The federal Computer Fraud and Abuse Act, 18 U.S.C. §1030, criminalizes access to a computer that is either "without authorization" or that "exceed[s] authorized access," and provides a civil right of action for violations as well. In the last several years, a split has developed in the federal courts on the question of whether an employee’s access to an employer’s computer, even if it was authorized in the ordinary course of business, ceases to be authorized if the purpose if the access is to further an act that is disloyal to the employer. The Ninth Circuit has now weighed in on the issue in an opinion rendered today in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), and has taken a position diametrically opposed to that of an influential Seventh Circuit opinion, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
The question of what effect an employee’s disloyalty has on authorization to access an employer’s computer has arisen in numerous cases in which employers have added civil claims under the CFAA in actions brought against employees alleged to have misappropriated of trade secrets. A typical scenario in which such a claim would be made is where, before departing for a new job, the employee is alleged to have copied or transmitted an employer’s computer files for the benefit of a new employer.
Often, what is at stake in such cases is the employer’s ability to maintain an action in federal court. A dispute over misappropriation of trade secrets is likely to involve only state law issues, and unless there is diversity of the parties, there is no basis for jurisdiction in a federal court. But, of course, federal courts have jurisdiction over a CFAA claim, and the trade secret misappropriation claims are then swept into federal court along with the CFAA claim as pendent state law claims.
The Seventh Circuit opinion in International Airport Centers v. Citrin is the ruling that is cited by employers seeking to press CFAA claims in such cases. In that case the circuit, in an opinion written by Judge Posner, ruled that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby becomes unauthorized to access the employer’s computer, at least for the purpose of furthering an act of disloyalty to the employer. In LVRC Holdings, LLC v Brekka, the Ninth Circuit ruled to the contrary, finding that under the plain meaning of the language of the CFAA, acts of disloyalty on the part of an employee do not render the employee’s access to the employer’s computer unauthorized within the meaning of the statute.
In LVRC, the Ninth Circuit panel concluded that under the ordinary, contemporary, common meaning of the statutory terms, an employer gives an employee ‘authorization’ to access a computer when the employer gives the employee permission to use it. The court found that there is no statutory language to support the contention that authorization terminates when an employee determines to act contrary to the interest of an employer. The court looked to the term "exceeds authorized access," and concluded that the definition of that term made it clear that Congress had no intent to include in the statute any implicit, rather than explicit, limitation on the term authorization. It is an employer’s act of allowing or terminating an employer’s authorization to access a computer that determines whether the employee’s access is authorized within the meaning of the statute, not the employee’s disloyal act. The court reasoned:
Section 1030(e)(6) provides: the term exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has exceed[ed] authorized access. On the other hand, a person who uses a computer without authorization has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employers decision to allow or to terminate an employees authorization to access a computer that determines whether the employee is with or without authorization.
The Ninth Circuit rejected the Seventh Circuit’s reasoning in International Airport Centers, LLC v. Citrin, concluding that relying on whether an employee’s mental state changed from loyal employee to disloyal competitor to determine whether the statute had been violated would be problematic in the criminal law context. The statute should be interpreted consistently in civil and criminal contexts, the court reasoned. Relying on the employee’s mental state with respect to disloyalty to determine whether the statute had been violated would run afoul of the proscription against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants.
In this respect, the ruling echoes (but does not cite) the recent district court opinion in United States v. Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009) (the MySpace "cyberbullying" criminal prosecution). There, the court dismissed a misdemeanor charge of violating the CFAA that was predicated on a user’s alleged violation of the MySpace Terms of Service, finding that it would run afoul of the void for vagueness doctrine because individuals of ‘common intelligence’ arguably would not be on notice that a breach of the terms of a service contract could become a crime under the CFAA.
And conversely, the Ninth Circuit ruling appears to contradict the recent opinion in United States v. Nosal, 2009 U.S. Dist. LEXIS 31423 (N.D. Cal. Apr. 13, 2009), in which the district court declined to dismiss an indictment charging a violation of 18 U.S.C. § 1030(a)(4). The indictment alleged that the statute was violated when a former employee accessed an employer’s computer network to copy proprietary information for use in a competitive enterprise. The court found that the statutory element of intent to defraud in subsection 1030(a)(4) could be found in the employee’s knowing access of electronic records for uses outside their intended purpose. The court in Nosal also rejected the defendant’s argument that because subsection 1030(a)(4) had never been addressed in the criminal context the indictment should be dismissed under the rule of lenity. Citing International Airport Centers, LLC v. Citrin and a number of opinions following it, the court found that there was ample authority in civil cases construing this section to conclude that the CFAA was violated by the ‘access to the employers confidential and proprietary information to advance his own competitive enterprise.
No doubt more will be heard on this issue in the Ninth Circuit, and other courts as well. And eventually, perhaps, the U.S. Supreme Court.