Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...
Courts have split over whether employees who misuse company information can run afoul of the Computer Fraud and Abuse Act. Joshua Fowkes of Arent Fox discusses how courts have approached the issue and suggests why companies should consider raising claims under the CFAA in addition to under trade secret laws.
By Joshua Fowkes
Joshua Fowkes is a partner in the litigation group at Arent Fox LLP in Washington.
A company’s trade secrets are often its most valuable assets. Because trade secrets are typically stored electronically, they are vulnerable to computer hackers. Hacking is prohibited by and subject to criminal and civil liabilities under the Computer Fraud and Abuse Act (CFAA). 18 U.S.C. Section 1030. But trade secrets are also vulnerable to theft by employees and business partners. When trade secrets are stolen by an employee, a company has several remedies, including claims for misappropriation of trade secrets, breach of employment contract, and conversion. But companies sometimes overlook the option of adding claims under the CFAA, particularly now that federal courts have jurisdiction over most trade secret cases under the Defend Trade Secrets Act. The CFAA prohibits a person from obtaining information by accessing a computer without authorization or by exceeding his authorized access. But what if an employee who is authorized to access a company’s information used it in violation of a corporate policy or to harm the company? Courts around the country have answered that question differently. In fact, two courts within two weeks reached opposite results.
The U.S. District Court for the Southern District of Florida held that a person with authorization to access data “exceeds authorized access” if he uses the data to contravene a corporate policy. There, an employee who had full access to his employer’s computer system was supposed to help his employer in a lawsuit, but undermined his employer’s legal defense by sending key evidence to his employer’s adversary. Hamilton Group Funding v. Basel, S.D. Fla., 16-cv-61145, 4/12/18 . The district court noted that the Eleventh Circuit had ruled that a defendant violated CFAA’s prohibition of “exceeding authorized access” when he “obtained personal information for a nonbusiness reason.” As a result, the Florida district court broadly interpreted the phrase “exceeding authorized access” so that the employee’s misuse of this information violated the CFAA and awarded judgment to the company on its CFAA claim.
These two contrasting rulings are just the latest examples of a circuit split on this issue. The First, Seventh, and Eleventh Circuits interpret the phrase “exceeds authorized access” broadly and conclude that an employee exceeds his authorized access to information whenever he acquires information with a subjective intent that is contrary to his employer’s interest, even if the employee had authorization to access the information. In other words, these courts have held that the CFAA bars unauthorized use of information that a person was authorized to access only for particular purposes. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In contrast, the Second, Fourth, and Ninth Circuits interpret that same phrase narrowly and conclude that an employee or business partner does not exceed authorized access in violation of the CFAA by acting with an improper subjective intent or by violating corporate policies restricting use of that information. U.S. v. Valle, 807 F.3d 508 (2d. Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); Nosal v. U.S., 676 F.3d 854 (9th Cir. 2012). The U.S. Supreme Court may need to resolve this split of authority, but it has refused requests to do so. And people have complained for years that the CFAA is an outdated statute that was implemented before the internet existed, and that Congress should replace or revise it.
In the meantime, companies whose employees misuse corporate information should consider complementing their claims for misappropriating trade secrets with CFAA claims. First, while a claim for trade secret theft generally permits a company to recover greater damages, a claim under the CFAA in some ways is easier to win. For instance, a company pursuing a claim for trade secret misappropriation frequently must spend significant time and money to prove that the stolen information was a trade secret, and that it took adequate measures to guard the trade secret’s confidentiality. But a company pursuing a CFAA claim must prove only that its adversary intentionally accessed a computer, lacked authorization or exceeded its authorized access, obtained the information, and caused a loss of at least $5,000. Second, the Supreme Court may ultimately resolve the current circuit split by ruling that an employee exceeds his authorized access to information whenever he obtains it with an intent that is contrary to his employer’s interest, even if the employee initially had authorization to access it. Third, even if a company’s CFAA claim against an employee who had authorization to access the trade secret may fail, it might learn in discovery that another person who lacked authorization violated the CFAA by directing the employee to access the computer. Fourth, a CFAA claim will provide additional leverage to use in settlement discussions. Consequently, even though courts are resolving this issue by issuing competing rulings, companies should not overlook the option of raising CFAA claims against disloyal partners and employees.
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)