Our colleague, Bill Flanagan, has provided this guest blog on a new case from the 9th Circuit construing the Computer Fraud and Abuse Act in the employment context:
The Ninth Circuit Court of Appeals recently weighed in on the question whether an employee who has been granted access to his employer’s computer system – but then uses the properly-accessed information in a manner contrary to the employer’s interest – has acted “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that imposes criminal and civil liability for certain computer crimes (LVRC Holdings LLC, v. Brekka, et al., No. 07-17116 (9th Cir., Sept. 15, 2009). The court came down on the side of the employee, ruling that because the employee had been given access to the information on the computer, he did not violate when he allegedly misused it.
In this case, the employee emailed the company’s valuable financial and other business records to his personal email account while he was employed, but did not delete the records from the personal computer when he quit. When the company later learned facts leading it to conclude that the former employee was using the information for competitive purposes, it sued him, alleging that the former employee accessed the computer information “without authorization,” which is prohibited under the CFAA.
The court affirmed the lower court’s judgment for the employee – concluding that under the plain meaning of CFAA an employee accesses a computer “without authorization” only where the person has not received permission to use the computer in the first place (such as when a hacker accesses a computer without permission), or where the employer has rescinded access to the computer but the employee uses it anyway. According to the Ninth Circuit, it is irrelevant under the CFRA that an employee, who has been granted access to the employer’s computer information, uses the accessed information for personal or wrongful purposes. (Language in the opinion suggests that the outcome might have been different if the employer had a policy that prohibited the transfer of company data to a personal computer and required employees to return all company data upon termination of employment – and employers might want to consider enhancing their computer-usage policies accordingly.)
The Ninth Circuit decision is squarely at odds with a decision in the Seventh Circuit, International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006.) In that case, the court held that an employee’s authorization to access a computer ended for purposes of the CFAA when the employee breached his duty of loyalty by deleting information, including the employer’s valuable data and evidence of the employee’s efforts to set up a competing business in violation of his employment contract, from the employer’s computer.
It is unlikely that employers have heard the last word on the issue, as the opposite conclusions reached by the Ninth and Seventh Circuits are sure to trigger additional litigation and, perhaps, ultimate resolution by the Supreme Court.