September 27, 2022

Volume XII, Number 270


September 26, 2022

Subscribe to Latest Legal News and Analysis

Computer Fraud and Abuse Act No Help to Employer Suing Employee Who Took Proprietary Business Info

An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, 2014 U.S. Dist. LEXIS 137347 (S. D. Ohio Sept. 29, 2014).

The employer alleged that the employee emailed himself certain Microsoft Excel, Microsoft Word and PDF files containing the employer’s confidential, proprietary, or trade secret information and convinced a co-worker to send him a proprietary pricing tool that he could not access. The employer claimed that this employee and his competing business violated, among other things, subsection (a)(2)(C) of the CFAA, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]… information from any protected computer.”

Judge James Graham recognized that courts across the country have struggled with whether a valid CFAA claim exists where an employee accesses his employer’s computer to misappropriate confidential information. Judge Graham noted a split in opinion on the issue, with some courts construing “without authorization” and “exceeding authorized access” broadly and others interpreting these words narrowly, holding that once an employee is granted access to the employer’s computer system, he does not violate the CFAA regardless of how he subsequently uses the information. The court determined the narrow interpretation was more appropriate in light of the CFAA’s definition of “exceeds authorized access.”

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). The court cited LVRC Holding L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009), with approval and found that an employee authorized to access the employer’s computer systems does not exceed such authorization, as defined under the CFAA, unless he accesses information on the computer to which he is not permitted.

Based on its narrow interpretation of the statute, the court found the employer failed to state a claim under the CFAA because the employee had authorization to access the confidential and proprietary documents that he later emailed to himself, even if he used the documents for an improper purpose. Additionally, because the employee did not access the proprietary pricing tool himself (he persuaded his colleague who has access to the tool to send it to him), he did not “exceed his authorization.”

The lesson for employers is to restrict access to confidential and proprietary information on their systems to employees with a business need for the information. Employers also should make sure that appropriate security measures are in place to prevent employees from sharing this confidential and proprietary information with co-workers without prior approval.

Jackson Lewis P.C. © 2022National Law Review, Volume IV, Number 298

About this Author

Michelle T. Hackim, Jackson Lewis, employee discipline attorney, lawful discharge lawyer

Michelle Todd Hackim is an Associate in the Cleveland, Ohio, office of Jackson Lewis P.C. She represents management exclusively in a variety of employment and labor law matters before state and federal courts.

Ms. Hackim also works with employers to avoid litigation by drafting and developing employment policies and implementing preventative strategies in the workplace.

Prior to attending law school, Ms. Hackim managed and reviewed the loan portfolios of small business clients at...