The IP Law Blog Focusing on legal trends in data security, cloud computing, data privacy, and anything E

The Seventh And Ninth Circuits Split On What Constitutes “Without Authorization” Within The Meaning Of The Computer Fraud And Abuse Act

Posted in Trade Secrets, Web/Tech

By Dale C. Campbell and David Muradyan

The Seventh Circuit and the Ninth Circuit do not agree on what constitutes “authorization” under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2004) (“CFAA”)?  The CFAA prohibits accessing computers “without authorization” or “exceed[ing] authorized access” to take various forbidden actions, ranging from obtaining information to damaging a computer or computer data.  See 18 U.S.C. § 1030(a)(1)-(7). Notably, the CFAA provides a private cause of action for persons who have suffered harm resulting from computer fraud.  Id. § 1030(g).  The CFAA provides, in relevant part: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” Id. To assert a viable claim, the harmed plaintiff must allege, among other things, that the defendant intentionally accessed its information “without authorization” or “exceeds authorized access.” Id. § 1030(a)(2). Congress enacted the CFAA in 1984 to enhance the government’s ability to prosecute computer crimes.  LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009).  The CFAA was targeted to rein in hackers who illegally accessed computers to steal data or to disrupt or destroy computer functionality. Id. The CFAA was also designed to target criminals who possessed the capacity to “’access and control high technology processes vital to our everyday lives . . ..’”  Id. at 1130-31 (citing H.R. Rep. 98-894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984).

The Seventh and Ninth Circuits have interpreted the phrase “without authorization” differently.  In International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), defendant Citrin, an employee of IAC (which consisted of various affiliated companies engaged in the real estate business), used a laptop lent by IAC to record information he collected in connection with his job.  Id. at 419. Citrin subsequently quit IAC and went into business for himself, in breach of his employment contract. Id.  However, before he returned the laptop to IAC, he deleted all the data in it – “not only the data that he had collected but also data that would have revealed to IAC improper conduct to which he had engaged before he decided to quit.”  Id.  In reviewing whether Citrin had acted “without authorization,” the Seventh Circuit held that Citrin had violated the CFAA because his authorization terminated “when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposed on an employee.”  Id. at 420.  The Seventh Circuit concluded that this breach of the duty of loyalty to his employer terminated the employee’s agency relationship “and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”  Id. at 420-21.  Thus, the employee acted “without authorization.” Id. at 421.  In summary, the Citrin holding stands for the proposition that an employee can lose authorization to use a company computer when that employee engages in acts that are against the company’s interest or beyond the purpose for which authority was granted.

In sharp contrast, the Ninth Circuit reached a different conclusion when considering whether an employee had acted “without authorization.”  Specifically, in LVRC, 581 F.3d at 1128-29, the Ninth Circuit considered whether Brekka, an employee of LVRC Holdings, LLC (“LVRC”), acted “without authorization” when he emailed LVRC’s documents from his work computer to himself and to his wife.  The Ninth Circuit reasoned that because the employee was given permission to use LVRC’s computer while he was employed, he did not access a computer “without authorization” when he e-mailed documents to himself and to his wife before leaving LVRC. Id. at 1129, 1135. Further, emailing the documents did not “exceed authorized access” because Brekka was entitled to obtain the documents by virtue of his employment with LVRC.  Id.  In declining to adopt the Seventh Circuit’s interpretation of “without authorization,” the court held that a “person uses a computer ‘without authorization’ . . . [only] [1] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or [2] when the employer has rescinded to access the computer and the defendant uses the computer anyway.” Id. at 1135. The Ninth Circuit declined to hold that the “defendant’s authorization to obtain information stored in a company computer is ‘exceeded’ if the defendant breaches a state law duty of loyalty to an employer” because no such language was found in the CFAA.  Id., n. 7.  The Ninth Circuit noted that because the CFAA was “primarily a criminal statute,” and because there was ambiguity as to the meaning of the phrase “without authorization,” it would construe any ambiguity against the government, especially in light of the “rule of lenity, which is rooted in considerations of notice, [and] requires courts to limit the reach of criminal statutes to the clear import of their text.” Id. at 1134-35 (citation and quotation marks omitted).

Undoubtedly, the Ninth Circuit’s more narrow application of the CFAA, as opposed to the Seventh Circuit’s more broad-view approach, is controlling in this jurisdiction. However, under the broad view approach used by the Seventh Circuit, courts have held that when an employee or former employee accesses an employer’s computer and subsequently misuses the information obtained, such access is in “excess of authorization” even if the employee could otherwise have accessed the information for proper purposes. For example, in a case in the U. S. District Court for the Eastern District of Missouri, the district court relied upon the Citrin decision and held that, even if employees were authorized to access their employer’s computer records, they cannot use such authorization (and, hence, their access can become “unauthorized”), if they use the information for their own interests.  Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing, & Consulting, LLC, 2009 U.S. Dist. LEXIS 99535 (October 26, 2009). The court concluded that the employer sufficiently alleged that the employees “acted without authorization when they obtained [the employer’s] information for their personal use and in contravention of their fiduciary duty to their employer.”  Id. at *14. Thus, whether an employee’s access if authorized depends on the employee’s motive.  See id.  

Other than in the factual context of a complete outside hacking into a company’s computer system, the misuse of computer data by employees, especially departing employees, is the most common scenario underlying a CFAA claim. This is especially true when an employer alleges a CFAA violation in conjunction with a claim of trade secret misappropriation. This broad interpretation of the CFAA adopted by the Seventh Circuit is much more protective of an employer’s electronic trade secrets and other confidential information. Nevertheless, the Ninth Circuit has adopted a much narrower view of the CFAA that does not focus on intended misuse of information so long as the employee had authorized access in the first place. Under this line of cases, courts reject the notion that Congress would have “intended essentially to criminalize state-law breaches of contract,” and have not placed any emphasis on motive.  Brett Senior & Associates PC v. Fitzgerald, 2007 WL 3043377, *4 (E.D. Pa. July 13, 3007).

Given the Seventh and the Ninth Circuit split, the Supreme Court will likely be called upon to resolve the conflict; however, the plaintiff in LVRC did not appeal, so a resolution will not be forthcoming soon.

An employer in California can take steps to implement policies and procedures that limit employee access within the computer system and thereby increase its chances of prevailing in a private claim under the CFAA. Long-time readers of this column will recognize these recommendations as the same ones we have recommended in the past for the protection of a company’s trade secrets. This should include geographical, departmental, and subject matter limitations. Further, the company’s employment manual should expressly provide that any access of the company’s computer system without “authorization or in excess of authorization” is expressly prohibited. The CFAA will never replace traditional state remedies for trade secret misappropriation but can become a useful companion to state law.