Computer Use Policies May Be Grounds For CFAA Claims
Can a company's computer usage policy form the basis for a civil claim under the Computer Fraud and Abuse Act? In a recent opinion, the Southern District of Texas joins a growing cadre of federal courts to answer yes.
While primarily a criminal statute, the CFAA establishes liability for one who, knowingly and with the intent to defraud, exceeds authorized access to a protected computer and obtains anything of value and furthers the intended fraud. A fierce debate has emerged over whether the phrase "exceeds authorized access" applies to violations of internal computer use policies. With circuits lining up on both sides of the argument, it appears that this issue may be ripe for a decision by the Supreme Court.
The Southern District of Texas is the latest court to comment on the issue in Beta Tech. Inc. v. Meyers, decided Oct. 10, 2013. There, Beta Tech alleged that former employees made unauthorized copies of Beta Tech's confidential information and later deleted the files to conceal the copying. Defendant Meyers had previously helped draft Beta Tech's "computer use policy." The policy prohibited use of Beta Tech's computer systems to engage in private or personal business activities, to make unauthorized copies of data, or to delete data. Beta Tech alleged that Meyers pilfered Beta Tech's confidential information, formed a competing company and solicited Beta Tech's clients.
Relying on Fifth and Seventh Circuit precedent, Judge Ewing Weirlien Jr. held that Beta Tech's allegations were sufficient to state a claim under the CFAA. The CFAA defines "exceeds authorized access" as meaning "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The court found that Beta Tech's "computer use policy" set the boundary for what information the former employees were entitled to obtain and what they could do with the information afterward.
In so holding, Judge Weirlien Jr. joins the First, Fifth, Seventh and Eleventh Circuits in deciding that privately drafted contractual obligations contained in computer use policies can define the outer bounds of "authorized access" under the CFAA. Judge Richard Posner of the Seventh Circuit, in International Airport Centers LLC v. Citrin, advanced an interpretation of authorized use relying on the cessation of agency theory of liability. In Citrin, Judge Posner reasoned that if an employee acts against the interests of his employer, all authority vested in that employee by virtue of the employee acting as an agent for the employer ceases to exist. Thus, any access or use of an employer's information for the employee's own gain will necessarily exceed the employee's authorized use and may form the basis for a CFAA claim.
Judge Posner built upon a foundation lain by the First Circuit in EF Cultural Travel BV v. Explorica Inc. There, the defendant signed a broad confidentiality agreement prohibiting the disclosure of any information "which might reasonably be construed to be contrary to the interests of the plaintiff. The court found that whatever authorization the defendant had to access and use plaintiff's files, the defendant exceeded his authorization by providing the information to a third-party competitor in violation of the confidentiality agreement. The Fifth and Eleventh Circuits relied on the same principle in grounding CFAA liability on the breach of private agreements on computer use in United States v. John and United States v. Rodriguez, respectively.
Arrayed on the other side of the circuit split, the Ninth and Fourth Circuits have adopted a narrow interpretation of the phrase "exceeds authorized access." In United States v. Nosal the Ninth Circuit held that because the CFAA is a criminal statute, all ambiguity must be interpreted against liability. Therefore, the court held that the CFAA does not apply to employees entrusted with access to company information who later use the information inappropriately. Rather, liability under the CFAA requires conduct more akin to "hacking," such as accessing a database under a supervisor's password or pilfering the records room. Chief Judge Alex Kozinski concluded: "we need not decide today whether Congress could base criminal liability on violations of a company or website's computer use restrictions. Instead, we hold that the phrase 'exceeds authorized access' in the CFAA does not extend to violations of use restrictions."
In WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit echoed Judge Kozinki's rationale in holding that CFAA only prohibits obtaining or altering information that an individual lacked authorization to access in the first place. As the court explained, "Congress has not clearly criminalized obtaining or altering information 'in a manner' that is not authorized. Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter." Under the narrow interpretation of the CFAA what someone does with the information they lawfully access is simply beyond the purview of the statute. This interpretation has been adopted by district courts in Minnesota, Pennsylvania, Florida, Tennessee, Arizona, Georgia and Maryland.
With eminent jurists on each side of the debate, the schism over CFAA liability is sure to draw the attention of the U.S. Supreme Court eventually. Until then, the location of the company will impact its rights under the CFAA if an employee fraudulently obtains or damages company information. Regardless of location, the company should:
- Implement or review the company's computer use policy. Make certain the company maintains a signed copy from each employee. Different policies may be advisable for employees with different functions and responsibilities within the company.
- Review the computer system architecture. Consider password protection protocols for different portions of the computer system. A password manager program may ease employee transition to any new program.
- Implement or review protocols for data management when an employee leaves the company. Remind the employee of their obligations under the company's computer use policy or other agreements.
- If the company suspects an employee has obtained confidential information or damaged files, consider imaging company hard drives or servers before allowing IT to inspect them. Accessing the files may permanently erase information crucial to proving a CFAA claim.
Originally published in Law360, November 26, 2013