In a recent decision, the federal Ninth Circuit Court of Appeals joined a growing number of federal courts that have limited the use of the Computer Fraud and Abuse Act (“CFAA”) in suits brought against former employees accused of taking data from a company’s computer system before leaving the company.
In LVRC Holdings LLC v. Brekka, Case No. 07-17116, 2009 WL 2928952 (9th Cir. September 15, 2009), the Court held that an employer could not maintain its claim under the CFAA, 18 U.S.C. § 1030, against a former employee accused of e-mailing company property to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “without authorization” or “in excess of authorization,” causing a loss. The employee argued that he was authorized to access the computer system in connection with his job duties, and was, therefore, authorized to access the computer system.
In its opinion in Brekka, the Ninth Circuit explicitly rejected the Seventh Circuit Court of Appeals’ reasoning in International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (Judge Posner, presiding), in which the Seventh Circuit held that a defendant employee’s authorization to access his employer’s computer files terminated when he violated his duty of loyalty to his employer.
Concluding that “[n]o language in the CFAA supports [plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest,” the Ninth Circuit switched the focus of inquiry from the former employee’s motive to an objective standard: What actions did the employer take to define what was authorized access and what was not? “If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.”
In Brekka, plaintiff allowed its employee to e-mail company documents to his personal computer in the course of his duties. In addition, plaintiff promulgated no employee guidelines to prohibit employees from e-mailing company documents to personal computers. These were facts fatal to its CFAA claim and may provide a basis to distinguish subsequent cases where employers attempt to assert CFAA claims against former employees accused of e-mailing company information to their personal accounts, provided that they have clear policies prohibiting such activities.
The Brekka Court held “that a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”
The Brekka decision is a wake-up call to employers to take measures to define for their employees the type of computer activity that is permissible (and impermissible) so that the employers can, to the extent allowable, avail themselves of a CFAA claim.