Fourth Circuit: Computer Use Policies Don't Create CFAA Liability

Employer-side attorneys got a bitter pill yesterday when the Fourth Circuit held, emphatically, that it is not permissible to build a federal computer fraud case against departing employees based on violations of a company computer use policy. This opinion, along with the en banc Ninth Circuit’s opinion earlier this year in United States v. Nosal, means that large parts of the country are off-limits for this type of litigation.

However, a faint glimmer of hope for employers lies in the uncertain status of the Nosal case. The government has twice obtained a stay of mandate from the Ninth Circuit in order to buy time to file a petition for certiorari to the U.S. Supreme Court. Earlier this month, Justice Kennedy gave the government until Aug. 8 to file a petition. The Fourth Circuit's ruling yesterday marks the second time a court has rejected the government's interpretation of the CFAA. Government attorneys might be more interested in filing a cert petition now. 

Idle speculation on my part, but I wonder if the government has held off on filing a cert petition in Nosal because government attorneys were holding out hope that Congress would amend the CFAA to reflect the government’s interpretation of the statute. Comprehensive cybersecurity legislation, a logical location for CFAA amendments, is reportedly going to see attention next week in the Senate.

In WEC Carolina Energy Solutions LLC v. Miller, No. 11–1201 (4th Cir., July 26, 2012), the court held that a company employee did not violate the Computer Fraud and Abuse Act’s prohibitions against unauthorized access or access in excess of authorization when he downloaded confidential information from his employer’s computer network and later used that information in a competing business.

Judge Henry Franklin Floyd ruled that the CFAA, 18 U.S.C. §1030, prohibits unauthorized acts of obtaining and altering information from a protected computer, not using without authority lawfully accessed information. Because the employee in this case was permitted to have access to the information at the time he downloaded it, his later use of that information for a subsequent employer did not violate the CFAA, the court said.

In so holding, the court agreed with the en banc Ninth Circuit’s recent decision in United States v. Nosal, 676 F.3d 854 (2012). The court rejected the Seventh Circuit reading of the CFAA in International Airport Centers LLC v. Citrin, 440 F.3d 418 (2006), in which the court held that an employee loses lawful authority to access an employer’s computer network if the access violates the employee’s fiduciary duty of loyalty to the employer. The court’s opinion made clear that, in the Fourth Circuit, it is not possible to build a CFAA case based on violations of a company’s computer use policy.

Data Used to Gain Business for Competitor

Defendant Mike Miller resigned from the plaintiff, WEC Carolina Energy Solutions, and went to work for a competitor, Arc Energy Services Inc. Before leaving WEC’s employ, Miller downloaded proprietary information from WEC’s network. He allegedly used that information to win a contract for business that both WEC and Arc Energy were competing for. WEC filed a civil lawsuit against Miller, alleging, among other things, that Miller violated the CFAA when he downloaded WEC’s proprietary information to his personal computer. According to WEC, “[u]nder WEC’s policies [employees] were not permitted to download confidential and proprietary information to a personal computer.” WEC argued that Miller lost authorization to access the company’s information when he breached his fiduciary duty to the company and that he exceeded authorization under the company policy.

The trial court dismissed the CFAA claim, concluding that the WEC policy regulated use of company information, not access to that information, and therefore violation of the policy would not support liability under the CFAA’s authorized access provisions.

CFAA Does Not Regulate Data Use

The Fourth Circuit affirmed. The CFAA is primarily a criminal statute that provides a civil remedy for a subset of its provisions. The court said that it was appropriate to focus on the plain language of the statute, and to take a strict construction or “rule of lenity” approach because the CFAA is a criminal statute. The CFAA does not define “authorization.” It does, however, define “exceeds authorization” as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” 18 U.S.C. §1030(e)(6). With the aid of a dictionary and some common-sense parsing of the statute, the court defined access “without authorization” to mean “when [an individual] gains admission to a computer without approval.” An individual “exceeds authorized access” when that individual “has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.” The court remarked that neither of these definitions reached the conduct complained of in this case, namely, the improper use of information that was validly accessed when the defendant was in the plaintiff’s employ.

Nosal Panel, Citrin Criticized

In support of its argument that the defendant had violated the CFAA, WEC pointed to the (subsequently vacated) three-judge panel opinion in Nosal and the Seventh Circuit’s Citrin opinion. The Fourth Circuit rejected both of these courts’ readings of the CFAA. In Nosal, the three-judge panel zeroed in on Congress’ use of the word “so” in the CFAA’s definition of “exceeds authorized access.” According to the panel, “so” means “in a manner or way that is indicated or suggested.” Thus, according to the Nosal panel opinion, the defendant’s subsequent improper use of lawfully obtained information constituted computer access “in a manner” to which they were not entitled. United States v. Nosal, 642 F.3d 781 (9th Cir. 2011).

The en banc Nosal opinion did not embrace this reading of the statute, nor did the Fourth Circuit here. Even if the court were willing to follow the Nosal panel’s semantic jiu jitsu, the effort would not lead to the result reached by the panel, the court said. If an employee uses his username and password to access information and later puts that information to an impermissible use, his “manner” of access remains valid, the court said. “In the Ninth Circuit’s view, and ours, interpreting 'so' as 'in that manner' fails to mandate CFAA liability for the improper use of information that is accessed with authorization,” the court declared. In any event, the court added, the rule of lenity dictates that criminal liability should be judicially found only where Congress has clearly criminalized the conduct under review. The court noted that, if it were to accept the Nosal panel’s view, the law would treat as criminal behavior an employee’s act of violating a computer use policy if the violation was committed for the purpose of advancing the employer’s interests.

Similar considerations led the court to reject Citrin’s cessation-of-agency gloss on the CFAA. Taking the hypothetical example of an employee who accessed Facebook during work hours in contravention of the employer’s computer use policy, the court said that, under Citrin, the employee’s right to use the employer’s network would immediately terminate. “[W]e do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic,” the court said.

Along the way, the court remarked that the employer still had numerous state-law claims that it could pursue, and was in fact pursuing, against the defendant.

Follow this blogger on Twitter at @tjotoole.