ES&H v. Allied Safety: Court Sidesteps Split in Authority over Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files
A recent decision by a judge in the District of Eastern Tennessee reflects the continued judicial unease over an employer's use of the CFAA -- a criminal statute -- to sue an employee who has abused his authority to access the company's computer files by obtaining secret information for use in subsequent employment. See ES&H, Inc. v. Allied Safety Consultants, Inc., E.D.Tenn, No. 3:08-cv-323 (Sept. 16, 2009).
The Computer Fraud and Abuse Act (CFAA) provides criminal penalties and gives victims the right to sue for damages when a person intentionally accesses a computer "without authorization" or "exceeds authorized access" and obtains information, perpetrates a fraud or causes damage. 18 U.S.C. § 1030(a)(2), (4), (5). However, courts have long been split over when a person can be considered to have accessed a computer "without authorization."
In an oft-repeated scenario, an employee, who was granted access to his employer's data as part of job, learns that he is about to be fired or decides to leave on his own. He then quickly downloads information that might be useful to his next employer immediately before formal termination.
Some courts considering this scenario have held that "without authorization" only reaches outsiders who do not have permission to access the company's computer in the first place. Other courts looking at this fact pattern apply agency law principles and hold that an employee who uses his access rights to obtain information to advance an interest adverse to his employer has accessed a computer "without authorization."
In Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D. Ariz. 2008), the defendant, Jeff Gast, began working for Shamrock in 2000. In December 2007, he was promoted to Regional Sales Manager. About that time, he also began employment talks with a Shamrock competitor, Sysco Food Services. On January 4 and 7, 2008, Gast emailed numerous documents containing confidential Shamrock material to his personal account. A few days later, he resigned his position at Shamrock and joined Sysco. Shamrock sued, claiming that Gast had violated CFAA, specifically, 18 U.S.C. § 1030(a)(2), (4) and (5).
The Arizona District Court held that the text and legislative history of CFAA supported the narrower view of "authorization." The strongest argument cited by the court was that the House Committee reports discussing CFAA stated that "Section 1030 deals with an 'unauthorized access' concept of computer fraud, rather than mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering' rather than [merely] using a computer . . . in committing the offense." H.R. Rep. No. 98-894 at 20 (1984), as reprinted in 1984 U.S.C.C.A.N. 3689, 3706. The Committee report also repeatedly referred to "hackers" who "trespass into" computers and the inability of "password codes" to protect against this threat." H.R. Rep. No. 98-894 at 10-11. U.S.C.C.A.N. at 3695-97. Based on this narrower interpretation of "authorization," the court dismissed the CFAA claims against the former employee.
While a majority of federal courts have adopted the narrow position, a number of federal courts have taken the more expansive view of the term "authorization." For lists of courts adopting each view, see Shamrock, 535 F.Supp.2d at 964-65, and ES&H, Inc. v. Allied Safety Consultants, Inc., E.D. Tenn. (Sept. 16, 2009).
In International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), the 7th Circuit stated that in enacting CFAA, "Congress was concerned with . . . attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer's data system on the way out (or to threaten to do so in order to extort payments), on the other . . . ." As such, "an employee's authorization to access his employer's computer system must be understood to have terminated when, having already engaged in misconduct and decided to quit . . . in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee." Id. at 420.
This is a distinction with a major difference. If the minority view is accepted, then we can expect to see civil and even criminal actions against employees who download employer files for a great number of purposes that are in furtherance of their employers' interests, including: (i) to post information on a website, (ii) to engage in whistleblowing, (iii) to start their own business, (iv) to create a file of templates for future work after leaving the company, or (v) to gather trade secret information to use against the employer's interest in a competing venture or in subsequent employment. Many, if not most, of these types of actions are covered by state interference with business relations and covenant not to compete laws -- which, by the way, are civil, not criminal laws. It seems unlikely that Congress intended to CFAA to permit such claims to be brought as both criminal and civil actions in federal court.
In some recent cases, courts faced with this interpretive dilemma have found another way to avoid applying CFAA to the disgruntled employee scenario. In American Family Mutual Ins. Co. v. Rickman, 544 F.Supp.2d 766 (N.D. Ohio 2008), an employer sought to use CFAA to sue an employee who had accessed company information and then shared it with a competitor. After reviewing the interpretive split regarding "authorization", the court stated that did not need to resolve this issue, because the employer had failed to allege entitlement to damages cognizable under CFAA. The damage the employer claimed was loss of revenues caused by the delivery of its trade secret information to a competitor. The court pointed out that while CFAA permits a plaintiff to recover lost revenues, these lost revenues must have been caused by an "interruption of service." Id. at 771. In the typical disgruntled employee case, while an employee may download information, he actions usually do not cause a loss of service, and hence are not covered by the CFAA.
The court in American Family noted that CFAA "is limited to the destruction and/or damage of computer information. Prior to the widespread use of computers, and employee could walk off with confidential paperwork; with computers, that employee can walk off with the disc, or quietly transmit the information to an outside source. This method is easier than trying to hide the paperwork in a bulging sack or expandable briefcase, but computer access alone does not make the conduct subject to CFAA. An employer still has traditional state statute and common law remedies available for it for recovering against the dishonest employee." Id. at 772.
Precisely.
The reasoning articulated in American Family was also adopted by the court in ES&H v. Allied Safety, resulting in a dismissal of that case, as well. The solution reached in the American Family and ES&H cases could well resolve a significant number of disgruntled employee cases, including many of the types of cases I have listed above. For other cases, the split over the meaning of "authorization" under CFAA lives on.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
