A lot of digital ink has been spilled writing about the scope of the Computer Fraud and Abuse Act since the Ninth Circuit created a circuit split over the issue back in April. You can read our coverage of recent developments in the split here, here, here, and here.
Last week the split deepened as the Fourth Circuit joined the Ninth Circuit in adopting a narrow construction of the Act’s “unauthorized access” statute. Under this statute, an employee or former employee may face criminal charges or civil liability where they intentionally access a "protected computer" issued by their employer “without authorization” or in a manner that "exceeds authorized access” resulting in “damage and loss.”
Writing for the Fourth Circuit last week, Judge Henry Franklin Floyd summarized the competing positions taken by his colleagues sitting in sister circuits:
In short, two schools of thought exist. The first, promulgated by the Seventh Circuit and advanced by WEC here, holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. See Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). Thus, for example, the Seventh Circuit held that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. Id. at 419-21. It reasoned that his "breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship." Id. at 420-21.
The second, articulated by the Ninth Circuit and followed by the district court here, interprets "without authorization" and "exceeds authorized access" literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. See United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134-35 (9th Cir. 2009). Thus, in Nosal, the Ninth Circuit, sitting en banc, held that the defendant’s co-conspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and trans- ferred it to the defendant, a competitor and former employee. Nosal, 676 F.3d at 856, 864. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded. Id. at 863-64. As we explain below, we agree with this latter view.
You can find the full opinion here: WEC Carolina Energy Solutions v. Miller, No. 11-1201 (4th Cir. July 26, 2012).
Earlier this week Orin Kerr of the Volokh Conspiracy discussed several related developments that may affect the Supreme Court’s willingness to resolve the division next term:
Last Thursday, the Fourth Circuit deepened the apparent circuit split by joining the Ninth Circuit in adopting a narrow interpretation of the CFAA in WEC Carolina Energy Solutions v. Miller. A day later, DOJ asked for another extension of the period in which a cert petition could be filed in United States v. Nosal, the Ninth Circuit en banc case. DOJ’s request for more time may have been at least in part a response to the Fourth Circuit’s decision the day before, although I haven’t seen the filing so I don’t actually know. It’s also possible that DOJ wasn’t planning on filing for cert in Nosal but might reconsider in light of WEC. It’s hard to know.
. . . . Chairman Leahy has proposed an amendment to the Cybersecurity Act that would . . . . add a bunch of things DOJ wants, such as enhancing the CFAA’s penalties, . . . . [and would] add the statutory fix to the definition of “exceeds authorized access” that essentially adopts the narrow view of the circuit split on the scope of the CFAA (see Section 8 of the Amendment).
Professor Kerr's post goes on to explain that, if the Supreme Court reviews the issue and ends up adopting the narrow view taken by the Fourth and Ninth Circuits, “then the statutory fix doesn’t have much value.” On the other hand, Kerr points out that “the issue is no longer certworthy” if Congress enacts the statutory fix, effectively codifying the narrow view expressed in WEC Carolina Energy Solutions.
Comments