The circuit split over the Computer Fraud and Abuse Act’s (CFAA) “unauthorized-use” statute has been on our radar here at CircuitSplits.com since we first wrote about it back in February. You can read our previous coverage here and here.
To recap, 18 U.S.C. § 1030(a)(5)(C) makes it a crime for current or former employees to intentionally access a protected computer issued or owned by their employer “without authorization” or in a manner that “exceeds authorized access,” resulting in damage and loss. As Judge Marianne Battani of the U.S. District Court for the Eastern District of Michigan noted in last week, “a nationwide split of authority concerning the proper interpretation of the terms ‘without authorization’ and ‘exceeds authorized access.’”
Judge Battani’s opinion offers the following overview of the emerging inter-circuit split over the CFAA:
The split arises from cases in which an employer brings a CFAA claim against an employee who accesses the employer's computer to misappropriate confidential or proprietary business information to start a competing business venture or join a competitor. Courts around the country struggle with whether the CFAA applies in a situation where an employee who had been granted access to his employer's computers uses that access for an improper purpose. The split of authority specifically originates from competing interpretations of the terms "without authorization" and "exceeds authorized access," the statutory predicates for liability
Some courts have construed the terms narrowly, holding that an employee's misuse or misappropriation of an employer's business information is not "without authorization" so long as the employer has given the employee permission to access such information. See LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (holding that that the CFAA targets the unauthorized procurement or alteration of information rather than its misuse); Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F.Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information. It does not prohibit misuse or misappropriation."); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) ("[T]he plain language of the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation."); Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Matsuda, 390 F.Supp.2d 479, 499 (D. Md. 2005) ("[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access."). In other words, courts adopting the narrow approach hold that, once an employee is granted "authorization" to access an employer's computer that stores confidential company data, that employee does not violate the CFAA regardless of how he subsequently uses the information.
Other courts have construed the terms broadly, finding that the CFAA covers violations of an employer's computer use restrictions or a breach of the duty of loyalty under the agency doctrine. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). The broad approach holds that "an employee accesses a computer 'without authorization' whenever the employee, without the employer's knowledge, acquires an interest that is adverse to that of his employer or is guilty of a serious breach of loyalty." Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009) (citations omitted).
Although the Sixth Circuit has not squarely addressed the meaning of "without authorization" or "exceeds authorized access" in the context of an employment dispute, the court favored the narrow interpretation in Pulte Homes, Inc. v. Laborers' Intern. Union of N. Am., 648 F.3d 295, 299 (6th Cir. 2011). In Pulte, the court affirmed the dismissal of a CFAA claim against a defendant labor union who bombarded a plaintiff home builder with spam emails and voicemails in response to its firing of a union employee. Id. at 303. The court found that the defendant's use of unprotected public communication systems to contact the plaintiff defeated the allegation that it accessed the plaintiff's computers "without authorization" under the CFAA. Id. at 304. In reaching this conclusion, the court interpreted the terms "without authorization" and "exceeds authorized access" consistent with the narrow approach, citing Brekka as persuasive authority. Id. Accordingly, Pulte suggests the Sixth Circuit would adopt a narrow interpretation of the CFAA when the issue presents itself in the context of an employment dispute such as the present case.
Moreover, at least two district courts in the Sixth Circuit have specifically confronted the split of authority and expressly adopted the narrow approach. See ReMedPar, Inc. v. AllParts Med., L.L.C., 683 F. Supp. 2d 605, 609 (M.D. Tenn. 2010); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008); see also Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008) (suggesting in dicta that the narrow approach is preferred, noting that "[t]he statute was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers. . . .").
After reviewing each line of authority, the Court finds the narrow interpretation the better reasoned approach. The Court agrees with the three rationales offered in support of this view: (1) the plain meaning of the statute compels a court to interpret "authorization" narrowly; (2) the rule of lenity and the statutory canon of avoiding absurd results favor a narrow construction; and (3) the legislative history and congressional intent support such a finding. See Brekka, 581 F.3d at 1132-33 (engaging in a plain meaning analysis of "without authorization" and "exceeds authorized access"); Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 F. Supp. 2d 1267, 1272 (M.D. Ala. 2010) (applying the rule of lenity and the canon of avoiding absurd results); ReMedPar, 683 F.Supp. 2d at 613 (discussing legislative history of the CFAA).
The Court also agrees with the primary criticisms of the broad interpretation:
[Cases adopting the broad approach] identify no statutory language that supports interpreting the CFAA to reach misuse or misappropriation of information that is lawfully accessed. Instead, they improperly infer that "authorization" is automatically terminated where an individual exceeds the purposes for which access is "authorized." But the definition of "exceeds authorized access" in § 1030(e)(6) indicates that Congress did not intend to include such an implicit limitation in the word "authorization." The interpretation of the CFAA adopted in this line of cases would require an analysis of an individual's subjective intent in accessing a computer system, whereas the text of the CFAA calls for only an objective analysis of whether an individual had sufficient "authorization." While a confidentiality agreement or other policies or obligations owed to an employer may prohibit misuse of a company's internal computer system or misappropriation of confidential information therein, the plain text of the CFAA does not.
Furthermore, an interpretation of the CFAA based upon agency principles would greatly expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense. An employee does not lose "authorization" by accessing a computer with an improper purpose; rather, authorization is controlled by the employer, who may or may not terminate or restrict an employee's access privileges.
U.S. v. Aleynikov, 737 F. Supp. 2d 173, 193 (S.D. N.Y. 2010) (internal quotation marks and citations omitted). Accordingly, a violation for accessing "without authorization" under the CFAA occurs only where initial access is not permitted and a violation for "exceeding authorized access" occurs only where initial access is permitted but the access of certain information is not permitted. See ReMedPar, 683 F. Supp. 2d at 613; Black & Decker, 568 F.Supp.2d at 935; Shamrock, 535 F. Supp. 2d at 965.
You can read the full opinion here: Ajuba Int'l, L.L.C. v. Saharia, Case No. 11-12936 (E.D. Mich. May 14, 2012).