As Professor Stevenson and I have previously noted (here, here, and here), the Computer Fraud and Abuse Act’s (CFAA) “unauthorized-use” statute makes it a crime for current or former employees to intentionally access a protected computer issued or owned by their employer “without authorization” or in a manner that “exceeds authorized access,” resulting in damage and loss.
The nationwide split in authority over the proper scope of the terms “without authorization” and “exceeds authorized access” continues to percolate in the lower courts. Last Friday, Judge Robert H. Bell of the U.S. District Court for the Western District of Michigan issued his opinion in Dana Ltd. v. Am. Axle & Mfg. Holdings, in which he outlines the competing views on this issue:
A. Broad View
“One line of authorities takes a broad view of the statute, holding that ‘an employee accesses a computer 'without authorization' whenever the employee, without the employer's knowledge, acquires an interest that is adverse to that of his employer or is guilty of a serious breach of loyalty.’” Dana Ltd. v. Am. Axle & Mfg. Holdings, File No. 1:10-CV-450 (W.D. Mich. June 29, 2012) (quoting Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (Dist. Mass. 2009)). The court pointed out that the Fifth, Seventh, and Eleventh Circuits have each adopted a broad view of the statute:
- United States v. John, 597 F.3d 263 (5th Cir. 2010) (holding that the CFAA encompasses limits placed on the use of information obtained by permitted access to a computer system "at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime").
- Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (holding that employee's breach of his duty of loyalty terminated his agency relationship with his employer, and with it his authority to access his employer's computer).
- United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (holding that Social Security Administration employee violated the CFAA when he accessed personal records for nonbusiness reasons in violation of SSA policy).
B. Narrow View
“The other line of cases takes a narrow view of the statute, holding that the CFAA prohibits improper ‘access’ of computer information, rather than misuse or misappropriation of such information.” Dana Ltd. v. Am. Axle & Mfg. Holdings, File No. 1:10-CV-450 (W.D. Mich. June 29, 2012). As the court in Dana Ltd. reiterated, the Ninth Circuit as well as several district courts have recently adopted a more narrow view:
- LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (noting that the plain language of the CFAA does not support the argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest, and further noting that because the CFAA is a criminal statute, any ambiguity must be resolved in favor of lenity); United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).
- Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information. It does not prohibit misuse or misappropriation.").
- Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (Dist. Ariz. 2008) (holding that the plain language of the CFAA, its legislative history, and principles of statutory construction support a narrow reading of "authorization").
- Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Matsuda, 390 F. Supp. 2d 479, 499 (Dist. Md. 2005) (holding that the CFAA does not proscribe "authorized access for unauthorized or illegitimate purposes").
- Ajuba Int'l, L.L.C. v. Saharia, Case No. 11-12936 (E.D. Mich. May 14, 2012) (adopting the narrow approach and holding that allegation that employee lost any authorization he had to access employer's computers, or, exceeded his authorization when he accessed the computers in violation of confidentiality and use limitations, failed to state a claim under the CFAA).
- ReMedPar, Inc. v. AllParts Med., L.L.C., 683 F. Supp. 2d 605, 609 (M.D. Tenn. 2010) (construing "without authorization" narrowly, and dismissing CFAA claim based on use of information the employee was authorized to obtain in a fashion that was adverse to the employer's interests).
- Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008) (rejecting Citrin's agency analysis, and dismissing CFAA claim that was based not on the employee's accessing of information, but on his later misuse thereof).
- Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008) (noting in dicta that the CFAA "was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.").
Although the Sixth Circuit has yet to squarely address the issue, the court in Dana Ltd. speculated that the Sixth Circuit would join the “growing number of cases” that have adopted the narrow view based on its heavy reliance on the Ninth Circuit’s definition of the term "without authorization.” The court further explained that the rule of lenity, the plain meaning of the statutory text, and the CFAA's legislative history lend support to the court's narrow interpretation.
We will continue to follow this issue closely as it continues to make its way up to the Supreme Court.