Computer Fraud and Abuse Act Implications for Employers
Does a departing employee who logs on to his employer’s computer network and accesses information he intends to use for a competing venture violate the Computer Fraud and Abuse Act (18 U.S.C. § 1030, “CFAA”)? An April 2014 federal district court decision answered in the affirmative, stoking the fire in a hotly divided judiciary.
The CFAA imposes criminal and civil penalties on anyone who “intentionally accesses a computer without authorization or exceeds authorized access” in obtaining protected information. If applicable, the CFAA provides a potent arrow in the employer’s quiver against employees who resign with confidential and trade-secret electronic information. Among other things, the CFAA’s remedial scheme allows a broad range of recovery encompassing “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring . . . the system . . . to its condition prior to the offense.”
Several courts, in analyzing the CFAA’s legislative history, have noted that the act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality. Without a clear congressional mandate, these courts have declined to extend the CFAA’s reach to cover cases of pre-resignation data misappropriation. See, e.g., United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012) (holding that the CFAA “targets the unauthorized procurement or alteration of information, not its misuse or misappropriation”).
More recently, in Associated Pump & Supply Co., LLC v. Dupre—a case involving a resigning salesman’s alleged downloading and deletion of his employer’s confidential files shortly before he started working for a competitor—the U.S. District Court for the Eastern District of Louisiana entered the fray, finding in the employer’s favor on the former employee’s motion to dismiss CFAA claims. (E.D. La., No. 2:14-cv-00009, Apr. 3, 2014).
In so holding, the Dupre court joined a handful of appellate courts and myriad district courts to find that an employee who violates the terms of his employer’s network permission has committed an “unauthorized access” for CFAA purposes. See, e.g., Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) (computer authorization ceases, and CFAA protection applies, when employee accesses employer’s network for personal gain “in violation of the duty of loyalty that agency law imposes on an employee”); Ervin & Smith Advertising and Public Relations, Inc. v. Ervin, et al., (D. Neb., No. 8:08-cv-459, Feb. 3, 2009) (Smith Camp, J.) (employees who accessed employer’s server and emailed sensitive documents to themselves could be liable under CFAA, because any “authorization was terminated when [the employees] destroyed the agency relationship by accessing and appropriating the protected information for their own personal gain and against the interest of their employer”).
While the law governing the CFAA’s application to employee misappropriations remains unsettled in most circuits, the cause of action is worth pursuing alongside traditional theories of recovery (trade-secrets misappropriation, conversion, etc.). This is especially true if tactical considerations make federal courts, which may maintain pendent jurisdiction over related state-law claims, the preferred litigation venue.