Not a Member?  Become One Today!

Split over Computer Fraud and Abuse Act’s Reach Grows

By Allen Smith  3/31/2014
 
Some courts have used the Computer Fraud and Abuse Act (CFAA)—a law enacted to punish hackers for gaining unauthorized access to computers—to punish employees who take employer files with them just before they stop working for the employer; The U.S. District Court for the Western District of Pennsylvania is not one of them.

Noting that U.S. circuit courts of appeal have split over whether employers may use the CFAA to go after such disloyal former employees, the district court decided on March 6, 2014, to join the narrow interpretation of the statute. The court agreed with the defendants that access to the information, rather than the use of it, must be unauthorized for there to be a violation of the law. In this case, access to the information was authorized, so there was no violation.

Information Worth Millions Stolen in Data Breach

Carnegie Strategic Design Engineers sued five former employees who took more than 285 gigabytes of data from the employer’s system, including confidential company and customer data, before leaving to work for a competitor. Data taken by the former employees included client project data, engineering drawings, cost estimating data, customer contact information, vendor contact information, and other nonpublic proprietary business and trade secret information.

Carnegie contended that the commercial value of the business information is worth $10 million. The plaintiff has spent more than $5,000 on computer forensic investigation and mitigation of the data breach, and has suffered productivity loss as senior-level management and in-house staff have spent time investigating the data breach.

The company sued the former employees, alleging that they violated the CFAA. Carnegie maintained that the employees lost all authority to access the company’s password-protected computer system the instant they undertook to do so for their own benefit or the benefit of a third person.

Narrow vs. Broad View of Law

The court noted that “the scope of the CFAA has been expanded in recent years and employers … are increasingly taking advantage of the CFAA’s civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.”

To prevail, the company must be able to show that the defendants either obtained access to the employer’s computer without authorization or exceeded their authorized access. But the term “authorization” is not defined by the statute, and courts are divided over what it means.

“Under the narrow view, an employee given access to a work computer is authorized to access that computer regardless of his or her intent to misuse information and any policies that regulate the use of information,” the court noted, quoting Dresser-Rand Co. v. Jones, 2013 WL 3810859 (E.D. Pa. 2013). “Under the broad view, if an employee has access to information on a work computer to perform his or her job, the employee may exceed his or her access misusing the information on the computer, either by severing the agency relationship through disloyal activity, or by violating employer policies and/or confidentiality agreements.”

The 4th and 9th circuits have adopted the narrow view. The 1st, 5th, 7th and 11th circuits have adopted the broad view. The district court adopted the narrow view, saying it “is the proper interpretation of the statute and the true interpretation of Congress’ intent in enacting the statute.”

Pennsylvania District Courts’ Rulings

The court noted that other district courts in its circuit (the 3rd Circuit) also have adopted the narrow view. In Consulting Professional Resources v. Concise Technologies LLC, 2010 WL 1337723 (W.D. Pa. 2010), an employee copied confidential information from her employer’s computer system before resigning and using it at her new company. The court found that “while disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.”

In Dresser-Rand, former employees accessed their work laptops and downloaded thousands of documents to external storage devices. The court decided that if the employees “were authorized to access their work laptops and to download files from them, they cannot be liable under the CFAA even if they subsequently misused those documents to compete against the plaintiff.”

In the Carnegie case, the employees were permitted to access the computer system and the data at issue; there was no “hacking into” a computer or files.

The district court also rejected the argument that the 3rd Circuit already had adopted the majority of courts’ broad interpretation of “authorization.”

Right to Access Not Lost

The crux of Carnegie’s argument is that the employees lost the right to access the information when they did it for their own or a third party’s benefit to the detriment of the employer.

“Such a finding is contrary to the plain language of the statute that governs ‘access’ and not ‘use,’ ” the court stated. “The scope of the CFAA does not extend to employees who were authorized to otherwise access the data in question, but did so in bad faith or to the future detriment of his former employer because this court interprets the term ‘authorization’ narrowly and finds that it does not extend to the improper use of information validly accessed.”

This decision is Carnegie Strategic Design Engineers v. Cloherty, No. 13-1112 (W.D. Pa. 2014).

Allen Smith, J.D., is the manager of workplace law content for SHRM. Follow him @SHRMlegaleditor.

Copyright Image Obtain reuse/copying permission


Sections