Illustrating the ambiguity and interpretation problems created by the Computer Fraud and Abuse Act, a Nebraska district court has taken an expansive reading of the statute directly contrary to other recent holdings - including the Lugo case and the Bridal Expo case posted below.
Once again, the controversy centers around the meaning of "authorization" in the context of employee appropriation of electronic data during the course of his or her employment. In a conventional (a)(4) or (a)(5) claim under the CFAA, an employer always has to demonstrate that an employee's use of a protected computer was unauthorized. The meaning of that term has been subject to two general interpretations by federal courts.
In this case, the defendants - former executives in an advertising and public relations firm - e-mailed documents to their home computers as they were preparing to compete against their firm. Unlike the Bridal Expo case, there was no dispute in this case that the computer access was done prior to the end of the employment relationship. Arguably, then, the access was authorized.
But following the line of cases in the Seventh Circuit and elsewhere, the court found that principles of agency law - a principle articulated nowhere in the CFAA - essentially rendered the employee's self-interested acts "unauthorized" under the federal statute. The case follows an expansive reading of the CFAA, articulated most notably in the Citrin case from the Seventh Circuit. Many courts have declined to follow Citrin and its progeny.
Please read the entry concerning Lugo for an example of a more narrow reading of the CFAA.
Court: United States District Court for the District of Nebraska
Opinion Date: 2/3/09
Cite: Ervin & Smith Advertising and Public Relations, Inc. v. Ervin, 2009 U.S. Dist. 8096 (D. Neb. Feb. 3, 2009)