Computer Fraud and Abuse Act No Help to Employer Suing Employee Who Took Proprietary Business Info
An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, 2014 U.S. Dist. LEXIS 137347 (S. D. Ohio Sept. 29, 2014).
The employer alleged that the employee emailed himself certain Microsoft Excel, Microsoft Word and PDF files containing the employer’s confidential, proprietary, or trade secret information and convinced a co-worker to send him a proprietary pricing tool that he could not access. The employer claimed that this employee and his competing business violated, among other things, subsection (a)(2)(C) of the CFAA, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]… information from any protected computer.”
Judge James Graham recognized that courts across the country have struggled with whether a valid CFAA claim exists where an employee accesses his employer’s computer to misappropriate confidential information. Judge Graham noted a split in opinion on the issue, with some courts construing “without authorization” and “exceeding authorized access” broadly and others interpreting these words narrowly, holding that once an employee is granted access to the employer’s computer system, he does not violate the CFAA regardless of how he subsequently uses the information. The court determined the narrow interpretation was more appropriate in light of the CFAA’s definition of “exceeds authorized access.”
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). The court cited LVRC Holding L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009), with approval and found that an employee authorized to access the employer’s computer systems does not exceed such authorization, as defined under the CFAA, unless he accesses information on the computer to which he is not permitted.
Based on its narrow interpretation of the statute, the court found the employer failed to state a claim under the CFAA because the employee had authorization to access the confidential and proprietary documents that he later emailed to himself, even if he used the documents for an improper purpose. Additionally, because the employee did not access the proprietary pricing tool himself (he persuaded his colleague who has access to the tool to send it to him), he did not “exceed his authorization.”
The lesson for employers is to restrict access to confidential and proprietary information on their systems to employees with a business need for the information. Employers also should make sure that appropriate security measures are in place to prevent employees from sharing this confidential and proprietary information with co-workers without prior approval.