (9th Cir. 2009), for example, the Ninth Circuit held that a
current or former employee acts “without authorization” in two
circumstances: (1) when he has never received permission to access the
protected computer or electronic data for any purpose; or (2) when his
permission has been revoked and he accesses the protected computer or
electronic data anyway. In this way, the analysis is shifted away from
the fiduciary duties and intentions of the employee. Instead, the
actions of the employer in granting or limiting access will determine
the scope of the authorization, if any.
Until the Supreme Court steps in to resolve the circuit split, employers in all
jurisdictions can protect themselves by creating clear distinctions
between someone who accesses electronic data “without authorization”
and someone who “exceeds authorized access.” They should implement
computer usage policies that clearly define acceptable and unacceptable
uses, as well as the scope of an employee’s authorization for such
uses. In fairness to the employees, employee contracts and employment
manuals should also include language that helps to define access
“without authorization” and in excess of authorization. And most
fundamentally, employers should limit the number and types of users who
have access to company trade secrets and confidential information. In
this way, employers can hope to diminish some of the unpredictability
in using the CFAA against employees, regardless of the jurisdiction of
the lawsuit.
B. Damages
There is another circuit split related to the CFAA regarding the scope of recovery. The Second
Circuit and some district courts in the Fifth, Sixth, Seventh and
Eleventh Circuits have held that a private cause of action can only be
maintained if the company’s computer system has suffered “an
interruption in service.” This requirement is based on the CFAA’s
definitions of “damage” and “loss” – which do not include economic
damages and losses that are not tied to a service interruption. 18
U.S.C. § 1030(e). The limitation poses a particular challenge in
situations where a departing employee has copied electronic data, since
this kind of access usually does not result in an interruption in
service. See ReMedPar, Inc. v. AllParts Medical, LLC,
No. 3:09-cv-00807 (M.D. Tenn. Jan. 4, 2010). Other district courts,
including some in the Third, Fourth and Eighth Circuits, have taken a
broader view of the damage and loss requirements of the CFAA, choosing
to allow claims to go forward in the absence of “an interruption in
service.” See, e.g., CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009).
Even though some federal courts will not allow these lawsuits to proceed
under the CFAA, victims can still turn to common law remedies – even if
they lose federal jurisdiction and have to litigate their claims in
state court.
John Rosenthal, Karen Quirk and Elizabeth Erickson
of Winston & Strawn LLP co-authored this post. All three are members
of the firm’s eDiscovery & Information Management Practice Group.
The views expressed above are solely those of the authors and should
not be attributed to their firm or firm clients.
Sam wrote on 05/19/10 3:04 AM
You are right. Frauds nowadays take place by using computers. The safety of clients is in danger. So the frauds must be stopped.