Federal Court in California Sheds Light on Computer Fraud and Abuse Act: Allegations of Indirect Access Held Insufficient To State Claim
On March 20, 2015, a California federal court rejected an expansive reading of the Computer Fraud and Abuse Act (“CFAA”) urged by two plaintiff corporations that sought to hold a competitor and two of its directors liable under the CFAA, under an agency theory, for the actions of a former employee who allegedly downloaded and stole the corporations’ confidential trade secrets.
The plaintiffs, Koninklijke Philips N.V. and Philips Lumileds Lighting Company (“Lumileds”) are engaged in the business of Light Emitting Diode (“LED”) technology. They alleged that Dr. Gangyi Chen, while employed, downloaded Lumileds’ trade secrets and confidential business information onto a portable storage device, then resigned and began working for a competitor in China, Elec-Tech International Co., Ltd. (“ETI”). Six months after Dr. Chen began at ETI, in an amount of time that plaintiffs called unprecedented in the lighting industry, ETI announced two new high-energy LED lighting products.
The plaintiffs sued in federal court in California, bringing nine state law claims and one federal CFAA claim against various defendants, including Dr. Chen, ETI and two of ETI’s directors. Plaintiffs’ CFAA allegations were that the defendants exceeded authorized access or otherwise accessed plaintiffs’ computers without authorization. As against Dr. Chen, the allegations were that he directly accessed the data, but as to the other defendants, the allegations essentially were that Dr. Chen acted as an agent and a conduit through which the other agents gained unauthorized access to plaintiffs’ data.
In the decision in Koninklijke Philips N.V. v. Elec-Tech International Co., Ltd. (N.D. Cal. March 20, 2015), the Court dismissed the CFAA claim, first holding that that Dr. Chen was authorized to access the information he allegedly stole from Lumileds, and therefore no CFAA claim was stated. Second, the Court rejected plaintiffs’ indirect access theory of CFAA liability as to the other defendants, neatly summarizing its holding as follows:
If the Court accepted Plaintiffs’ argument here, that the mere pleading of an agency relationship between the insider and an outsider could render the outsider subject to liability under the CFAA, it would effectively federalize all trade secret misappropriation cases where parties use a computer to download sensitive or confidential trade secret information – which would be nearly every trade secret case nowadays, when companies maintain their files electronically rather than in physical cabinets. Plaintiffs are really making a policy argument better directed to Congress instead of this Court, which must follow the clear direction from the Ninth Circuit as to who can and cannot be held liable under the CFAA.
While there have been efforts in Congress in recent years to pass a law creating a federal claim for trade secret misappropriation, Congress has not done so yet. Until it does, this decision by the Northern District of California is a useful reminder that plaintiffs considering asserting claims under the “anti-hacking” CFAA must make sure that the facts fall within that statute’s relatively narrow confines. If they do not, such plaintiffs likely will be limited to state law claims and remedies for trade secret misappropriation and the like, and probably will be constrained to proceed in state court, rather than federal court.