A Cautionary Tale: Why Employers Must Define Acceptable Computer Use by Employees
A recent Ninth Circuit decision underscores the importance of having in place clear and narrow guidelines for the use of an employer’s computer systems. The case tells a tale of what can happen when clear policies limiting employee use and access are absent.
LVRC Holdings LLC (LVRC) filed a lawsuit in federal district court against its former employee, Christopher Brekka, his wife, and two of the couple’s consulting businesses alleging that Brekka has violated the Computer Fraud and Abuse Act (CFAA). Specifically, LVRC alleged that Brekka had used the company computer system both before and after his employment ended, emailing company documents — including customer lists — to his and his wife’s personal email accounts to further their competing businesses, and then accessing his work email account after his employment had ended.
LVRC asserted that because Brekka accessed the company computer and obtained LVRC’s confidential information to further his own interests rather than LVRC’s interests, his access was “without authorization” under the CFAA. LVRC did not have a computer use policy in place, had no employment agreement with Brekka, had provided him with an email account and access to the computer system, and had allowed him to email documents to his personal account because he worked remotely.
When Brekka moved for summary judgment the lower court found in his favor, and the Ninth Circuit affirmed. The court held that a violation of the CFAA requires an unauthorized access to the company computer system. Here, during the course of his employment, Brekka was authorized to use the computer, and no policy prohibited emailing information to personal email accounts. The court specifically rejected LVRC’s argument — relying on a Seventh Circuit opinion — that an employee’s authorization to use a company computer ceases when the employee resolves to use the computer contrary to the employer’s interest. See International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Ninth Circuit disagreed with the Seventh Circuit’s rationale that an employee’s authorization to access a computer ended for purposes of the CFAA when the employee violated his duty of loyalty to his employer by deciding to start a competing business in violation of his employment contract and erased all data from his work laptop computer before quitting his job. Id. at 419. In rejecting this interpretation, the Ninth Circuit in Brekka relied in large part on the fact that the CFAA is primarily a criminal statute and therefore found applicable the well-established principle that “ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity.”
As far as Brekka’s access to the accounts after his employment terminated, the Ninth Circuit held that LVRC had not met its burden of proving that Brekka was indeed the individual who had accessed the system given that other employees of LVRC had access to his password. Thus, despite LVRC’s expert’s testimony tracing the usage to Northern California where Brekka happened to be at the time of the use, the evidence was insufficient for this court.
In light of the conflict among circuits, this decision could lead the U.S. Supreme Court to interpret the CFAA for the first time in its 25-year history.
Significance for Employers
The case underscores the importance of clear and unambiguous policies setting limits on computer access and use. Employers should think through carefully the implications of remote use and use of employees’ personal email accounts where proprietary information is sent back and forth out into the internet. Employers should have policies which prohibit use of computers for employee’s personal benefit, other than incidental use. Employers must also take care to close down email access immediately after an employee parts company with the employer.