Executive Summary: The Fourth Circuit is the latest court to weigh-in on the growing circuit split concerning the Computer Fraud and Abuse Act ("CFAA") and its applicability to employee data theft cases. Like the Fifth, Ninth, and Eleventh Circuits, the Fourth Circuit rejected a broad interpretation of the CFAA that would impose liability on employees who violate a computer usage policy. Instead, it limits CFAA liability to individuals such as computer hackers who obtain data without any authorization.1
Current Circuit Split On Scope Of CFAA: The CFAA imposes civil and criminal liability for any person who "knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value."
The Seventh Circuit interprets the CFAA to apply to employee data theft cases because such conduct is a violation of the employee's duty of loyalty to the employer. Because the employee breached his duty of loyalty, his agency relationship with the employer is terminated at that time, causing the employee to lose any authority to access the employer's computer system.
The Fifth, Ninth, Eleventh – and now Fourth - Circuits take a much narrower view of the CFAA and hold that the terms "without authorization" and "exceeds authorized access" apply only to outside individuals who access computers without permission. These opinions appear to be rooted in a concern for employees who innocently violate an employer's computer usage policy by engaging in harmless behavior such as checking Facebook and the potential criminal consequences imposed by the CFAA.
Fourth Circuit Expressly Rejects Seventh Circuit's "Cessation of Agency" Theory: Former employee Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. ("WEC"). Just twenty days later, he made a presentation to a potential WEC customer on behalf of a competitor, Arc Energy Services, Inc. ("Arc"), and the customer awarded the business to Arc.
WEC sued Miller, Miller's assistant Emily Kelley, and Arc alleging that they violated the CFAA when Miller downloaded WEC's proprietary information and used that information in Arc's presentation to WEC's potential customer. WEC also alleged nine state causes of action including conversion, tortious interference with contractual relations, civil conspiracy, and misappropriation of trade secrets. The district court dismissed WEC's CFAA claim, holding that CFAA provides no relief for WEC's claims.
The Fourth Circuit affirmed the district court's decision. In doing so, it strongly rejected the "cessation of agency" theory advanced by the Seventh Circuit because of the far-reaching effects unintended by Congress and the imposition of criminal penalties. It noted that WEC was not without any recourse because it could pursue the other legal remedies alleged in the complaint.
Employer's Bottom Line: There appears to be a growing rejection of the applicability of the CFAA to employee data theft cases. If you discover that you are a victim of employee data theft, a misappropriation of trade secrets claim (and other related claims) may be the best avenue to seek relief.
If you have any questions regarding this article, please contact the author, Michelle Abidoye, mabidoye@fordharrison.com, who is an attorney in our Los Angeles office, Jeff Mokotoff, who is an attorney in our Atlanta office and editor of the NonCompete Newsletter, or the FordHarrison attorney with whom you usually work.
1See WEC Carolina Energy Solutions, LLC v. Willie Miller, et al.