Computer Fraud and Abuse Act

James P. Flynn
James P. Flynn

In the recent case of United States v. Nosal, the United States Court of Appeals for the Ninth Circuit confirmed the applicability of both the Computer Fraud and Abuse Act and the Economic Espionage Act as safeguards against theft of trade secrets by departed former employees.  Importantly, Nosal applied such laws to convict a former employee in a case involving domestic businesses and personnel without any alleged overseas connections.  Because of civil enforcement provisions in the CFAA itself and the recently enacted Defend Trade Secrets Act, Nosal represents a possible guide to employers seeking to protect their trade secrets through civil or criminal mechanisms, or both.

In assessing the implication of Nosal, one may consider three framing questions:

  1. How does this case take the trend of criminalization and federalization of trade secret law a step further?

The Nosal case is a great example of three trends coming together to give corporate employer and trade secret owners access to new avenues for relief.

First, Nosal pushes forward the trend that began in 2013 when the Department of Justice announced that trade secret prosecutions would become an area of emphasis.  Since then, DOJ has been much more receptive to business crime claims.

Second, it is the next step in the law’s evolution—the majority decision construed both the Consumer Fraud & Abuse Act and Economic Espionage Act in a complementary manner consistent with their plain language and applied them to common sense circumstances that seemed like theft. The CFAA is written in language beyond that of  a technical anti-hacking statute, and it is important that a federal appeals court has recognized that scope.

Third, and most importantly, Nosal is a step in the right direction on protecting trade secrets whether or not there are later criminal prosecutions on similar theories.  That is because the CFAA and now, since April, the Defend Trade Secrets Act also allow for civil remedies. Nosal’s common sense result was that one is acting without authorization when one uses another’s password because the actor’s password  has been revoked—that holding is not only a tool for prosecutors, but is one that civil litigants could use as well.

2. Why have there been more criminal convictions in trade secrets cases in the past few years?

Changes in in policy, changes in politics, and changes in perceptions.

First, the Obama administration formally issued a written policy in February 2013 announcing ADMINISTRATION STRATEGY ON MITIGATING THE THEFT OF U.S. TRADE SECRETS.  So one is seeing more prosecutions, and convictions, in some sense because DOJ has pursued that policy.

Second, there is a growing sense that these crimes not only hurt individual companies economically, but hurt the United States and its citizens more generally. That is why so many of the higher profile trade secret prosecutions have involved defendants who were foreign nationals or were assisting foreign companies.  Public and political support for pursuing such cases cannot be underestimated.

Finally, in light of the announced policy and the evolving political reality, companies are simply more likely to report such crimes. In the past, victimized companies hesitated to draw attention to their own losses or injuries and thought doing so also required them to give up control of recovery efforts to prosecutors.  Those perceptions have changed, and Nosal and cases like it are examples of such changes.

3. What were the key takeaways from the dissent in Nosal that might gain traction as other circuits address these issues?

The dissent had three main criticisms of the majority opinion.

The first criticism was that, in the dissent’s view, the 9th Circuit improperly expanded the CFAA beyond its anti-hacking roots to apply it to what the dissent described as mere password sharing.

Second, the dissenting judge contended that the decision effectively turns employers’ computer use policies into non-public criminal codes of which defendants have inadequate notice.

Third, and what likely in some ways probably motivates the dissent’s first two points, the dissent observed that this decision potentially empowers corporate employers to have undue influence in criminal prosecutions.

These statutes and the criminal prosecution of trade secret theft continue to be areas of interest that trade secret owners and their counsel should follow, and should consider in enforcing their own rights in these matters.

On March 20, 2015, a California federal court rejected an expansive reading of the Computer Fraud and Abuse Act (“CFAA”) urged by two plaintiff corporations that sought to hold a competitor and two of its directors liable under the CFAA, under an agency theory, for the actions of a former employee who allegedly downloaded and stole the corporations’ confidential trade secrets.

The plaintiffs, Koninklijke Philips N.V. and Philips Lumileds Lighting Company (“Lumileds”) are engaged in the business of Light Emitting Diode (“LED”) technology.  They alleged that Dr. Gangyi Chen, while employed, downloaded Lumileds’ trade secrets and confidential business information onto a portable storage device, then resigned and began working for a competitor in China, Elec-Tech International Co., Ltd. (“ETI”).  Six months after Dr. Chen began at ETI, in an amount of time that plaintiffs called unprecedented in the lighting industry, ETI announced two new high-energy LED lighting products.

The plaintiffs sued in federal court in California, bringing nine state law claims and one federal CFAA claim against various defendants, including Dr. Chen, ETI and two of ETI’s directors.  Plaintiffs’ CFAA allegations were that the defendants exceeded authorized access or otherwise accessed plaintiffs’ computers without authorization.  As against Dr. Chen, the allegations were that he directly accessed the data, but as to the other defendants, the allegations essentially were that Dr. Chen acted as an agent and a conduit through which the other agents gained unauthorized access to plaintiffs’ data.

In the decision in Koninklijke Philips N.V.  v. Elec-Tech International Co., Ltd. (N.D. Cal. March 20, 2015), the Court dismissed the CFAA claim, first holding that that Dr. Chen was authorized to access the information he allegedly stole from Lumileds, and therefore no CFAA claim was stated.  Second, the Court rejected plaintiffs’ indirect access theory of CFAA liability as to the other defendants, neatly summarizing its holding as follows:

If the Court accepted Plaintiffs’ argument here, that the mere pleading of an agency relationship between the insider and an outsider could render the outsider subject to liability under the CFAA, it would effectively federalize all trade secret misappropriation cases where parties use a computer to download sensitive or confidential trade secret information – which would be nearly every trade secret case nowadays, when companies maintain their files electronically rather than in physical cabinets.  Plaintiffs are really making a policy argument better directed to Congress instead of this Court, which must follow the clear direction from the Ninth Circuit as to who can and cannot be held liable under the CFAA.

While there have been efforts in Congress in recent years to pass a law creating a federal claim for trade secret misappropriation, Congress has not done so yet.  Until it does, this decision by the Northern District of California is a useful reminder that plaintiffs considering asserting claims under the “anti-hacking” CFAA must make sure that the facts fall within that statute’s relatively narrow confines.  If they do not, such plaintiffs likely will be limited to state law claims and remedies for trade secret misappropriation and the like, and probably will be constrained to proceed in state court, rather than federal court.

On November 13, 2013, my partner Jim Goodman and I presented a national webinar discussing recent developments in Trade Secrets and Non-Competes. In that webinar, I discussed the split in the Circuits’ interpretation of the Computer Fraud and Abuse Act (CFAA).  (Access to the recording and presentation is by request only.)  I have also blogged on the most recent case that had been decided in the District of Massachusetts dealing with the interpretation of the CFAA, Advanced Micro Devices, Inc. v. Robert Feldstein, C.A. No. 13-40007-TSH, 2013 U.S. Dist. LEXIS 81206 (D. Mass. Jun. 10, 2013).

The issue that the courts are wrestling with is how to interpret the meaning of the terms “exceeds authorized access” and “without authorization,” which are in the CFAA. The issue has unfortunately not been resolved by the United States Supreme Court. Until then, different interpretations will continue to exist in the federal courts.

Recently, Chief Magistrate Judge Leo T. Sorokin rendered the latest opinion in the District of Massachusetts on the issue in MOCA Systems Inc. v. Bernier, C.A. No. 13-10738-LTS, 2013 U.S. Dist. LEXIS 161071 (D. Mass. Nov. 12, 2013). In that case, he refused to dismiss a CFAA claim, but allowed the defendants to bring the claim up later in the case at the summary judgment stage.

MOCA Systems sued Bernier (its former CEO) and Pernier Systems, the company he founded, claiming that Bernier improperly accessed MOCA’s computer systems for the purpose of competing with MOCA. The defendants moved to dismiss the Complaint.

Judge Sorokin quoted the language from the CFAA that has caused the split by the courts which states that a defendant is civilly liable where he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” 18 U.S.C. § 1030(a)(4) (emphasis added).

Judge Sorokin acknowledged that there are two views that the Courts have taken interpreting this language, commonly referred to as the “narrow” view and the “broad” view. The Courts that take the narrow view interpret the CFAA as limited to hacking. Thus, as long as the individual has authority to access the computer, he or she does not act “without authority” or “exceed” his or her “authorization” even though the employee used the information for personal needs after leaving the company. Those Courts that take the “broad” view focus on unauthorized use by the former employee on the theory that the former employee exceeds his or her authorization when the information is used in a way that is adverse to the company or violated the company’s policy.

In MOCA, the Court acknowledged that in the District of Massachusetts, in Advanced Micro Devices, Inc. v. Feldstein, District Judge Hillman recently found that the narrow construction was “preferable.” The Court also acknowledged that there is even a split in the District of Massachusetts. (See District Judge Gorton’s decision in Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009), in which he followed the broader line of cases.) However, in MOCA, Magistrate Judge Sorokin chose to defer the issue until summary judgment just as Judge Hillman did in Advanced Micro Devices and said that he didn’t have to decide whether to adopt the “narrow” or the “broad view” at this early stage since the facts in the case “suffice under either standard.” In reaching this conclusion, he relied on the allegations in the Complaint which, assuming they are true, state that Bernier accessed the company-owned computer after he left the Company, which would support the claim that Bernier acted “without authority.”

This case illustrates once more that Courts are trying to deal with the differing interpretations of the CFAA and defer a final decision on the issue when the facts support that approach. Until the U.S. Supreme Court finally issues a definitive interpretation of the CFAA, we will continue to see different results issued by Courts depending which Court and in some cases, which judge, hears the case.

A California legislator recently introduced two bills in Congress which, if passed, could have profound effects for companies seeking to pursue claims relating to trade secrets and confidential information – one bill would create a new private right of action under federal law for trade secret theft, while the other bill would appear to limit plaintiffs’ abilities to pursue existing remedies for computer fraud and abuse.

In its current form, the Economic Espionage Act allows only federal prosecutors to bring criminal trade secrets charges against persons who have stolen trade secrets. On June 20, 2013, however, Representative Zoe Lofgren (a California Democrat representing a district that includes San Jose and Silicon Valley) introduced a bill titled the “Private Right of Action Against Theft of Trade Secrets Act of 2013” (H.R. 2466) which would amend the Economic Espionage Act to add a civil remedy, by adding two new subsections to 18 U.S.C. §1832:

(c) Any person who suffers injury by reason of violation of this section may maintain a civil action against the violator to obtain appropriate compensatory damages and injunctive relief or other equitable relief. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

(d) For purposes of this section, the term ‘without authorization’ shall not mean independent derivation or working backwards from a lawfully obtained known product or service to divine the process which aided its development or manufacture.

If passed, this proposed amendment could result in a dramatic uptick of trade secrets lawsuits filed in federal courts. Currently, companies pursuing trade secret misappropriation claims are largely limited to state law remedies, and as a result often find themselves limited to state court.

While the Private Right of Action Against Theft of Trade Secrets Act of 2013 would provide additional ammunition against persons who steal trade secrets, a companion bill that seeks to clarify a controversial provision in the Computer Fraud and Abuse Act (“CFAA”) could restrict companies’ ability to pursue claims under the CFAA.

On the same day as the above-discussed amendment to the Economic Espionage Act was introduced, Representative Lofgren co-sponsored a bill (“Aaron’s Law Act of 2013,” H.R. 2454) that would narrow the scope of the CFAA. As stated on Rep. Lofgren’s website, this bill, among other things:

Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.

As we have blogged about previously here, here and here, when companies sue their former employees under the CFAA, the employees frequently argue that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue — the application of the CFAA to alleged employee computer abuse — is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as former employees commonly urge. The recently introduced H.R. 2454 bill, if passed, would enact as law the narrow, pro-employee view of the CFAA.

While these bills were only recently introduced and have a long way to go before they might become law, their potential consequences for employers and attorneys make them important ones to follow.
 

In a recent case, the United States District Court for the District of Massachusetts issued the latest opinion regarding whether former employees violated the Computer Fraud and Abuse Act (“CFAA” or the “Act”) before they joined a competitor by downloading electronic information without authorized access. The CFAA, 18 U.S.C. §1030, makes it unlawful to take information from a protected computer of an employer by unlawful means.

In Advanced Micro Devices, Inc. v. Robert Feldstein, et al., USDC (D.Mass.), Civil Action No. 13-40007-TSH, decided on June 10, 2013, the Court adopted the “narrow view” in interpreting the CFAA, ruling that the former employees had not violated the Act where the employees had downloaded confidential information “with authorization” to do so. Judge Hillman, writing for the Court, rejected the alternative “broad view” which states that even though the former employees had authorization to access the information, the former employees nevertheless violate the CFAA when they “exceed their authorization.” The Court said that “[p]roponents of the narrower interpretation suggest that Congress’s intent in passing the CFAA was to address computer hacking activities and not to supplement state misappropriation of trade secrets laws.”

In this case, four former employees worked for Advanced Micro Devices, Inc. (“AMD”), a microprocessor manufacturer. All had authorization from AMD to access confidential technical and business strategy information during their employment. They all left AMD to work for a competitor. AMD sued the former employees claiming that they had copied proprietary data from AMD’s computers before they left the company.

Different courts have taken different interpretations of the CFAA regarding these alternative views. Compare, for example, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) with United States v. Rodriquez, 628 F.3d 1258 (11th Cir. 2010).

Judge Hillman also held that, at the time of his ruling, the First Circuit had not clearly articulated its position. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

As the courts deal with these very interesting theories, we will continue to write about the latest developments by the courts in interpreting the CFAA.

 

Practitioners in the area of trade secret protection and employee mobility law are still trying to sort out the impact of a federal court jury verdict in San Francisco last month finding former Korn Ferry executive David Nosal guilty of two criminal counts stemming from his alleged misappropriation of the Company’s proprietary information after his departure. The long-running legal saga of Mr. Nosal, whose name is undoubtedly destined to become synonymous with several critical issues related to computer law, has been the subject of a previous post on our Trade Secret and Non-Compete blog. In short, following a script we have read many times before, Mr. Nosal was accused of leading a conspiracy of existing and former employees of Korn Ferry, the executive placement behemoth, with the intent of setting up a competing firm with a business model based largely on misappropriation of Korn Ferry’s proprietary information regarding potential placement prospects. The case was an unusual one because the alleged theft was so significant and brazen that it resulted in criminal prosecution of Nosal in federal court under the Computer Fraud and Abuse Act (CFAA).

The case has dragged on for nearly eight years. For a time, it looked as if the prosecution was on the ropes after the Ninth Circuit, in a much-anticipated en banc decision, ruled that six of the federal charges against Nosal could not be brought under the CFAA. The court of appeals decision, written by the famously tech-savvy Chief Judge Alex Kozinski ruled essentially that the alleged efforts by Nosal and his co-conspirators to purloin Korn Ferry’s critical database of prospects was not within the scope for the CFAA because it did constitute computer “hacking” as that term is commonly understood. The Ninth Circuit’s decision was at odds with the holdings of several other courts of appeal on similar issues. The Justice Department declined to challenge the Ninth Circuit’s decision in the Supreme Court, but the issue regarding the applicability of the CFAA in the context of trade secret misappropriation by employees or former employees seems inevitably destined for eventual High Court review.

Despite having its case dramatically trimmed in size, the government managed to secure a conviction of Nosal on two counts. His attorneys have already vowed an appeal. Perhaps it will be the Ninth Circuit’s decision in “Nosal II” that will make it to the High Court.

Criminal prosecutions in the context of trade secret misappropriations are of course rare but the Nosal case has been closely watched by attorneys who seek to protect trade secrets through civil litigation. The verdict obtained in San Francisco in this case may make federal prosecutors more willing to consider prosecution under the CFAA in egregious cases of trade secret theft involving computers, breathing some life back into the potential threat of criminal prosecution as the ultimate weapon in the employer’s arsenal of means to prevent or address trade secret misappropriation.

The circumstances of the Nosal case also show that the basic elements of an employer’s strategy for protecting its trade secrets remain the same. First, it is critical that the employer’s computer use policies be carefully drafted to define the proper limits of employee use and that they reflect the realities of how the employer conducts its business on a day-to-day basis. In its en banc decision, the Ninth Circuit rejected application of the CFAA on the facts presented, in part, out of fear that a broad application of the statute to an employee who violates his or her employer’s computer use policies could turn vast numbers of people into unwitting criminals. Judge Kozinski noted that employers’ computer use policies are typically “lengthy, opaque, subject to change, and seldom read.” Your Company’s computer use policies must be clear, current to business conditions, and verifiably published to employees.

Second, an employer that wishes to take full advantage of trade secret protection must in fact protect its trade secrets. In the Nosal appeal, Judge Kozinski also voiced concern that making an employee’s misuse of a work-provided computer a federal crime under the CFAA would be improper because such “crimes” are rarely prosecuted, which gives prosecutors excessive discretion to pursue selective prosecution. In the civil context, we see over and again situations where the employer is hobbled in getting injunctive relief to address trade secret theft because of its weak record of actually taking affirmative steps to protect the information at issue from misuse or disclosure. If a certain type of business information has real competitive value to your business – or to the competition – take demonstrable steps to protect it on a day-to-day basis, not just when an employee leaves to compete against you. Doing this takes discipline and conscious development of a corporate culture around this issue.

Third, the employer that wants real protection of its trade secrets must act quickly, aggressively, and effectively when misappropriation occurs. The forensic investigation supporting a claim for civil relief must be technically unassailable and understandable by a court in the context of the often hurried consideration of an application for temporary injunctive relief. Going to court quickly, effectively and frequently when trade secret misappropriation occurs can assist an employer in developing a reputation that it is not to be “messed with” regarding its proprietary information. Such a reputation can have a real prophylactic effect on employees contemplating possible trade secret mischief on their way out the door.

The Nosal saga continues on. This will not be our last word on this story.
 

Common scenario: Employee plans to resign from employer and join competitor. Prior to resigning, employee uses his company computer to access confidential and proprietary information and then sends the information to his personal e-mail account to use for the benefit of his new employer. Employer sues former employee for misappropriation and other state law claims, and seeks federal jurisdiction by asserting a claim under the Computer Fraud and Abuse Act (“CFAA”).

Dilemma: Does CFAA state a claim when the employee had permission to “access” the computer and company documents, but not “use” it for an improper purpose such as to benefit a new employer?

Just last week, the U.S. Court of Appeals for the Fourth Circuit entered the fray over the scope of liability under CFAA, and sided with the Ninth Circuit in adopting a narrow reading of the statute. In WEC Carolina Energy Solutions v. Willie Miller; Emily Kelley; ARC Energy Services, Inc., a former employee of WEC allegedly downloaded confidential information while still employed by WEC but prior to his resignation to work for a competitor, and then used that information unlawfully to compete against WEC on behalf of his new employer. WEC claimed that the former employee’s unauthorized “use” of its computers to gain access to proprietary information violated CFAA’s “without authorization” or “exceeds authorized access” provisions. The trial court dismissed the complaint for failing to state a claim under CFAA, and the Fourth Circuit affirmed.

In affirming the dismissal, the Court adopted “a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and held that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which is authorized to access.” The Fourth Circuit further rejected any CFAA liability grounded on an agency theory, noting that such a theory for liability has far-reaching effects unintended by Congress.

The Fourth Circuit joins the Ninth Circuit in its narrow reading of the CFAA, in contrast to the more expansive view held by a majority of the other circuit courts of appeals, including the Seventh Circuit. With the courts of appeals split on this critical issue of liability under CFAA, it will eventually be up to the U.S. Supreme Court to declare once and for all whether an employee’s improper use and access of confidential and proprietary information is unlawful. Notably, it is likely that the Ninth Circuit’s en banc opinion in United States v. Nosal, will be the first case to reach the Supreme Court on CFAA’s jurisdictional reach, although the government’s deadline to file its petition has been extended until September 7, 2012. Often in cases alleging misappropriation of trade secrets, CFAA provides the only avenue for federal court jurisdiction. Thus, whether employers will be able to rely on this statute as an additional claim (and path into federal court) against rogue employees departing for competitors remain to be seen.

In the meantime, employers should carefully review their computer use policies to determine whether the policies could be used effectively to limit unauthorized access and use. In addition, knowing the state of the law in your state will be critical to know whether a CFAA claim would be a viable litigation strategy or a roadblock to federal court jurisdiction when proceeding with a misappropriation of trade secrets claim against an employee.
 

Earlier this year, Aon Risk Services Northeast Inc. (“Aon”) brought suit in the United States District Court for the Southern District of New York against Marsh USA Inc., Marsh & McLennan Companies, Inc. (together, “Marsh”), and three former employees. In its Amended Complaint, Aon asserted that the defendants transferred a “pre-packaged book of business” to Marsh, primarily by the former employees’ “illegal downloading of Aon proprietary trade secret information.” Aon asserted a claim under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, against the three former employees, and asserted nine common law claims, including misappropriation of trade secrets, breach of contract and unfair competition, under New York state law against Marsh and the former employees.

The Court issued an Order granting an application by defendants to dismiss all of the state law claims, on the grounds that they are different from and substantially predominate over Aon’s lone federal claim under the CFAA. See Aon Risk Servs. Northeast, Inc. v. Kornblau, 10 Civ. 2244 (RMB), 2010 U.S. Dist. LEXIS 38140 (S.D.N.Y. Apr. 19, 2010). The state law claims were dismissed without prejudice to their renewal in an appropriate forum. On April 23, 2010, Aon re-filed its nine state law claims in the Supreme Court of the State of New York, New York County, Index No. 601058/10.

The three former employees have now moved to dismiss the only remaining claim, under the CFAA. In their brief, they argue that the CFAA claim is deficient because they did not exceed their authorized access to Aon’s computers. The former employees state that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue — the application of the CFAA to alleged employee computer abuse — is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as the former Aon employees urge.

The procedural history of the case so far shows that Aon’s pairing of the CFAA claim with its state law claims — the gravamen of its Complaint — has not worked out well. If the CFAA claim was included in order to secure federal jurisdiction over the dispute, it was unsuccessful; the Court’s Order dismissing the state law claims led Aon to commence a second action in state court. While the Court has yet to rule on the former employees’ motion to dismiss the CFAA claim, Aon’s CFAA claim may lack the requisite allegations to withstand the motion to dismiss. If so, Aon’s efforts to go on the offensive against the alleged unfair competitors will result in two setbacks straight out of the gate.
 

On January 14, 2010, Berkeley HeartLab, Inc. filed suit against Health Diagnostic Laboratory, Inc., and several former employees for trade secret violations and breach of contract. The suit was filed two weeks after a mass departure in which five sales representatives resigned from Berkeley.

Berkeley claims that in October 2008 a former Senior Vice President founded Health Diagnostic in Richmond, Virginia with the alleged intent to compete with Berkeley by providing diagnostic clinical tests that target cardiovascular disease and disease management similar to Berkeley’s clinical programs. On January 1, 2010, five sales representatives resigned from Berkeley within thirty minutes of each other, and allegedly began working for Health Diagnostic soon thereafter. The complaint asserts that within the first two weeks of January, several health care providers, who had previously conducted business with Berkeley, had switched their business to Health Diagnostic, causing an approximate 35% decline in Berkeley’s sales volume from the previous year. The complaint further alleges that the former employees had signed a Proprietary Information and Invention Agreement intended to protect Berkeley’s confidential information and customer goodwill, and their pre-resignation conduct as well as subsequent employment at Health Diagnostic breached their agreements.

The lawsuit, filed in the Eastern District of Virginia (known as the “rocket docket” for its swift processing of cases), alleges state law claims of breach of contract, breach of fiduciary duty, tortious interference, conspiracy, unfair competition, as well as a federal law claim under the Computer Fraud and Abuse Act (CFAA). While unclear from the court papers, it appears that Berkeley’s support for its CFAA claim is its allegation that two individual defendants accessed their Berkeley work computers without authorization, or in excess of their authorization, while still employed by Berkeley, to remove data to benefit Health Diagnostic.

This case could be of interest to employers and attorneys alike who are following the split in the courts across the country as to whether computer access while an employee meets the statutory test for “without authorization” under CFAA. As we reported on this blog on September 17, 2009, the U.S. Court of Appeals for the Ninth Circuit recently split with the U.S. Court of Appeals for the Seventh Circuit over the meaning of “authorization” under CFAA. The Ninth Circuit adopted the narrow view that CFAA only reaches conduct by individuals who do not have any permission to access the computer system (e.g., a hacker or terminated employee). The Seventh Circuit has adopted the more expansive view that a statutory claim could be made whenever an employee accesses a computer with an adverse interest in breach of his duty of loyalty without the employer’s knowledge. The U.S. Court of Appeals for the Fourth Circuit has not weighed in on this legal split under CFAA yet, and the issue will likely have to be resolved by the U.S. Supreme Court.

Berkeley is seeking preliminary and permanent injunctive relief, including an order restricting the defendants from using or disclosing confidential or proprietary information, misrepresenting Berkeley’s ability to perform clinical tests, soliciting healthcare providers, and soliciting Berkeley employees. Berkeley is also seeking an order to prevent the individual defendants from working at Health Diagnostic, and $350,000 in punitive damages from each defendant.
 

This week the Ninth Circuit Court of Appeals issued a published opinion rejecting an employer’s argument that its former employee violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009).

The Seventh Circuit reached the opposite conclusion in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), reasoning that when an employee breaches his duty of loyalty to the employer, the agency relationship terminates and the employee is no longer “authorized” to access the employer’s computer within the meaning of the CFAA.

The Ninth Circuit rejected this statutory interpretation as contrary to the rule that where a statute has both criminal and noncriminal applications, courts should interpret it consistently in both contexts and resolve ambiguity in favor of lenity, avoiding interpretations that are “surprising and novel.” Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the statute regardless of his motivation.

The opinion suggests that the result might have been different if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment.