Saturday, January 24, 2009

Kansas Court Sides With Narrow Application of Computer Fraud and Abuse Act (Us Bioservices v. Lugo)

Another court has weighed in on whether the federal Computer Fraud and Abuse Act can be applied to essentially federalize trade secrets claims. The answer, in the case of US Bioservices v. Lugo, was a resounding "no."

In granting the defendant's motion to dismiss the CFAA claim, the court adopted a narrow reading of the predicate act giving rise to liability under the statute. Though the CFAA has a number of different provisions, the touchstone of liability is that a defendant must use a protected computer without authorized access or in a manner which exceeds the access granted to him.

The Lugo case is based on a fairly typical of fact-pattern under the CFAA. An ex-employer claims that an employee downloaded or accessed confidential business information while on her work computer, e-mailed that to another location (usually a home account), and then permitted a new employer to use or obtain the benefit of the stolen data.

Does this activity equate to unauthorized access?

Lugo held no, noting along the way that federal courts are split on the issue. There are a number of factors supporting this narrow reading of the authorization language:

(1) the CFAA is at heart a criminal statute, and the rule of lenity applies
(2) "without authorization" is not defined but means, basically, "without permission" and there was no dispute that the employee had permission to access the information, irrespective of whether she misused it later
(3) the focus of the CFAA is wrongful procurement of data, not wrongful use of it

The court rejected the reasoning applied in other jurisdictions that principles of agency law can be grafted onto the CFAA. Under cases like the influential Citrin decision from the Seventh Circuit, an employee's "access" to his work computer ends when he is in breach of a duty of loyalty. Therefore, in those jurisdictions where Citrin is the prevailing rule, it is much easier to state a claim under the CFAA for cases involving misuse of data.


Court: United States District Court for the District of Kansas
Opinion Date: 1/21/09
Cite: Us Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189 (D. Kan. 2009)
Favors: Employee
Law: Federal

No comments:

Post a Comment