If a current employee, who is otherwise authorized to use her employer’s computer systems, uses her access to download trade secrets with the intention of competing against the company, does that employee violate the Computer Fraud and Abuse Act by “exceed[ing] authorized access” to protected computers, or by accessing her company’s computers “without authorization”?
We have a developing circuit split on this question!
One view, invoked by the 7th Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), holds that once an employee breaches the duty of loyalty, that malformed intent terminates all authorization to the employer’s computers, rendering the subsequent act of downloading a CFAA violation.
The opposite view was discussed on this blog earlier this year, when I wrote about the 9th Circuit’s decision in United States v. Nadal, 676 F.3d 854 (9th Cir. 2012). In Nadal, the 9th Circuit (rather humorously) held that this scenario does not describe a CFAA violation because the employee in this scenario does in fact have a valid authorization to use the company’s computers, and this authorization had never been revoked. The 9th Circuit held that these prohibitions in CFAA were intended to cover only hacking–i.e., those to gain entry to the company’s systems from the outside (without any authorization at all), or those who poke around from the “inside” by accessing files and folders that are beyond the scope of their authorization.
We have a new Circuit chiming in on this question–the 4th Circuit. In its new opinion in WEC Carolina Energy Solutions v. Miller, the 4th Circuit has joined the 9th Circuit, holding that employees who download their company’s trade secrets are not, by that act alone, violating CFAA:
With respect to the phrase, “without authorization,” the CFAA does not define “authorization.” Nevertheless, the Oxford English Dictionary defines “authorization” as “formal warrant, or sanction.” Oxford English Dictionary (2d ed. 1989; online version 2012). Regarding the phrase “exceeds authorized access,” the CFAA defines it as follows: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” [18 U.S.C.] § 1030(e)(6).
Recognizing that the distinction between these terms is arguably minute…, we nevertheless conclude based on the “ordinary, contemporary, common meaning,” see Perrin v. United States, 444 U.S. 37, 42 (1979), of “authorization,” that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer “without authorization” when he gains admission to a computer without approval. [Citation]. Similarly, we conclude that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. See id. Notably, neither of these definitions extends to the improper use of information validly accessed. [Ed. note: emphasis is mine]
And, for clarity’s sake, the 4th Circuit went out of the way to expressly reject the Seventh Circuit’s “cessation-of-agency” theory – the idea that once the employee breaches the duty of loyalty all authorization is lost:
Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.
The 9th Circuit’s parade of horribles was far more entertaining, but there is something to be said for brevity.