Can Your Company’s Computer Use Policy Form the Basis for a Civil Claim?
Trade Secrets Law Update 10/29/13 Brandon M. Krajewski
Can your company's computer use policy form the basis for a civil claim under the Computer Fraud and Abuse Act? In a recent opinion, the Southern District of Texas joins a growing cadre of federal courts to answer yes.
While primarily a criminal statute, the Computer Fraud and Abuse Act ("CFAA") establishes liability for one who, knowingly and with the intent to defraud, exceeds authorized access to a protected computer and obtains anything of value, and furthers the intended fraud. A fierce debate has emerged over whether the phrase "exceeds authorized access" applies to violations of internal computer use policies. With Circuits lining up on both sides of the argument, it appears that this issue may be ripe for a decision by the Supreme Court.
The Southern District of Texas is the latest court to comment on the issue in Beta Tech., Inc. v. Meyers, decided October 10, 2013. The plaintiffs in Beta Tech alleged that former employees made unauthorized copies of Beta Tech's confidential information and later deleted the files to conceal the copying. Defendant Meyers had previously helped draft Beta Tech's "Computer Use Policy" which prohibited use of Beta Tech's computer systems to engage in private or personal business activities, to make unauthorized copies of data, or to delete data. After pilfering Beta Tech's confidential information, plaintiffs allege that Meyers formed a competing company and solicited Beta Tech's clients.
Relying on Fifth and Seventh Circuit precedent, Judge Ewing Weirlien Jr. held that Beta Tech's allegations were sufficient to state a claim under the CFAA. The CFAA defines "exceeds authorized access" as meaning "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The Court found that Beta Tech's "Computer Use Policy" set the boundary for what information the former employees were entitled to obtain.
In so holding, Judge Weirlien Jr. joins the First, Fifth, Seventh, and Eleventh Circuits in deciding that privately drafted contractual obligations contained in company computer use policies may define the outer bounds of "authorized access" under the CFAA. Judge Richard Posner of the Seventh Circuit advanced the broadest interpretation of exceeding authorized use in penning the cessation of agency theory of liability in International Airport Centers, L.L.C. v. Citrin. In Citrin, Judge Posner reasoned that if an employee acts against the interests of his employer, all authority vested in that employee by virtue of the employee acting as an agent for the employer ceases to exist. Thus, any access or use of an employer's information for the employee’s own gain will necessarily exceed the employee’s authorized use and may form the basis for a CFAA claim.
Arrayed on the other side of the Circuit Split, the Ninth and Fourth Circuits have adopted a narrow interpretation of the phrase "exceeds authorized access." In United States v. Nosal, the Ninth Circuit held that because the CFAA is a criminal statute, all ambiguity must be interpreted against liability. Therefore, the Court held that the CFAA does not apply to employees entrusted with access to company information who later use the information inappropriately. Rather, liability under the CFAA requires conduct more akin "hacking," such as accessing a database under a supervisor's password or pilfering the records room. Chief Judge Kozinski concluded that the CFAA does not apply to violations of private computer use restrictions.
With eminent jurists on each side of the debate, the schism over CFAA liability is sure to draw the attention of the Supreme Court eventually. Until then, the location of your company will impact your rights under the CFAA if an employee fraudulently obtains or damages company information. Regardless of your location, you should:
- Implement or review your company's computer use policy. Make certain you have a signed copy from each employee. Different policies may be advisable for employees with different functions and responsibilities within the company.
- Review your computer system architecture. Consider password protection protocols for different portions of your computer system. A password manager program may ease employee transition to any new program.
If you need assistance in reviewing your computer use policies or think you may have a CFAA claim, please contact your Quarles & Brady LLP attorney or an attorney on the Trade Secrets and Unfair Competition Team.
Quarles & Brady LLP has an entire group of attorneys — the Trade Secrets and Unfair Competition Team — dedicated to helping clients with these issues. Their experience in this area of the law allows them to provide you with efficient and reliable advice. Quarles has assisted clients with these issues on both an hourly and flat fee basis. If you need assistance, please contact Nicole J. Druckrey at (414) 277-5777 or [email protected].