There is now a full-blown and growing split between the federal courts of appeal over the scope of the Computer Fraud and Abuse Act (CFAA). On Thursday, July 26, 2012, the U.S. Court of Appeals for the Fourth Circuit adopted the reasoning of the U.S. Court of Appeals for the Ninth Circuit in its April 12, 2012 decision in U.S. v. Nosal, narrowly applied the CFAA, and dismissed an employer’s complaint against a former employee for copying confidential information from his work computer. (A PDF copy of the opinion can be found below).
In WEC Carolina Energy v. Miller, the Fourth Circuit has found that the CFAA will only be applied to hacking incidents and not to the theft of trade secrets. (A hat tip to Kenneth Vanko, who spent his Saturday detailing this development in his Legal Developments in Non-Competition Agreements Blog. Venkat Balasubramani and Eric Goldman’s takes on the case can be found in their Technology & Marketing Law Blog, and Josh Durham of Poyner Spruill also has a thorough write-up.)
Factual Background: Miller, a former employee of WEC, was alleged to have copied confidential and proprietary information before leaving to join his new employer, Arc Energy Services. WEC Carolina had computer usage policies that forbade employees from using confidential information or copying information to their personal computers. WEC alleged that Miller had taken that information and used it for a presentation to a customer on behalf of Arc, a presentation that allegedly won that client over to Arc. In short, not the most compelling trade secrets case.
The U.S. District Court of South Carolina dismissed the CFAA claim, reasoning that because the policies in question only addressed improper “use” and not “access,” WEC Carolina could not establish that Miller acted without authorization or exceeded that authorization when he accessed the confidential information. The district court declined to exercise supplemental jurisdiction over the remaining state law claims and dismissed the case.
Fourth Circuit’s Reasoning: Because the CFAA provides for criminal as well as civil penalties, the Fourth Circuit applied the rule of strict construction to the CFAA. Focusing on the key phrases in the CFAA, the Fourth Circuit concluded, based on its application of “ordinary, contemporary, common meaning,” that the word “authorization” meant that an employee is authorized to access a computer when his employer approves or sanctions “his admission to that computer.” Applying that definition, the Fourth Circuit reasoned that an employee accesses a computer “without authorization” when he gains admission to a computer without approval. Similarly, the Fourth Circuit concluded that an employee “exceeds authorized access” when he has approval to access a computer but uses that access to obtain or alter information outside the bounds of his approved access.
Applying these definitions, the Fourth Circuit found that neither forbade Miller’s “use” of information that was validly accessed in the first place. The Fourth Circuit acknowledged that its holding would “disappoint employers hoping for a means to rein in rogue employees.” But the Fourth Circuit emphasized that it was “unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.” (Query: if the policy had forbidden accessing information for purposes other than furthering WEC Carolina’s business, would that policy have been sufficient to trigger a claim under the CFAA?)
The Takeaway: There is now an even greater impetus for the U.S. Solicitor General to appeal from the ruling in Nosal. We now have, on the one side, the Fourth Circuit and Ninth Circuit holding that violations of computer use policies do not amount to a violation of the CFAA, and the Fifth, Seventh and Eleventh Circuits on the other side holding that violations of those policies do qualify as violations of the CFAA.
In the meantime, employers in Maryland, North Carolina, South Carolina, Virginia and West Virginia will not be able to use a violation of a computer use policy as a basis for a claim under the CFAA. They will have to rely instead on the Uniform Trade Secrets Act and common law claims in any trade secret disputes against employees whom the employers believe used their work electronic devices to take confidential information.