On Monday, a federal court in Colorado called attention to a conflict of law that any employee with a company-issued laptop or smart phone would be well-advised to make a mental note of. The case, SBM Site Services, LLC v. Garrett, examines a brief, 18-word provision of the Computer Fraud and Abuse Act (CFAA). No. 10-cv-00385-WJM-BNB (D. Colo. Feb. 27, 2012). Commonly referred to as the CFAA's "unauthorized-access" statute, 18 U.S.C. § 1030(a)(5)(C) makes it a crime for employees or former employees to intentionally access a "protected computer" issued by their employer “without authorization” where such access results in “damage and loss.”
In Garrett, the chief of business development at SBM Site Services, LLC—a company that provides janitorial, recycling, and other support services to industrial facilities—left his employer of 15 years to join forces with a competitor. After tendering his resignation, Mr. Garrett turned his company-issued laptop over to his former employer, but not before allegedly using it to download trade secrets and access customer lists to “lure customers away from SBM” upon his departure. As a result, SBM sued Garrett for, among other things, violating the CFAA's unauthorized-access statute.
In its opinion. the court in Garrett identified a circuit split over the nature of conduct that constitutes access of a company-issued laptop without authorization for purposes of the CFAA. “[U]nder the Seventh Circuit’s approach, whether access to a computer was ‘unauthorized’ depends on the status of the agency relationship between the employer and employee.” For example, in International Airport Centers, LLC v. Citrin, the defendant quit his job to start his own business. 440 F.3d 418 (7th Cir. 2006). Before doing so, however, the employee deleted all of the data stored on his company-issued laptop. In applying the principles of agency law, the Seventh Circuit held that the defendant’s “authorization to access the laptop terminated when, having already . . . decided to quit . . . he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.” Id. at 420.
The Ninth Circuit, on the other hand, has “taken a more narrow view” by “focus[ing] on whether the employer has specifically rescinded the employee’s access to the computer in determining whether such access was ‘unauthorized.’” Garrett, Civil Case No. 10-cv-00385-WJM-BNB (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)). Noting that the Tenth Circuit “has not yet taken a position on this issue,” the district court in Garrett ultimately avoided having to pick a side by finding that the plaintiff had stated a claim under either standard to avoid dismissal.
The CFAA’s “unauthorized-access” provision, when taken at face value, criminalizes a staggeringly broad swath of behavior. Consider whether, based on the plain meaning of language used in § 1030(a)(5)(C), an employee who leaves her employer for a new job after surfing job websites with the laptop issued to her by her former employer has accessed the computer with authority. Or how about an attorney who keeps a digital Rolodex on his firm computer. Is he authorized to remove his list of contacts from the computer if he decides to join another firm? When carried to its logical conclusion, § 1030(a)(5)(C) would presumably make it a crime for an employee to send a personal text message or e-mail from her company-issued iPhone while at work. Expect to see this circuit split grow over time as courts struggle to avoid this "parade of horribles" by coming up with a variety of limitations to help cabin the statute's broad and ambiguous language.