THE PRIVATIZATION OF CYBERCRIMES What every company should know
What recourse does an employer against the violator to have when an employee, who has obtain compensapermission to use her employer’s tory damages and computer network, uses that access injunctive relief or for an improper purpose? For examother equitable reple, a soon-to-be terminated (or lief.”3 To assert a viable claim, the resigning) employee copies her harmed plaintiff must allege, among employer’s client list and takes that other things, that the defendant misappropriated information with intentionally accessed its informaher when she leaves her tion “without authorization” employer to start a comor in a way that “exceeds peting business venture. authorized access.”4 A little-known federal In recent months there statute, the Computer has been a growing split in Fraud and Abuse Act authority over the scope of (“CFAA” or “Act”), may the terms “without authoribe of value. zation” and “exceeds authorCodified at 18 U.S.C. § ized access” – the predicates 1030, the CFAA was for liability under the Act. enacted by Congress to Indeed, Courts around the enhance the governcountry are grappling with the issue of whether the ment’s ability to prosecute cybercrimes. HowKathryn C. Cole CFAA applies in a situation where an employee with ever, the Act, which has access to his employer’s computer a private right of action, also may be network uses that access for an effectively utilized by private employimproper purpose. ers because actions forbidden by Some courts – including the the CFAA include everything from Southern District of New York – have obtaining information to damaging construed the terms “without authorcomputer data or a computer itself.1 The Act makes it a crime for current ization” and “exceeds authorized or former employees to intentionally access” narrowly, holding that an access a computer network issued or employee’s misuse or misappropriaowned by their employer “without tion of an employer’s business inforauthorization” or in a way that mation is not “without authorization” “exceeds authorized access.”2 if the employer gave the employee Specifically, the CFAA provides access to such information. This line “Any person who suffers damage or of cases holds that the CFAA proloss by reason of a violation of this hibits improper ‘access’ of computer section may maintain a civil action information, rather than the misuse
or misappropriation of information.5 In other words, once an employee is granted “authorization” to access an employer’s computer that stores confidential company data, that employee does not violate the CFAA regardless of how he subsequently uses the information. Other courts, however, have construed the statutory predicates for liability far more broadly. These courts – including courts in the Fifth, Seventh, and Eleventh Circuits – have found that the CFAA covers violations of an employer’s computer use restrictions or a breach of the duty of loyalty under the agency doctrine.6 Specifically, these courts hold that “an employee accesses a computer ‘without authorization’ whenever the employee, without the employer’s knowledge, acquires an interest that is adverse to that of his employer or is guilty of a serious breach of loyalty.”7 These courts focus on an intention to defraud in connection with the access or improper action at issue. From a practical standpoint, what is most troubling about the “broad approach” is that it criminalizes a staggeringly broad cache of behavior. Indeed, minor violations of a company’s computer network usage poli-
cies or harmless computer trespass activities could result in criminal charges. Consider, for example, whether, based on the plain meaning of § 1030(a)(5)(C), an employee who leaves her employer for a new job after surfing job websites with the laptop issued to her by her former employer has accessed the computer network without authority? Or the employee who checked Facebook? Or sent a personal email, from a work laptop? These de minimis personal uses of workplace computer networks is so commonplace that it would be almost unthinkable to believe that Congress intended to criminalize it. While the narrow interpretation may be the better reasoned approach, given: (1) the plain meaning of the statute; (2) the statutory canon of avoiding absurd results; and (3) the legislative history and congressional intent, it is quite possible that the United States Supreme Court will need to resolve this growing split of authority.8 Until this split of authority is resolved, practitioners and companies alike should be aware of how courts in their respective jurisdictions view the CFAA. Irrespective of the CFAA, even if an employee manages to misuse information, employers are not without recourse. Indeed, businesses may still avail themselves of traditional civil claims including misappropriation of trade secrets and breach of contract.
Kasthryn C. Cole, a former clerk to the Honorable Richard C. Wesley of the Second Circuit Court of Appeals, is a commercial litigation associate at Farrell Fritz, P.C.
1. See 18 U.S.C. § 1030(a) (1)-(7). 2. Id. § 1030(a)(2) and (g). 3. Id. 4. Id. § 1030(a)(2) and (g). 5. See, e.g., Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (SDNY 2010) (“The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.”). See also LVRC Holdings LLC v. Brekka, 581 F.3d 1127 [9th Cir. 2009] (holding that that the CFAA targets the unauthorized procurement or alteration of information rather than its misuse); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 [D. Ariz. 2008] (“[T]he plain language of the CFAA “target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.”); Int’l Ass’n of Machinists & Aerospace
Workers v. Werner-Matsuda, 390 F.Supp.2d 479, 499 (D. Md. 2005) (“[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.”); Ajuba Int’l., LLC v. Saharia, Case No. 11-12936 (E.D. Mich. May 14, 2012) (adopting the narrow approach and holding that allegation that employee lost any authorization he had to access employer’s computers, or, exceeded his authorization when he accessed the computers in violation of confidentiality and use limitations, failed to state a claim under the CFAA); ReMedPar, Inc. v. AllParts Med., LLC, 683 F. Supp. 2d 605, 609 (M.D. Tenn. 2010) (construing “without authorization” narrowly, and dismissing CFAA claim based on use of information the employee was authorized to obtain in a fashion that was adverse to the employer’s interests); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008) (rejecting Citrin's agency analysis, and dismissing CFAA claim that was based not on the employee’s accessing of information, but on his later misuse thereof); Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008) (noting in dicta that the CFAA “was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.”); United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (holding that if a company allows its employees to use work computers, it has granted them authorization to access any information they can reach without “the circumvention of technological access barriers,” such as password protections). 6. See, e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (holding that Social Security Administration employee violated the CFAA when he accessed personal records for nonbusiness reasons in violation of SSA policy). See also United States v. John, 597 F.3d 263 (5th Cir. 2010) (holding that the CFAA encompasses limits placed on the use of information obtained by permitted access to a computer system “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime”); Int’l. Airports Ctrs. LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (holding that employee’s breach of his duty of loyalty terminated his agency relationship with his employer, and with it his authority to access his employer’s computer); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). 7. Guest-Tek Interactive Entm’t, Inc., v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009) (citations omitted); see also Dana Ltd. v. Am. Axle & Mfg. Holdings, File No. 1:10-CV-450 (W.D. Mich. June 29, 2012) (quoting Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (Dist. Mass. 2009)). 8. See Brekka, 581 F.3d at 1132-33 (engaging in a plain meaning analysis of “without authorization” and “exceeds authorized access”); Bell-Aerospace Servs., Inc. v. US Aero-Servs., Inc., 690 F. Supp. 2d 1267, 1272 (M.D. Ala. 2010) (applying the rule of lenity and the canon of avoiding absurd results); Re MedPar, 683 F.Supp. 2d at 613 (discussing legislative history of the CFAA).
©2012 Long Island Business News, all rights reserved
OCTOBER 2012 I VOL. 63 I NO. 2 I