Update on CFAA Circuit Split: District Courts in 8th Circuit Adopt Minority View, Permitting Claims Where Defendant Exceeds His Authority to Access Computer
We have been watching closely the development of a Circuit split over whether claims under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer's computer "without authorization," and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.
The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but while they were still Lasco employees, the defendants allegedly "accessed, printed, copied and/or downloaded" a substantial amount of data from their laptops, as well as Lasco's network. Among this data allegedly was customer contact information stored in Shaw's Outlook "Contacts" file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco -- thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).
Several state law remedies address what we will call the "absconding executive" situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.
CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a "protected computer" and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today's internet age, it includes just about every computer in the country.) However, each of these three provisions requires that the defendant have accessed the computer "without authorization." Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee's access to a computer is "without authorization." The majority position, which was recently adopted by the 9th Circuit, is that "without authorization" only refers to persons who do not have permission to access the company's computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.
The minority view, which was adopted by the 7th Circuit in Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), is that an employee can also be found to have accessed a computer "without authorization," whenever he does so in breach of his duty of loyalty to the company. See id. at 420 (Citrin's "authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself, and other files that were the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee").
Judge Jean Hamilton adopted the 7th Circuit's view in the Lasco case. As support, she cited the 7th Circuit's claim that in CFAA, Congress intended to address both outside internet hackers and also internal disgruntled programmers. As we noted in our October 1 post, this is a claim that the 9th Circuit disputes. She also cited rulings by District Courts in Nebraska, Arkansas and Minnesota - all in the 8th Circuit - that have also adopted the 7th Circuit's viewpoint. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Memorandum and Order (October 26, 2009).
Judge Hamilton did note an important statutory interpretation problem in the 7th Circuit's position. CFAA distinguishes between acts that are "without authorization" and those that "exceed authorized access." While most of the provisions of CFAA apply to a person who either accesses a computer "without authorization" OR "exceeds authorized access", the provisions in Section (a)(5) only apply to persons who access a protected computer "without authorization." However, under the 7th Circuit's interpretation of CFAA, "without authorization" would mean the same thing as "exceeding authorized access." This suggests that the 7th Circuit's interpretation of the statute may be incorrect, since in drafting Section (a)(5), Congress expressly did not intend it to apply to persons whose only act involved exceeding their existing authority to access data. However, while Judge Hamilton (and the 7th Circuit) recognized this problem with their interpretations, both simply made the facile claim that the difference between the two terms really was "paper thin," thus justifying their conflation.
The end result was that Judge Hamilton ruled that "Lasco sufficiently alleged that Hall and Shaw acted without authorization when they obtained Lasco's information for their personal use and in contravention of their fiduciary duty to their employer, Lasco."
In light of the fact that CFAA provides criminal penalties, as well as a private right of action, for violations of Section (a)(5) (See Section (c)(2)), it is critical that the growing Circuit split over the scope of Section (a)(5) be resolved.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
