Friday, April 10, 2015

New Ruling on Computer Fraud and Abuse Act Illustrates Division in Eleventh Circuit

The reach of the federal Computer Fraud and Abuse Act continues to divide courts and commentators. The friction spills over into statutory language that seemingly is pretty clear: one cannot access a protected computer to obtain information in a manner that exceeds the user's authorized access.

The phrase "exceeds authorized access" has yielded a split among many federal courts. On one side sits the pro-employer theory: that an employee cannot access information for reasons inconsistent with the employer's interest. On the other side, employees argue that the CFAA's definition does not turn on subjective intent as to use and that the statute only bars the accessing of information that the employer did not allow.

The Fifth and Seventh Circuits have pretty well-established rules that fall on the pro-employer side, though the rationales are not identical. The Fourth and Ninth are decidedly pro-employee and construe the CFAA much more narrowly.

The Eleventh Circuit's history on this is not straightforward.

Courts within the Eleventh Circuit (that is, district courts in Florida, Georgia, and Alabama) are divided on how to interpret and apply the CFAA. Some follow the pro-employee construction. Others disagree and side with the Fourth and Ninth Circuit line of authority. The problem seems to be a criminal case from the Eleventh Circuit itself, United States v. Rodriguez, which arguably requires a pro-employer construction of the CFAA.

Illustrating this divide is Enhanced Recovery Co., LLC v. Frady (opinion embedded below), which canvasses the law and decides not to follow Rodriguez - arguably binding precedent in the Eleventh Circuit. Frady involves perhaps the most common, ubiquitous CFAA fact pattern in employee mobility cases. The allegations hinged on an employee's act in preparing to compete by sending corporate documents from a company e-mail account to a personal web-based e-mail. Under the employer's theory, this transmission of e-mails is antagonistic to its business interests and constitutes the use of company information in an unauthorized manner.

As with many close CFAA cases, the fact pattern in Frady adds a twist because the employer had fairly clear policies against non-disclosure of information and a requirement to return company materials at the termination of employment. One reasonably could make the argument that these policies at least put the employee on notice that accessing corporate information for a prohibited use exceeded any authorization to use that information.

The district court in Frady was not persuaded and held this wasn't enough. In doing so, it seemed to tread a very narrow path through the Rodriguez case, which seems on first read to warrant a broader application of the CFAA.

My personal opinion is that something else must be going on here. I have seen judges walk this tightrope before, and I believe that regardless of any formal legal analysis, many remain troubled by the extension of the CFAA well beyond its intended purpose to punish hackers criminally. Courts, of course, acknowledge this but judges must default back to the statutory text to see whether conduct falls within the statutory proscription. And they are certainly bound by circuit law. In the CFAA arena, the distinctions that judges are drawing appear to be so fine and nuanced as to be meaningless.

This is not to say that the court in Frady got the result wrong as a normative matter, because the CFAA is overused. It is, to be sure, not a trade secrets law substitute - though many attorneys perceive that it is. And if the Obama Administration has its way, this divide over the meaning of authorized access will get cleaned up in a way that (surprisingly) favors the employer. Ultimately, I think this too is wrong. The existing legal framework under state law works just fine, and a federal trade secrets act may be okay too (though I am more lukewarm on that than others in my profession).

However, extending the CFAA and criminalizing conduct that doesn't even violate state trade secret law is not the right way to go about protecting intellectual property. In the employment realm, it remains a terrible fit. How judges get there is concerning, but if they agree, then I'm okay with a formal legal analysis that leaves me scratching my head.

No comments:

Post a Comment