Circuit Splits: U.S. District Court for the Western District of Tennessee

July 02, 2012

Courts Continue to Grapple with Employee Computer Crimes Under the Computer Fraud and Abuse Act

As Professor Stevenson and I have previously noted (here, here, and here), the Computer Fraud and Abuse Act’s (CFAA) “unauthorized-use” statute makes it a crime for current or former employees to intentionally access a protected computer issued or owned by their employer “without authorization” or in a manner that “exceeds authorized access,” resulting in damage and loss.

The nationwide split in authority over the proper scope of the terms “without authorization” and “exceeds authorized access” continues to percolate in the lower courts. Last Friday, Judge Robert H. Bell of the U.S. District Court for the Western District of Michigan issued his opinion in Dana Ltd. v. Am. Axle & Mfg. Holdings, in which he outlines the competing views on this issue:

A. Broad View

“One line of authorities takes a broad view of the statute, holding that ‘an employee accesses a computer 'without authorization' whenever the employee, without the employer's knowledge, acquires an interest that is adverse to that of his employer or is guilty of a serious breach of loyalty.’” Dana Ltd. v. Am. Axle & Mfg. Holdings, File No. 1:10-CV-450 (W.D. Mich. June 29, 2012) (quoting Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (Dist. Mass. 2009)). The court pointed out that the Fifth, Seventh, and Eleventh Circuits have each adopted a broad view of the statute:

United States v. John, 597 F.3d 263 (5th Cir. 2010) (holding that the CFAA encompasses limits placed on the use of information obtained by permitted access to a computer system "at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime").

Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (holding that employee's breach of his duty of loyalty terminated his agency relationship with his employer, and with it his authority to access his employer's computer).

United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (holding that Social Security Administration employee violated the CFAA when he accessed personal records for nonbusiness reasons in violation of SSA policy).

B. Narrow View

“The other line of cases takes a narrow view of the statute, holding that the CFAA prohibits improper ‘access’ of computer information, rather than misuse or misappropriation of such information.” Dana Ltd. v. Am. Axle & Mfg. Holdings, File No. 1:10-CV-450 (W.D. Mich. June 29, 2012). As the court in Dana Ltd. reiterated, the Ninth Circuit as well as several district courts have recently adopted a more narrow view:

LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (noting that the plain language of the CFAA does not support the argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest, and further noting that because the CFAA is a criminal statute, any ambiguity must be resolved in favor of lenity); United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).

Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information. It does not prohibit misuse or misappropriation.").

Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (Dist. Ariz. 2008) (holding that the plain language of the CFAA, its legislative history, and principles of statutory construction support a narrow reading of "authorization").

Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Matsuda, 390 F. Supp. 2d 479, 499 (Dist. Md. 2005) (holding that the CFAA does not proscribe "authorized access for unauthorized or illegitimate purposes").

Ajuba Int'l, L.L.C. v. Saharia, Case No. 11-12936 (E.D. Mich. May 14, 2012) (adopting the narrow approach and holding that allegation that employee lost any authorization he had to access employer's computers, or, exceeded his authorization when he accessed the computers in violation of confidentiality and use limitations, failed to state a claim under the CFAA).

ReMedPar, Inc. v. AllParts Med., L.L.C., 683 F. Supp. 2d 605, 609 (M.D. Tenn. 2010) (construing "without authorization" narrowly, and dismissing CFAA claim based on use of information the employee was authorized to obtain in a fashion that was adverse to the employer's interests).

Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008) (rejecting Citrin's agency analysis, and dismissing CFAA claim that was based not on the employee's accessing of information, but on his later misuse thereof).

Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008) (noting in dicta that the CFAA "was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.").

Although the Sixth Circuit has yet to squarely address the issue, the court in Dana Ltd. speculated that the Sixth Circuit would join the “growing number of cases” that have adopted the narrow view based on its heavy reliance on the Ninth Circuit’s definition of the term "without authorization.” The court further explained that the rule of lenity, the plain meaning of the statutory text, and the CFAA's legislative history lend support to the court's narrow interpretation.

We will continue to follow this issue closely as it continues to make its way up to the Supreme Court.

May 22, 2012

Federal Judge Highlights Dissension Over Computer Fraud and Abuse Act

The circuit split over the Computer Fraud and Abuse Act’s (CFAA) “unauthorized-use” statute has been on our radar here at CircuitSplits.com since we first wrote about it back in February. You can read our previous coverage here and here.

To recap, 18 U.S.C. § 1030(a)(5)(C) makes it a crime for current or former employees to intentionally access a protected computer issued or owned by their employer “without authorization” or in a manner that “exceeds authorized access,” resulting in damage and loss. As Judge Marianne Battani of the U.S. District Court for the Eastern District of Michigan noted in last week, “a nationwide split of authority concerning the proper interpretation of the terms ‘without authorization’ and ‘exceeds authorized access.’”

Judge Battani’s opinion offers the following overview of the emerging inter-circuit split over the CFAA:

The split arises from cases in which an employer brings a CFAA claim against an employee who accesses the employer's computer to misappropriate confidential or proprietary business information to start a competing business venture or join a competitor. Courts around the country struggle with whether the CFAA applies in a situation where an employee who had been granted access to his employer's computers uses that access for an improper purpose. The split of authority specifically originates from competing interpretations of the terms "without authorization" and "exceeds authorized access," the statutory predicates for liability

Some courts have construed the terms narrowly, holding that an employee's misuse or misappropriation of an employer's business information is not "without authorization" so long as the employer has given the employee permission to access such information. See LVRC Holdings L.L.C. v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (holding that that the CFAA targets the unauthorized procurement or alteration of information rather than its misuse); Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F.Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information. It does not prohibit misuse or misappropriation."); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) ("[T]he plain language of the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation."); Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Matsuda, 390 F.Supp.2d 479, 499 (D. Md. 2005) ("[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access."). In other words, courts adopting the narrow approach hold that, once an employee is granted "authorization" to access an employer's computer that stores confidential company data, that employee does not violate the CFAA regardless of how he subsequently uses the information.

Other courts have construed the terms broadly, finding that the CFAA covers violations of an employer's computer use restrictions or a breach of the duty of loyalty under the agency doctrine. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). The broad approach holds that "an employee accesses a computer 'without authorization' whenever the employee, without the employer's knowledge, acquires an interest that is adverse to that of his employer or is guilty of a serious breach of loyalty." Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009) (citations omitted).

Although the Sixth Circuit has not squarely addressed the meaning of "without authorization" or "exceeds authorized access" in the context of an employment dispute, the court favored the narrow interpretation in Pulte Homes, Inc. v. Laborers' Intern. Union of N. Am., 648 F.3d 295, 299 (6th Cir. 2011). In Pulte, the court affirmed the dismissal of a CFAA claim against a defendant labor union who bombarded a plaintiff home builder with spam emails and voicemails in response to its firing of a union employee. Id. at 303. The court found that the defendant's use of unprotected public communication systems to contact the plaintiff defeated the allegation that it accessed the plaintiff's computers "without authorization" under the CFAA. Id. at 304. In reaching this conclusion, the court interpreted the terms "without authorization" and "exceeds authorized access" consistent with the narrow approach, citing Brekka as persuasive authority. Id. Accordingly, Pulte suggests the Sixth Circuit would adopt a narrow interpretation of the CFAA when the issue presents itself in the context of an employment dispute such as the present case.

Moreover, at least two district courts in the Sixth Circuit have specifically confronted the split of authority and expressly adopted the narrow approach. See ReMedPar, Inc. v. AllParts Med., L.L.C., 683 F. Supp. 2d 605, 609 (M.D. Tenn. 2010); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008); see also Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008) (suggesting in dicta that the narrow approach is preferred, noting that "[t]he statute was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers. . . .").

After reviewing each line of authority, the Court finds the narrow interpretation the better reasoned approach. The Court agrees with the three rationales offered in support of this view: (1) the plain meaning of the statute compels a court to interpret "authorization" narrowly; (2) the rule of lenity and the statutory canon of avoiding absurd results favor a narrow construction; and (3) the legislative history and congressional intent support such a finding. See Brekka, 581 F.3d at 1132-33 (engaging in a plain meaning analysis of "without authorization" and "exceeds authorized access"); Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 F. Supp. 2d 1267, 1272 (M.D. Ala. 2010) (applying the rule of lenity and the canon of avoiding absurd results); ReMedPar, 683 F.Supp. 2d at 613 (discussing legislative history of the CFAA).

The Court also agrees with the primary criticisms of the broad interpretation:

[Cases adopting the broad approach] identify no statutory language that supports interpreting the CFAA to reach misuse or misappropriation of information that is lawfully accessed. Instead, they improperly infer that "authorization" is automatically terminated where an individual exceeds the purposes for which access is "authorized." But the definition of "exceeds authorized access" in § 1030(e)(6) indicates that Congress did not intend to include such an implicit limitation in the word "authorization." The interpretation of the CFAA adopted in this line of cases would require an analysis of an individual's subjective intent in accessing a computer system, whereas the text of the CFAA calls for only an objective analysis of whether an individual had sufficient "authorization." While a confidentiality agreement or other policies or obligations owed to an employer may prohibit misuse of a company's internal computer system or misappropriation of confidential information therein, the plain text of the CFAA does not.

Furthermore, an interpretation of the CFAA based upon agency principles would greatly expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense. An employee does not lose "authorization" by accessing a computer with an improper purpose; rather, authorization is controlled by the employer, who may or may not terminate or restrict an employee's access privileges.

U.S. v. Aleynikov, 737 F. Supp. 2d 173, 193 (S.D. N.Y. 2010) (internal quotation marks and citations omitted). Accordingly, a violation for accessing "without authorization" under the CFAA occurs only where initial access is not permitted and a violation for "exceeding authorized access" occurs only where initial access is permitted but the access of certain information is not permitted. See ReMedPar, 683 F. Supp. 2d at 613; Black & Decker, 568 F.Supp.2d at 935; Shamrock, 535 F. Supp. 2d at 965.

You can read the full opinion here: Ajuba Int'l, L.L.C. v. Saharia, Case No. 11-12936 (E.D. Mich. May 14, 2012).

April 05, 2012

Wide Divide Over the Right to Reject Unwanted Sexual Advances in the Workplace

In 1998 the Supreme Court construed Title VII to prohibit "sexual harassment so severe or pervasive as to alter the conditions of [the victim's] employment and create an abusive working environment." Faragher v. City of Boca Raton, 524 U.S. 775, 807 (1998) (construing 42 U.S.C. § 2000e-2(a)(1)). Where an employee partakes in a “protected activity,” Title VII similarly prohibits employers from retaliating against them for engaging in that protected activity.

Today’s post looks at whether an employee’s rejection of their colleague or supervisor’s unwanted sexual advances is a “protected activity” within the meaning of Title VII. As Judge Richard Roberts of the U.S. District Court for the District of Columbia pointed out last week, the courts are deeply divided over the issue. Dozier-Nix v. District of Columbia, Civil Action No. 09-593 (RWR) (Dist. D.C. Mar. 31, 2012) (mem. op.). Here is a look at where the courts stand on the issue:

1. Rejecting unwanted sexual advances is a protected activity under Title VII.

Farrell v. Planters Lifesavers Co., 22 F. Supp. 2d 372, 392 (Dist. N.J. 1998), aff'd in part, rev'd in part on other grounds, 206 F.3d 271 (3d Cir. 2000).

Ogden v. Wax Works, 214 F.3d 999, 1007 (8th Cir. 2000).

Williams v. Verizon Wash. D.C., 266 F. Supp. 2d 107, 122-23 (Dist. D.C. 2003).

Frentz v. City of Elizabethtown, Civil Action No. 08-621, 2010 U.S. Dist. LEXIS 118565, 2010 WL 4638768, at *5 (W.D. Ky. Nov. 4, 2010).

Roberts v. Cnty. of Cook, No. 01-C-9373, 2004 U.S. Dist. LEXIS 8089, 2004 WL 1088230 at *4-5 (N.D. Ill. May 12, 2004) (mem. op.).

Black v. City & Cnty. of Honolulu, 112 F. Supp. 2d 1041, 1049 (D. Haw. 2000).

Fleming v. South Carolina Dep't of Corrections, 952 F. Supp. 283, 288 (Dist. S.C. 1996).

Armbruster v. Epstein, 1996 U.S. Dist. LEXIS 7459, No. Civ. A 96-CV-1059, 1996 WL 289991, at *3 (E.D. Pa. May 31, 1996).

EEOC v. Domino's Pizza, 909 F. Supp. 1529, 1536 (M.D. Fla. 1995).

Burrell v. City Univ. of New York, 894 F. Supp. 750, 761 (S.D.N.Y. 1995).

Boyd v. James S. Hayes Living Health Care Agency, Inc., 671 F. Supp. 1155, 1167 (W.D. Tenn. 1987).

2. Rejecting unwanted sexual advances is not a protected activity under Title VII.

LeMaire v. La. Dep't of Transp. & Dev., 480 F.3d 383, 389-90 (5th Cir. 2007).

Jones v. Cnty. of Cook, 2002 U.S. Dist. LEXIS 13075, No. 01 C 9876, 2002 WL 1611606, at *4 (N.D. Ill. July 17, 2002).

Rachel-Smith v. FTData, Inc., 247 F. Supp. 2d 734, 748-49 (D. Md. 2003).

Fitzgerald v. Henderson, 36 F. Supp. 2d 490, 499 (N.D.N.Y. 1998), aff'd in part, rev'd in part on other grounds, 251 F.3d 345 (2d Cir. 2001).

Del Castillo v. Pathmark Stores, Inc., 941 F. Supp. 437, 438-39 (S.D.N.Y. 1996).

Please feel free to add to this list by leaving a comment.

Circuit Splits

July 02, 2012

Courts Continue to Grapple with Employee Computer Crimes Under the Computer Fraud and Abuse Act

May 22, 2012

Federal Judge Highlights Dissension Over Computer Fraud and Abuse Act

April 05, 2012

Wide Divide Over the Right to Reject Unwanted Sexual Advances in the Workplace

Search

Search by

Recent Posts

Archives

Masthead