Businesses often store proprietary information in automated systems, which makes that information much easier to pilfer: it can be done with a few keystrokes. In a commendable burst of foresight, in 1986 Congress saw this problem looming on the horizon and enacted the Computer Fraud and Abuse Act (“CFAA”), 18 USC §1030. The CFAA was designed principally to prevent outsiders from hacking into computer systems and not to prevent theft by employees. However, depending on the circumstances, the CFAA can also cover theft by corporate employees. The statute makes it a crime to intentionally access a computer “without authorization” or to “exceed authorized access” to obtain information on the computer. The CFAA is a criminal law, and, although the general rule is that criminal laws do not create private causes of action, in the CFAA Congress expressly created a private cause of action, allowing a private party to obtain compensatory damages and injunctive relief.
Recently, the U.S. Court of Appeals for the 4th Circuit decided a case applying the CFAA in a civil action involving an employee’s alleged theft of trade secrets. WEC Carolina Energy Solutions, LLC v. Miller, et al., 4th Cir. No. 11-1201 (26 July 2012). The defendant, Miller, was an employee of the plaintiff, WEC, and WEC authorized Miller to access WEC’s computers. WEC alleged that Miller transferred the company’s trade secrets from the company’s computers to a competitor. WEC alleged, inter alia, that Miller violated the CFAA. The case presented the following issue: If a company authorizes an employee to access the company’s computers and to access the information on the computers, and if the employee, acting within the scope of his authorization, transfers information to a competitor, does the employee violate the CFAA? The Court acknowledged that there are two conflicting decisions in other courts reaching opposite conclusions. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).
In WEC, the Fourth Circuit Court focused on the “plain language of the statute, seeking first and foremost to implement congressional intent,” saying that the words of the statute should be given their ordinary, contemporary and common meaning. The Court noted that because the statute has criminal penalties, the Court must strictly construe the statute, applying the so-called “rule of lenity” and rejecting interpretations not strictly warranted by the text. The Court concluded that based on the ordinary and common meaning of “authorization,” an employee is authorized access to a computer when the employer approves his admission to that computer. Thus, an employee accesses a computer without authorization only if he gains admission to that computer without the employer’s approval. Similarly, the Court concluded that an employee “exceeds authorized access” when he has approval to access the computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access, for example, if the employee accesses files that are outside the scope of his authorization. According to the Fourth Circuit, the CFAA does not reach the improper use of information validly accessed. For example, if the employer authorizes the employee to access the information, and the employee then improperly uses the information by transferring it to a competitor, the employee has not violated the CFAA.
The WEC decision does not leave employers without remedies for the theft of trade secrets. Employers can still sue for violation of state trade secrets laws, breach of fiduciary duty, and, depending on the facts, fraud. However, in cases like the WEC case, employers cannot sue for violation of the CFAA.
Author John Polk is Special Counsel at the D.C. regional business law firm of Berenzweig Leonard, LLP. He can be reached at jpolk@berenzweiglaw.com.