Friday, October 30, 2009
Two Views of the Computer Fraud and Abuse Act (Brekka and Pullen)
Cases under the Computer Fraud and Abuse Act arising out of employee competition continue to head down two divergent paths.
In particular, courts are faced with a decision on whether to interpret the CFAA broadly or narrowly when an employer claims an ex-employee has acted "without authorization" or has "exceeded authorization" in accessing computer-stored information prior to termination of employment.
As I have written before, the more narrow view has gained substantial favor, illustrated by the Ninth Circuit's ruling in LVRC Holdings LLC v. Brekka. That case (originating from Nevada) arose out of a claim that an ex-employee improperly e-mailed company documents to himself prior to his resignation. Of note, the employer had no policy against this, and the documents were apparently sent to facilitate the ex-employee's potential buy-in to the company as a member. Put differently, when the deal soured - and after Brekka quit - the company had very few equities weighing in its favor. Whether that affected the Ninth Circuit's decision or not is not clear.
But the court rejected the argument that the term "authorization" was somehow linked to whether the employee acts contrary to his employer's interest or in defalcation of a fiduciary obligation of loyalty. Rather, the court looked to the plain meaning of the CFAA's terms - and the fact it is at heart a criminal statute - to find Brekka used LVRC's computer system in a manner totally consistent with the access previously granted to him as an employee.
The First Circuit, however, is less sympathetic to an employee's arguments for a narrow construction of the CFAA and reads the Act more broadly. In Guest-Tek Interactive Entertainment Inc. v. Pullen, a district court from Massachusetts denied an employee's motion to dismiss on the same grounds as raised in Brekka. While not directly adopting Judge Posner's influential opinion in the Seventh Circuit's Citrin case, the court rebuffed an employee's effort to dismiss a case after he allegedly transferred thousands of confidential files to a personal USB storage device before resignation. Unlike Brekka, the equities in this case decidedly militated in favor of the plaintiff.
The court in Pullen noted the progressive expansion of the CFAA from its relatively limited origins, as well as the fact employers are customarily using the statute to - essentially - federalize trade secrets claims. How this is at all relevant is not clear, but the court deemed it worthy of mention. The First Circuit, therefore, will interpret the CFAA in a broad fashion, analogous to how the Seventh Circuit does in the aftermath of Citrin.
Having considered the divergent views of federal courts, one issue is perfectly clear. Employers have to be out in front of this issue to eliminate difficult questions of statutory construction. Specifically, employers can be more diligent about protecting digitally stored information by formulating clear computer usage policies concerning use of company data on personal computers, migration of data to internet-based e-mail accounts, and the transfer of data for competitive purposes even while still employed. Including these policies within an employee handbook can help define the scope of authorization, regardless of what the CFAA default position is.
Court: United States Court of Appeals for the Ninth Circui
Opinion Date: 3/13/09
Cite: LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)
Court: United States District Court for the District of Massachusetts
Opinion Date: 10/19/09
Cite: Guest-Tek Interactive Entertainment Inc. v. Pullen, 2009 U.S. Dist. LEXIS 98737 (D. Mass. Oct. 19, 2009)