Courts in Conflict over Computer Hacking Statute

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, was enacted by Congress in 1986 to criminalize and to deter computer “hacking.” The CFAA has been amended six times – most recently by the U.S.A. Patriot Act and the Identity Theft Enforce­ment and Restitution Act. The statute authorizes the imposition of fines and imprisonment against any person who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby obtains “information from any protected computer.” 18 U.S.C. § 1030 [a][2][c]. The statute prohibits unauthorized access obtained by persons who were physically present at the site of the protected computer as well as from remote locations via the Internet.
The CFAA also provides a limited civil right of action against violators by “any person who suffers damage or loss” (id., §1030(g)) to “1 or more persons during any one-year period … aggregating at least $5,000 in value.” (id., § 1030(c)(4) (A)(i)(I)). “Damage” is defined as any “impairment to the integrity or availability of data, a program, a system or information.” (id., §1030 (e)(8)). “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or any other consequential damages incurred because of interruption of service.” (id., §1030 (e)(11)). Generally, this civil right of action has been used against rogue employees who access employer computers, often to compete with their former employers.
The CFAA was seen as a potentially powerful federal tool through which an employer could obtain injunctive relief and damages against an employee who steals data or trades secrets. However, its suitability for that purpose has been called into question by recent cases. Decisions handed down in the past year have created a split among the federal circuits. A recent high profile Southern District of New York decision siding with the Ninth Circuit and directly rejecting decisions of the First, Fifth, and Seventh Circuits has further widened the approach taken in interpreting the CFAA. The issue confronting the courts is whether the “authorization” granted to an employee to use an employer’s computer system is extinguished when that employee misuses and misappropriates data and trade secrets. Even in cases where an employee “exceeds authorized access,” courts are split in applying CFAA liability.
The growing trend among federal courts has limited the use of the CFAA by both prosecutors and civil litigants by reasoning that former employees do not access employer’s computers “without authorization” and do not “exceed authorized access” in violation of the CFAA whene it is not clear that authorization has been withdrawn. (See, §1030 (2)). Courts require an employer to identify the policies it has promulgated to the employee that define the acts constituting unauthorized computer access, placeing the burden on the employer to show how the employee exceeded that authorization. Even in cases where access was granted subject to a confidentiality agreement, some courts have rejected the employer’s claim that the employee breached his/her “duty of loyalty” in violation of the CFAA.
The split between the Circuits occurred when the Ninth Circuit held that “an employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information.” LVRC Holdings LLC v. Brekka, 581 F. 3d 1127, 1130-31 (9th Cir. 2009). The case arose after Christopher Brekka was hired to conduct internet marketing and regularly e-mailed documents he had generated at work to his personal email address. Brekka had no written employment agreement or confidentiality agreement; nor had the employer promulgated guidelines regarding e-mailing to personal computers. LVRC discovered that the company computer system had been accessed using Brekka’s log-in information, and that financial statements and marketing budgets had been removed. LVRC contacted the FBI and sued Brekka, alleging CFAA violations. The case was dismissed by the district court and LVRC appealed to the Ninth Circuit. The Ninth Circuit concluded that “no language in the CFAA supports LVRC’s argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest” (id., at 1133). The Court reasoned that, unless the employer had terminated the employee’s right to use the company computer, the employee would have no reason to know that his breach of a “duty of loyalty” to his employer would also constitute a violation of federal law.
In LVRC Holdings, the Ninth Circuit explicitly rejected the Seventh Circuit’s holding in International Airport Centers, LLC v. Citrin, 440 F. 3d 418 (7th Cir. 2006), a case which concluded that a defendant employee’s authority to access his employer’s computer files terminated when he violated his duty of loyalty to his employer. In Citrin, Judge Posner held that the defendant employee, who quit his job to open a competing business, terminated his authorization to access his company laptop when he installed a secure-erasure program and erased all company data from the laptop. Judge Posner’s decision was adopted by a number of district courts soon thereafter.
In contrast, the Ninth Circuit in LVRC Holdings reasoned that the CFAA could not be used against employees who are provided access to the company’s computers and then use access to further a competing business because “Brekka would have acted ‘without authorization’ for purposes of §§ 1030(a)(2) and (4) once his mental state changed from loyal employee to disloyal competitor” (id. at 1134). The Ninth Circuit held that a defendant would have no reason to know that a breach of a duty of loyalty would expose him to criminal liability. Based upon this reasoning, the Court held that a civil action under the CFAA also would not lie (id. at 1134).
Several months after LVRC Holdings was published, it was distinguished by the Fifth Circuit in United States v. John, 597 F.3d 263 (5th Cir. 2010). In John, an account manager at Citibank used her authorized access to take customer account data, intending to make fraudulent charges on the account. The Fifth Circuit reasoned that it was neither improper nor unexpected to interpret “exceed authorized access” to use of an employer’s computer when an employee knows the purpose for the access is in violation of the employer policy and part of an illegal plan. In its ruling, the Fifth Circuit acknowledged the distinctions it made from the Ninth Circuit in how “exceed authorized access” should be construed. Regardless, the Fifth Circuit ruled that an authorized computer user “has reason to know that he or she is not authorized to access data or information in furtherance of a criminally fraudulent scheme” (id., at 273). Thus, within the First, Fifth, Seventh and Eleventh Circuits, civil liability against employees can exist under the CFAA when the employee, who, under agency law has a duty of loyalty, breaches that duty by deleting or removing data without authorization of the company or exceeding whatever level of authorization was granted.
The conflict in reasoning was heightened by United States v. Aleynikov, 2010 WL 3489383 (S.D.N.Y., September 3, 2010), in which Judge Cote dismissed a CFAA count relying on the Ninth Circuit’s decision in LVRC for its holding that an “employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information” (id., *16). Aleynikov, a computer programmer employed as a Vice-President in the Equities Division of Goldman Sachs & Co., was charged criminally with misappropriating the computer source code used in Goldman’s high-frequency trading system. On his last day of employment, before moving to a competitor company where he would be responsible for its high-frequency trading, Aleynikov made copies of Goldman’s source code onto his personal computer, encrypted and transported it to Chicago, where he was meeting with his future employer. In dismissing the CFAA charge, the Court relied on LVRC Holdings v. Brekka, (as well as district court decisions within the Second Circuit) in holding that “an employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information.” The Court expanded upon LSRV Holdings when Judge Cote ruled, “What use an individual makes of the accessed information is utterly distinct from whether the access was authorized in the first place” (id., *15).
In Aleynikov, the Government argued that the district court in New York should follow the holdings of the Seventh Circuit in Citrin, that an employee’s authorization to access his employer’s computer is predicated on the agency relationship, and the Fifth Circuit in John, in which the court allowed an employer to place limits on the scope of an employee’s access to company computers. It also argued that the court should follow the decision in EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58 (1st Cir. 2001), in which the First Circuit held that the CFAA “permits computer owners to spell out explicitly what is forbidden” to its employees, should be followed (Aleynikov, *16).
Judge Cote rejected each of those Circuit Court holdings as “unpersuasive” (id., *17). Anchoring her decision in the “ordinary” meaning of “authorization,” she held that authorization is not automatically terminated where the individual exceeds the purpose for which access is authorized. Judge Cote further held that an interpretation of the CFAA based upon agency principles would “greatly expand the reach of the CFAA to any employee who accesses a company’s computer system in a manner that is adverse to her employer’s interests” which “would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense” (id. *17). In its analysis, the Court did not consider Carpenter v. U.S., 484 U.S. 19 (1987), in which the Supreme Court held that an employee has a fiduciary obligation to protect confidential information ob­tained during the course of his employment and that intentionally exploiting that information for an employee’s personal benefit was a fraud against his employer in violation of the mail and wire fraud statutes.
Several district court decisions within the Second Circuit have adopted the Ninth Circuit view that misappropriation of information that an employee lawfully accessed does not give rise to CFAA liability (Jet One Group v. Halcyon Jet Holdings, Inc. No. 08 Civ. 3980(JS) 2009 WL 2524864 E.D.N.Y. (Aug 14, 2009); Univ. Sports Pub Co. v. Playmakers No. 09 Civ. 8206(RJH) 2010 WL 2802322 (S.D.N.Y. July 14, 2010); Orbit One Communication, Inc. v. Numerex Corp. 692 F. Supp. 2d 373 (S.D.N.Y. March 10, 2010)). However, two decisions out of the Southern District of New York apply the Seventh Circuit’s agency theory that misappropriating data residing on any employer’s computer system violates the statute by “exceeding authorization.” (Mktg. Tech Solutions v. Medezine LLC, No. 09 Civ. 8122(LLM), 2010 WL 2034404 (S.D.N.Y. May 18, 2010); Calyon v. Mizuho Sec. USA, Inc. 07 Civ. 2441(RO), 2007 WL 2618658 (S.D.N.Y. 2007)). Thus, a decision by the Second Circuit Court of Appeals is needed to clarify the law in this Circuit regarding the scope of a prospective litigant’s access to the CFAA and the injunctive remedies it contains.
Ultimately, a Supreme Court decision will be required in order to resolve the Circuit level conflict. Until then, employee confidentiality agreements will have to be drawn more carefully in order to protect the integrity of confidential data or company trade secrets. Companies are likely to rely, in part, upon state law causes of action such as unfair competition and trespass to chattels in the cases of unauthorized employees who lift confidential material from company databases. Even when a company has clear policies prohibiting access to certain data, if it violates its own policy by providing access of that data to an employee, that company may not prevail on a CFAA claim. An audit of trade secrets and sensitive data is the first step in ensuring that a company’s most confidential information is protected. Clear computer usage policies that are enforced will further strengthen a claim against a rogue employee. Ultimately, the Second Circuit and the Supreme Court will need to provide guidance and resolve the conflict of “authorized access.”
Daniel J. Lefkowitz practices in Huntington, NY, concentrating on technology, communications and intellectual property litigation.