All posts tagged 'Without-Authorization'
News, commentary and legal updates from the attorneys in the Employee
Defection and Trade Secrets Practice Group at Fisher & Phillips.

Computer Fraud & Abuse Act: Eleventh Circuit Finds Employer’s Policy Defines Limits of Employee's Authorized Access

January 9, 2011 17:41
by Michael R. Greco

Time and time again, this blog has outlined the ongoing debate in the courts over whether the federal Computer Fraud & Abuse Act (“CFAA”) applies in the context of departing employees.  Namely, federal courts differ over whether the CFAA applies when an employee is accused of misappropriating his or her employer’s confidential information or trade secrets by means of the employer’s computer, to which the employee had authorized access as a result of his or her employment.  A recent opinion by the United States Court of Appeals for the Eleventh Circuit may be seen by some as adding to the debate.

In United States v. Roberto Rodriguez, the 11th Circuit took on the question of whether an employee “exceeds authorized access” under the CFAA by accessing information on a computer in a manner contrary to an employer’s policies.  Rodriguez is a former employee of the Social Security Administration (“SSA”).  The SSA established a policy that prohibits employees from obtaining information from its databases without a business reason.  The SSA notified employees of this policy through training sessions, notices published in the office, and banners that appear on computer screens daily.  Employees were also required to sign forms annually acknowledging the policy.

In apparent disregard of this policy, Rodriguez was accused of repeatedly using SSA databases to obtain personal information concerning people he knew, including women in whom he had romantic interests.  On one occasion, Rodriguez sent flowers on Valentine’s Day to a woman he had met who had not given him her address.  He later arrived at her doorstep uninvited.  Some time later, he called to wish her a happy “half-birthday” even though she had not shared her birthday with him.  He also accessed SSA databases to obtain information concerning several other women he met and to obtain information concerning their family members.

Rodriguez was charged and later convicted of criminally violating the CFAA by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any department or agency of the United States.”  18 U.S.C. § 1030(a)(2)(B).  Although this case involves a criminal indictment and prosecution, it is instructive in civil cases because the 11th Circuit’s decision revolves around an element commonly at issue in civil claims; namely, what it means to access a computer in excess of one’s authority.

Rodriguez argued that he did not violate the CFAA because he accessed only databases that he was authorized to access as an employee of the SSA.  The 11th Circuit found “his argument ignores both the law and the record.”  The Court explained:

“The Act defines the phrase ‘exceeds authorized access’ as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.’  The policy of the [Social Security] Administration is that use of databases to obtain personal information is authorized only when done for business reasons.  Rodriguez conceded at trial that his access of the victims’ personal information was not in furtherance of his duties as a TeleServices representative and that ‘he did access things that were unauthorized.’  In light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.”

In its decision, the 11th Circuit stated that its opinion was not at odds with the Ninth Circuit’s decision in LVRC Holdings v. Brekka because Brekka could be distinguished: “Brekka is distinguishable because the Administration told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons.”  Although this is an accurate observation, a California court recently cited Brekka in support of its decision rejecting an employer’s CFAA claim even though the employer argued that the employee accessed information in a manner contrary to company policy.  See prior post Computer Fraud & Abuse Act: Court Rejects Argument That Employer's Corporate Policies Can Make Employee Access "Unauthorized" Under the CFAA.

After the 11th Circuit’s opinion in Rodriguez, one thing remains clear:  employers and employees will continue to interpret and apply the CFAA differently.  A copy of the 11th Circuit's decision in U.S. v. Rodriguez is available in pdf format below.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or subscribe to this blog's RSS feed.

US v. Rodriguez.pdf (88.81 kb)

Computer Fraud & Abuse Act

Computer Fraud & Abuse Act: Court Rejects Argument That Employer’s Corporate Policies Can Make Employee Access “Unauthorized” Under the CFAA

November 23, 2010 08:37
by Brent A. Cossrow

No sooner had we posted last week’s blog regarding the dismissal of the United States’ Computer Fraud and Abuse Act (“CFAA”) claims against Sergey Aleynikov in the Goldman Sachs’ high-frequency trading code criminal prosecution than a California federal district court issued a similar noteworthy opinion dismissing CFAA claims against an employee who was accused by his former employer of using the employer’s computer systems to misappropriate trade secrets and confidential information.  Accenture, LLP v. Sidhu, No. C10-2977-TEH (N.D. Cal., Nov. 9, 2010).  A pdf copy of the Court's opinion is available below.

As readers of this blog know well by now, the CFAA provides a federal, private right of action against any person who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value… .”  18 U.S.C. § 1030(a)(4). 

There is a division within the federal judiciary over whether the CFAA applies to a faithless employee’s misappropriation of his or her employer’s confidential information or trade secrets by means of the employer’s computer, to which the employee had authorized access as a result of his or her employment.  On this legal issue, there is a continuum of interpretations of the CFAA within the federal judiciary.  Some district and appellate courts hold that the CFAA gives employers a federal cause of action against their disloyal departing employees, in what has been perceived as a pro-employer interpretation.  On the other end of this continuum are what would appear to be employee-centric opinions holding that the CFAA does not create such a right in employers.  (Some bloggers, such as our respected colleague, Marc Dobin of Jupiter, Florida, openly advocate for the employee-centric view.)

Along the continuum of decisions, the Sidhu opinion is more employee-centric, and several aspects of the court’s analysis support this perception.  Sidhu was an employee of Accenture.  Accenture alleges that during an extended medical leave, Sidhu started working for HCL, Accenture's direct competitor.  However, Accenture contends that for the duration of Sidhu's medical leave, Accenture made available to Sidhu its secure online network containing confidential and proprietary information.  According to Accenture, Sidhu downloaded more than 900 documents from Accenture’s proprietary computer KX system while on medical leave and, notably, after he began working for HCL.  Accenture had two company-wide corporate policies that were relevant to its CFAA claims: first, a policy that prohibited employees from transmitting work documents to their personal computers and, second, a policy that prohibited dual-employment.  As is often true in these types of cases, the ultimate facts are likely to be hotly contested.

After Accenture filed suit, Sidhu filed a motion to dismiss, and the court dismissed Accenture’s CFAA claims.  The court’s analysis was grounded in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where an appellate court held that “an employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it.”  Brekka, 581 F.3d at 1133.  Under the CFAA, the phrase “exceeds authorized access … means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. § 1030(e)(6).  This statutory definition “implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer,” the Brekka court observed.  Brekka, 581 F.3d at 1135.  As the court reasoned, an individual only “exceeds authorized access” if he has permission to access a portion of the computer system but uses that access to “obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter.”

In holding that Sidhu was given access to Accenture’s computers by Accenture, the court rejected Accenture’s arguments that it limited Sidhu’s access through its corporate policies.  First, Accenture argued that it implemented policies that prohibited its employees from transferring documents from work computers to personal computers. Sidhu, at * 9-10.  “[A]ccess is not established by employers’ policies, but by the extent the employer makes the computer system available to the employee,” the court concluded.  Id. at *10. 

Also rejected by the court was a variant of the agency theory of the CFAA’s access provision.  Under this theory, an employee is an agent of his or her employer.  Such agents are authorized to access their employers’ computer systems as long as the agents are loyal.  However, as soon as the employee undertakes a disloyal act – such as misappropriating trade secrets or confidential information in order to compete against the employer – the agency is terminated.  Under this theory, the disloyal employee would be accessing his or her employer’s computer systems without authorization.

The variant of the agency theory argued by Accenture emphasized its policy that prohibited dual employment.  During Sidhu’s medical leave, Accenture argued, Sidhu lied to Accenture’s human resources and began working for Accenture’s competitor.  Given these allegations, and under the agency theory, Sidhu’s access to Accenture’s computer system was unauthorized, according to Accenture.  The court rejected this argument as an attempt to “incorporat[e] corporate policy into the substance of the CFAA.”  Id. at *11.  “Whether Sidhu was deceptive, and whether he would have been fired pursuant to Accenture’s Dual Employment Policy had Accenture learned of his deception, are irrelevant.”  Id. at * 12.

These explicit rejections of an employer’s attempt to restrict access to its computers through corporate policies crystallize the importance of taking concrete steps in order to limit employee access to trade secrets and confidential information residing on an employer’s computer systems.  Under the reasoning employed in Sidhu, simply saying that an employee may not access information under certain circumstances may not be enough.

Brent Cossrow is a member of Fisher & Phillips' Employee Defection & Trade Secrets Practice Group.  Mr. Cossrow's practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.

Accenture v. Sidhu.pdf (81.92 kb)

Computer Fraud & Abuse Act

U.S. Loses Argument that the Computer Fraud & Abuse Act Applies to Employees Who Access Work Computers

November 10, 2010 08:58
by Brent A. Cossrow

The recent developments in the criminal prosecution of Sergey Aleynikov for his alleged misappropriation of Goldman Sachs’ high-frequency trading platform provide more interesting insights into the ongoing debate within the federal judiciary concerning the scope of the federal Computer Fraud and Abuse Act (“CFAA”).  Specifically, federal courts continue to debate whether the CFAA applies to the misappropriation of an employer’s electronic trade secrets by departing employees.  In United States v. Aleynikov, the United States District Court for the Southern District of New York said the statute does not apply in this context.  In reaching this conclusion and dismissing the CFAA-based count against Aleynikov, the federal court cited the civil interpretations of the CFAA offered by some recent courts that reached this same conclusion and rejected the holdings taking the opposite interpretation.

Count Three of the Indictment charged Aleynikov with unauthorized computer access and exceeding authorized access in violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(2)(C).  Specifically, Count Three alleged that Aleynikov “unlawfully, intentionally, and knowingly … accessed a computer server maintained by Goldman and copied Goldman's proprietary computer source code ... and then downloaded it to his home computer, all with the intent to use that source code for the economic benefit of himself and his new employer, Teza.”

Aleynikov argued that Section 1030(a)(2) does not encompass an employee's misuse or misappropriation of information that the employee has authority to access.  In response, the United States conceded that Aleynikov was authorized to access the source code for the High-Frequency Trading Platform System that he allegedly stole, but argued that a defendant's purpose or intention is a necessary component of the violation.  According to the Government, the CFAA is therefore violated whenever an individual accesses information with authorization, but does so in violation of a confidentiality agreement or policies or other obligations that the individual owes to the information's owner.

The disagreement between Aleynikov and the United States turns on Section 1030(a)(2) of the CFAA.  It provides that anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer" commits a crime. 18 U.S.C. § 1030(a)(2)(C). The CFAA defines "exceeds authorized  access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Id. § 1030(e)(6). The CFAA does not, however, define the term "access without authorization" or "authorization."

In order to resolve the dispute and define "authorization," the court looked to its ordinary meaning as provided by dictionaries.  The court concluded that “a person who "accesses a computer without authorization" does so without any permission at all. By contrast, a person who "exceeds authorized access" has permission to access the computer, but not the particular information on the computer that is at issue.”  Interestingly, the court also noted that this interpretation of § 1030(a)(2)(C) was supported by holdings in civil actions by the U.S. Court of Appeals for the Ninth Circuit, district courts in the United States Second Circuit and in other circuits, which recently held that an employee with authority to access his employer's computer system does not violate the CFAA by using his access privileges to misappropriate information.

In dicta, but important to the ongoing debate over the scope of the CFAA, the Court specifically rejected the reasoning of other courts such as in Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001).  In its pointed disagreement with the reasoning underlying these cases, the court concluded that:

“an interpretation of the CFAA based upon agency principles would greatly expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense. An employee does not lose "authorization" by accessing a computer with an improper purpose; rather, authorization is controlled by the employer, who may or may not terminate or restrict an employee's access privileges.” 

This holding could have important implications for employers who want to use the CFAA as an enforcement tool against departing employees.  If this interpretation and reasoning were to become the consensus, then it would foreclose use of the CFAA in cases where employees only misappropriated electronic trade secrets.  A copy of the Court's Opinion is available in pdf format below.

Brent Cossrow is a member of Fisher & Phillips' Employee Defection & Trade Secrets Practice Group.  Mr. Cossrow's practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.  Mr. Cossrow has written previously about the Aleynikov prosecution in Risk Management Magazine (pdf copy below) and has been interviewed about it as well.   

 

US v. Aleynikov.pdf (112.71 kb)

Risk Management Magazine -- Jan-Feb 2010.pdf (1.28 mb)

Computer Fraud & Abuse Act

Establishing the “Without Authorization” Element Under the Computer Fraud & Abuse Act

July 9, 2010 21:15
by Heather Zalar Steele

Since the addition of civil remedies in 1994, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), has evolved into a potentially powerful claim in the departing employee context.  In addition to the often-included claims for breach of restrictive covenant, misappropriation of trade secrets and/or unfair competition, CFAA claims are being alleged against more and more employees who transfer employment to a competitive firm.  The likelihood of success on CFAA claims against departing employees, however, varies by jurisdiction.  Recently, numerous courts have debated, and issued divergent rulings, on the enforceability of CFAA claims against departing employees.

 

The debate surrounding the application of CFAA claims against departing employees often focuses on the statute’s “without authorization” or “in excess of one’s authorization” requirement.  In 2000, the United States District Court for the Western District of Washington issued a ruling holding that an employee’s “authorization” to access his or her employer’s computer systems ends when the employee begins to act as another employer’s agent.  See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 199 F. Supp. 2d 1121 (W.D. Wash. 2000) (“the authority of an agent terminates if, without knowledge of the principal, he acquired adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal”).  Subsequent to the Shurgard opinion, two distinct schools of thought on the CFAA’s “authorization” requirement have emerged.  The majority of courts considering the issue, including the First and Seventh Circuit Courts of Appeal, have followed the Shurgard Court’s analysis, holding that an employee exceeds the scope of his or her authorized access to an employer’s computer systems by acting for a purpose against the employer’s best interests, acting for a competitive purpose and/or acting as someone else’s agent – even if such action takes place when the employee is still employed and technically has “authorization” to utilize the company’s computer systems.  See EF Cultural Travel BV, EF v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); International Airport Centers, LLC v. Citrin, 440 F. 3d 418 (7th Cir. 2006).  Numerous district courts have accepted this legal theory, concluding that if an employee breaches his or her duty of loyalty to an employer, the employee’s authorization to access the employer’s computer systems terminates and subsequent access may give rise to a CFAA violation.  See, e.g., Caylon v. Mizuho Securities USA, Inc., No. 07-Civ. 2241, 2007 U.S. Dist. LEXIS (S.D.N.Y. Sept. 5, 2007) (“the plain language of the [CFAA] seems to contemplate that, whatever else, ‘without access’ and ‘exceed authorized access’ would include an employee who is accessing documents on a computer system which that employee had to know was in contravention of the wishes and interests of his employer”); Hub Group, Inc. v. Clancy, No. 05-2046, 2006 WL 208684 (E.D. Pa. Jan. 25, 2006) (finding the employee exceeded the scope of his authorization into his employer’s electronic database of customer information by taking the employer’s information for use at a competitive company).

 

The diverging school of thought on the CFAA’s “authorization” requirement believes that the statute was enacted to protect against the unauthorized access (i.e. procurement or alteration) of computerized information – not to protect against any subsequent use or misuse of information.  The Ninth Circuit Court of Appeals, in analyzing the CFAA’s “authorization” requirement, has held that if an employee accesses his or her employer’s computer systems during employment and, therefore, with the employer’s authorization, subsequent disloyal treatment of the information accessed does not give rise to a CFAA violation.  See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).  A recent decision from the United States District Court for the Western District of Pennsylvania, Consulting Professional Resources, Inc. v. Concise Technologies LLC, Civ. A. No. 09-1201, 2010 WL 1337723 (W.D. Pa., Mar. 9, 2010), follows the Brekka Court’s analysis, dismissing an employer's CFAA claim against a departing employee and stating: “[t]his court likewise declines to construe the CFAA by reliance upon agency principles where the defendant's intent governs whether the access was without authorization or exceeded authorized access.” 

 

It does not appear that this debate regarding the CFAA’s “authorization” requirement will be resolved any time soon.  As recently as May 27, 2010, a Motion to Dismiss was filed in the United States District Court for the Southern District of New York based, in part, on an argument that the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later transferred and utilized to the detriment of his former employer.  See Aon Risk Services Northeast Inc. v. Kornblau et al., Case No. 10-cv-2244(RMB)(JCF) (Document 31).  If the Aon Court accepts the former employer’s arguments regarding the CFAA’s authorization requirement, the decision would represent another rejection of the enforcement-friendly agency theory of departing employee violations of the CFAA that was the basis of the opinions in Shurgard, EF Cultural Travel and Citrin.  Stay tuned for further blog updates regarding the Aon Court’s decision and further debate among the district courts regarding the CFAA’s “authorization” requirement.

Computer Fraud & Abuse Act

Copyright 2007-2013 Fisher & Phillips LLP