Using CFAA to Protect Confidential Information
Employers frequently seek to prevent unauthorized use or disclosure of confidential information by enforcing non-competition or confidentiality agreements against employees who resign to work for competitors. However, employers who have not entered such agreements with their employees nevertheless have available to them various state statutory and common law claims such as tortious interference, breach of fiduciary duty, civil conspiracy and unfair competition. In this column, we have frequently discussed the enforcement of contractual, common law and statutory methods for protecting confidential information,1 but we have not yet specifically focused on a relatively new theory that employers are asserting in litigation with greater frequency, a federal claim under the Computer Fraud and Abuse Act (CFAA). 18 U.S.C. §1030.
The CFAA was initially enacted in 1986 as a criminal statute, and prohibited anyone from accessing a computer system belonging to a bank or the federal government without authorization. Pub. L. No. 98-474, 100 Stat. 1213 (1986). In 1994, Congress expanded the reach of the CFAA by adding a civil remedy. Pub. L. No. 103-322 §290001(g), 108 Stat. 1796 (1994).
The CFAA provides that anyone who "knowingly and with intent to defraud, accesses a personal computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…[or] intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss…shall be punished." 18 U.S.C. §1030(a)(4)-(5)(C).
Under the CFAA's civil action, anyone "who suffers damage or loss by reason of a violation" of most of the CFAA's provisions "may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." Accordingly, an employer now has a federal cause of action against an employee who obtains information by accessing a "protected computer"2 "without authorization" or exceeding his or her "authorized access," provided that the loss to the employer exceeds at least $5,000 in value, or if the offense causes:
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (III) physical injury to any person; (IV) a threat to public health or safety; (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or (VI) damage affecting 10 or more protected computers during any 1-year period.
18 U.S.C. §1030(g). If successful, an employer may obtain both compensatory damages, injunctive relief or "other equitable relief." Id.
Courts disagree, however, about how broadly the CFAA, and specifically the definition of "exceeds authorized access," can be interpreted. The CFAA defines the term "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." §1030(e)(6). The First, Fifth, Seventh and Eleventh circuits have held that the CFAA can apply to employees who have access to a protected computer that stores their employer's confidential information but use that information for a wrongful or disloyal purpose. The Fourth and Ninth circuits, however, have held that employees violate the CFAA only if they obtain information without their employer having given them access to the source of that information.
In 2012, it appeared that the Supreme Court would resolve the conflict in the circuits when it granted a petition for certiorari in WEC Carolina Energy Solutions v. Miller, 687 F.3d 199, 207 (4th Cir. 2012), where the U.S. Court of Appeals for the Fourth Circuit held that an employee who downloaded confidential and proprietary information to his personal computer, in violation of company policy, did not violate the CFAA. However, the Supreme Court recently dismissed the petition for certiorari at the parties' request. WEC Carolina Energy Solutions v. Miller, 133 S. Ct. 831 (2013). In this article, we analyze divergent interpretations of the CFAA and offer some suggestions regarding how employers can craft their policies so as to maximize the possibility of using the CFAA to protect confidential information in the hands of departing employees.
Some courts have concluded that an employee may act "without authorization" or "in excess of authorized access" under the CFAA when he accesses confidential or proprietary information from his employer's computers that he has permission to access but then uses that information in a manner that is inconsistent with the employer's interests or in violation of contractual obligations or fiduciary duties. For example, the U.S. Court of Appeals for the Seventh Circuit held that a breach of an employee's duty of loyalty can create liability under the CFAA in International Airport Centers v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). In that case, an employer loaned an employee a laptop, on which the employee was to record data collected in the course of his work. Before resigning to start his own business, the employee allegedly deleted all of the data on the employer's laptop, including data that he had collected for the employer's benefit.
The district court dismissed the employer's suit for failure to state a claim, and the plaintiff appealed. Id. at 418-19. The court found that under these circumstances the employer stated a claim under the CFAA, even though the employer had given him access to the computer and authority to use the computer to collect data, as well as to "return or destroy" "confidential data" upon conclusion of his employment. The court stated that the employee allegedly had breached his duty of loyalty by destroying files that were the property of his employer, because the provision in the employee's contract permitting him to "return or destroy" confidential data was not intended "to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have." Id. at 421.
The court held that the employee's "breach of his duty of loyalty terminated his agency relationship…and with it his authority to access the laptop, because the only basis of his authority had been that relationship." Id. at 420-21.3 The circuit court consequently reversed the lower court's dismissal, and reinstated the suit. Id. at 421.
Other courts have adopted a much more narrow interpretation of the CFAA than the one applied by the Seventh Circuit and have held that employees violate the CFAA only by the unauthorized access, obtainment, or alteration of information, not the disloyal misuse or misappropriation of information obtained without permission. For example, the Fourth Circuit rejected the Seventh Circuit's interpretation in WEC Carolina Energy Solutions v. Miller. 687 F.3d 199, 203 (4th Cir. 2012). In that case, an employer had given its employee permission to access company intranet and servers as part of his employment. The employee allegedly downloaded his employer's proprietary information before resigning, and then used that proprietary information to make a presentation to the employer's customers on behalf of a competitor.