A Tennessee District Court recently ruled in Wachter Inc. v. Cabling Innovations, LLC, 3:18-cv-00488 (M.D. Tenn. May 7, 2019) that two former employees with permitted access to company computers were not liable under the Computer Fraud and Abuse Act (“CFAA”) for sharing their employer’s confidential information with a competitor. Wachter adds to the split amongst the circuit courts as to when an employee has acted “without authorization” or “exceeded authorized access” under the CFAA. In part, the CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(5)(C).
In Wachter, two former employees with access to company computers and computer systems allegedly obtained information for personal gain and for the benefit of Wachter’s competitor, Cabling Innovations, LLC. The employees allegedly shared their employer’s confidential information and trade secrets without permission.
The Court in Wachter noted that the CFAA fails to define “without authorization” and acknowledged the split amongst the jurisdictions in interpreting the term. Thereafter, and consistent with prior decisions from the Sixth Circuit, the Court narrowly interpreted the CFAA holding that there “cannot be a CFAA violation where an employee has lawful access to his computer.” The Court’s holding continued that the “[CFAA] was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.” Lastly, Wachter stresses the need to construe the CFAA, a criminal statute, narrowly within the context of civil proceedings.
Cases from the Second, Fourth, and Ninth Circuits echo Wachter’s narrow and literal interpretation of the CFAA. The Court of Appeals for the Fourth Circuit in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) held that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.” The Court in WEC stated that to exceed authorized access “refers to obtaining or altering information beyond the limits of the employee’s authorized access. It does not address the use of information after access.” In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), a former employee received confidential information from his still employeed and former assistant who had current log-in credentials. Despite the assistant violating the employer’s disclosure policy, the Ninth Circuit held that such conduct was not “without authorization, or exceed[ing] authorized access” because the assistant “had permission to access the company database and obtain the information contained within.”
A number of jurisdictions have adopted an expansive view of the CFAA and recognized instances when an employee’s conduct went beyond authorized access. The Court of Appeals for the Seventh Circuit held in Int’l Airport Ctrs., LLC, v. Citrin, 440 F.3d 418 (7th Cir. 2006) that a former employee’s authorized access terminated “when, having already engaged in misconduct and decided to quit…he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.” Citrin continued that the “breach of [the employee’s] duty of loyalty terminated his agency relation…and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”
Opinions from the Eleventh and Fifth Circuit have held that an employee who accesses information beyond the purposes of his granted authority exceeds his authorized access. In U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the Court of Appeals for the Eleventh Circuit held that a former Social Security Administration (the “SSA”) employee violated the CFAA upon accessing personal records maintained by the SSA for non-business purposes. The Court in Rodriguez ruled that “the plain language of the [CFAA] forecloses any argument that Rodriquez did not exceed his authorized access” when he accessed personal information that he was authorized to access only for business reasons. Similarly, in U.S. v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit Court of Appeals held that a former Citigroup employee exceeded her authorization when she shared personal customer information in violation of Citigroup’s policy prohibiting the misappropriation of confidential information contained on Citigroup’s computer systems. The opinion in John offers guidance that “authorization access” as used in the CFAA, “may encompass limits placed on the use of information obtained by permitted access.”
The Supreme Court has yet to address to divergence amongst the circuit courts relating to the CFAA. As such, and given the conflicting jurisdictional interpretations, it is important that businesses (i) clearly communicate access policies to their employees, (ii) review existing confidentiality and non-disclosure policies with both management and employees, and (iii) implement policies and procedures to quickly limit the access rights of terminated or otherwise restricted employees.