The Courts Continue To Wrestle With The Interpretation Of The Computer Fraud And Abuse Act

On November 13, 2013, my partner Jim Goodman and I presented a national webinar discussing recent developments in Trade Secrets and Non-Competes. In that webinar, I discussed the split in the Circuits’ interpretation of the Computer Fraud and Abuse Act (CFAA).  (Access to the recording and presentation is by request only.)  I have also blogged on the most recent case that had been decided in the District of Massachusetts dealing with the interpretation of the CFAA, Advanced Micro Devices, Inc. v. Robert Feldstein, C.A. No. 13-40007-TSH, 2013 U.S. Dist. LEXIS 81206 (D. Mass. Jun. 10, 2013).

The issue that the courts are wrestling with is how to interpret the meaning of the terms “exceeds authorized access” and “without authorization,” which are in the CFAA. The issue has unfortunately not been resolved by the United States Supreme Court. Until then, different interpretations will continue to exist in the federal courts.

Recently, Chief Magistrate Judge Leo T. Sorokin rendered the latest opinion in the District of Massachusetts on the issue in MOCA Systems Inc. v. Bernier, C.A. No. 13-10738-LTS, 2013 U.S. Dist. LEXIS 161071 (D. Mass. Nov. 12, 2013). In that case, he refused to dismiss a CFAA claim, but allowed the defendants to bring the claim up later in the case at the summary judgment stage.

MOCA Systems sued Bernier (its former CEO) and Pernier Systems, the company he founded, claiming that Bernier improperly accessed MOCA’s computer systems for the purpose of competing with MOCA. The defendants moved to dismiss the Complaint.

Judge Sorokin quoted the CFAA language that has caused the split among the courts, which states that a defendant is civilly liable where he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” 18 U.S.C. § 1030(a)(4) (emphasis added).

Judge Sorokin acknowledged that there are two views that the Courts have taken interpreting this language, commonly referred to as the “narrow” view and the “broad” view. The Courts that take the narrow view interpret the CFAA as limited to hacking. Thus, as long as the individual has authority to access the computer, he or she does not act “without authority” or “exceed” his or her “authorization” even though the employee used the information for personal needs after leaving the company. Those Courts that take the “broad” view focus on unauthorized use by the former employee on the theory that the former employee exceeds his or her authorization when the information is used in a way that is adverse to the company or violated the company’s policy.

In MOCA, the Court acknowledged that in the District of Massachusetts, in Advanced Micro Devices, Inc. v. Feldstein, District Judge Hillman recently found that the narrow construction was “preferable.” The Court also acknowledged that there is even a split in the District of Massachusetts. (See District Judge Gorton’s decision in Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45 (D. Mass. 2009), in which he followed the broader line of cases.) However, in MOCA, Magistrate Judge Sorokin chose to defer the issue until summary judgment just as Judge Hillman did in Advanced Micro Devices and said that he didn’t have to decide whether to adopt the “narrow” or the “broad view” at this early stage since the facts in the case “suffice under either standard.” In reaching this conclusion, he relied on the allegations in the Complaint which, assuming they are true, state that Bernier accessed the company-owned computer after he left the Company, which would support the claim that Bernier acted “without authority.”

This case illustrates once more that Courts are trying to deal with the differing interpretations of the CFAA and defer a final decision on the issue when the facts support that approach. Until the U.S. Supreme Court finally issues a definitive interpretation of the CFAA, we will continue to see different results issued by Courts depending on which Court and, in some cases, which judge hears the case.
 

Congress Considers Companion Bills That Could Have Far Reaching Consequences For Companies Facing Trade Secret Theft And/Or Computer Fraud And Abuse

A California legislator recently introduced two bills in Congress which, if passed, could have profound effects for companies seeking to pursue claims relating to trade secrets and confidential information – one bill would create a new private right of action under federal law for trade secret theft, while the other bill would appear to limit plaintiffs’ abilities to pursue existing remedies for computer fraud and abuse.

In its current form, the Economic Espionage Act allows only federal prosecutors to bring criminal trade secrets charges against persons who have stolen trade secrets. On June 20, 2013, however, Representative Zoe Lofgren (a California Democrat representing a district that includes San Jose and Silicon Valley) introduced a bill titled the “Private Right of Action Against Theft of Trade Secrets Act of 2013” (H.R. 2466) which would amend the Economic Espionage Act to add a civil remedy, by adding two new subsections to 18 U.S.C. §1832:

(c) Any person who suffers injury by reason of violation of this section may maintain a civil action against the violator to obtain appropriate compensatory damages and injunctive relief or other equitable relief. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

(d) For purposes of this section, the term ‘without authorization’ shall not mean independent derivation or working backwards from a lawfully obtained known product or service to divine the process which aided its development or manufacture.

If passed, this proposed amendment could result in a dramatic uptick of trade secrets lawsuits filed in federal courts. Currently, companies pursuing trade secret misappropriation claims are largely limited to state law remedies, and as a result often find themselves limited to state court.

While the Private Right of Action Against Theft of Trade Secrets Act of 2013 would provide additional ammunition against persons who steal trade secrets, a companion bill that seeks to clarify a controversial provision in the Computer Fraud and Abuse Act (“CFAA”) could restrict companies’ ability to pursue claims under the CFAA.

On the same day as the above-discussed amendment to the Economic Espionage Act was introduced, Representative Lofgren co-sponsored a bill (“Aaron’s Law Act of 2013,” H.R. 2454) that would narrow the scope of the CFAA. As stated on Rep. Lofgren’s website, this bill, among other things:

Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.

As we have blogged about previously, when companies sue their former employees under the CFAA, the employees frequently argue that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue -- the application of the CFAA to alleged employee computer abuse -- is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as former employees commonly urge. The recently introduced H.R. 2454 bill, if passed, would enact as law the narrow, pro-employee view of the CFAA.

While these bills were only recently introduced and have a long way to go before they might become law, their potential consequences for employers and attorneys make them important ones to follow.
 

Massachusetts Federal Court Weighs In On Computer Fraud And Abuse Act

In a recent case, the United States District Court for the District of Massachusetts issued the latest opinion regarding whether former employees violated the Computer Fraud and Abuse Act (“CFAA” or the “Act”) before they joined a competitor by downloading electronic information without authorized access. The CFAA, 18 U.S.C. §1030, makes it unlawful to take information from a protected computer of an employer by unlawful means.

In Advanced Micro Devices, Inc. v. Robert Feldstein, et al., USDC (D.Mass.), Civil Action No. 13-40007-TSH, decided on June 10, 2013, the Court adopted the “narrow view” in interpreting the CFAA, ruling that the former employees had not violated the Act where the employees had downloaded confidential information “with authorization” to do so. Judge Hillman, writing for the Court, rejected the alternative “broad view” which states that even though the former employees had authorization to access the information, the former employees nevertheless violate the CFAA when they “exceed their authorization.” The Court said that “[p]roponents of the narrower interpretation suggest that Congress’s intent in passing the CFAA was to address computer hacking activities and not to supplement state misappropriation of trade secrets laws.”

In this case, four former employees worked for Advanced Micro Devices, Inc. (“AMD”), a microprocessor manufacturer. All had authorization from AMD to access confidential technical and business strategy information during their employment. They all left AMD to work for a competitor. AMD sued the former employees claiming that they had copied proprietary data from AMD’s computers before they left the company.

Different courts have taken different interpretations of the CFAA regarding these alternative views. Compare, for example, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) with United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

Judge Hillman also held that, at the time of his ruling, the First Circuit had not clearly articulated its position. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

As the courts deal with these very interesting theories, we will continue to write about the latest developments by the courts in interpreting the CFAA.

 

Fallout From Nosal Verdict

Practitioners in the area of trade secret protection and employee mobility law are still trying to sort out the impact of a federal court jury verdict in San Francisco last month finding former Korn Ferry executive David Nosal guilty of two criminal counts stemming from his alleged misappropriation of the Company’s proprietary information after his departure. The long-running legal saga of Mr. Nosal, whose name is undoubtedly destined to become synonymous with several critical issues related to computer law, has been the subject of a previous post on our Trade Secret and Non-Compete blog. In short, following a script we have read many times before, Mr. Nosal was accused of leading a conspiracy of existing and former employees of Korn Ferry, the executive placement behemoth, with the intent of setting up a competing firm with a business model based largely on misappropriation of Korn Ferry’s proprietary information regarding potential placement prospects. The case was an unusual one because the alleged theft was so significant and brazen that it resulted in criminal prosecution of Nosal in federal court under the Computer Fraud and Abuse Act (CFAA).

The case has dragged on for nearly eight years. For a time, it looked as if the prosecution was on the ropes after the Ninth Circuit, in a much-anticipated en banc decision, ruled that six of the federal charges against Nosal could not be brought under the CFAA. The court of appeals decision, written by the famously tech-savvy Chief Judge Alex Kozinski, ruled essentially that the alleged efforts by Nosal and his co-conspirators to purloin Korn Ferry’s critical database of prospects were not within the scope of the CFAA because they did not constitute computer “hacking” as that term is commonly understood. The Ninth Circuit’s decision was at odds with the holdings of several other courts of appeals on similar issues. The Justice Department declined to challenge the Ninth Circuit’s decision in the Supreme Court, but the issue regarding the applicability of the CFAA in the context of trade secret misappropriation by employees or former employees seems inevitably destined for eventual High Court review.

Despite having its case dramatically trimmed in size, the government managed to secure a conviction of Nosal on two counts. His attorneys have already vowed an appeal. Perhaps it will be the Ninth Circuit’s decision in “Nosal II” that will make it to the High Court.

Criminal prosecutions in the context of trade secret misappropriations are of course rare but the Nosal case has been closely watched by attorneys who seek to protect trade secrets through civil litigation. The verdict obtained in San Francisco in this case may make federal prosecutors more willing to consider prosecution under the CFAA in egregious cases of trade secret theft involving computers, breathing some life back into the potential threat of criminal prosecution as the ultimate weapon in the employer’s arsenal of means to prevent or address trade secret misappropriation.

The circumstances of the Nosal case also show that the basic elements of an employer’s strategy for protecting its trade secrets remain the same. First, it is critical that the employer’s computer use policies be carefully drafted to define the proper limits of employee use and that they reflect the realities of how the employer conducts its business on a day-to-day basis. In its en banc decision, the Ninth Circuit rejected application of the CFAA on the facts presented, in part, out of fear that a broad application of the statute to an employee who violates his or her employer’s computer use policies could turn vast numbers of people into unwitting criminals. Judge Kozinski noted that employers’ computer use policies are typically “lengthy, opaque, subject to change, and seldom read.” Your Company’s computer use policies must be clear, current to business conditions, and verifiably published to employees.

Second, an employer that wishes to take full advantage of trade secret protection must in fact protect its trade secrets. In the Nosal appeal, Judge Kozinski also voiced concern that making an employee’s misuse of a work-provided computer a federal crime under the CFAA would be improper because such “crimes” are rarely prosecuted, which gives prosecutors excessive discretion to pursue selective prosecution. In the civil context, we see over and again situations where the employer is hobbled in getting injunctive relief to address trade secret theft because of its weak record of actually taking affirmative steps to protect the information at issue from misuse or disclosure. If a certain type of business information has real competitive value to your business – or to the competition – take demonstrable steps to protect it on a day-to-day basis, not just when an employee leaves to compete against you. Doing this takes discipline and conscious development of a corporate culture around this issue.

Third, the employer that wants real protection of its trade secrets must act quickly, aggressively, and effectively when misappropriation occurs. The forensic investigation supporting a claim for civil relief must be technically unassailable and understandable by a court in the context of the often hurried consideration of an application for temporary injunctive relief. Going to court quickly, effectively and frequently when trade secret misappropriation occurs can assist an employer in developing a reputation that it is not to be “messed with” regarding its proprietary information. Such a reputation can have a real prophylactic effect on employees contemplating possible trade secret mischief on their way out the door.

The Nosal saga continues on. This will not be our last word on this story.
 

Fourth Circuit Adopts "Narrow Reading" of Authorization under the Computer Fraud and Abuse Act

Common scenario: Employee plans to resign from employer and join competitor. Prior to resigning, employee uses his company computer to access confidential and proprietary information and then sends the information to his personal e-mail account to use for the benefit of his new employer. Employer sues former employee for misappropriation and other state law claims, and seeks federal jurisdiction by asserting a claim under the Computer Fraud and Abuse Act (“CFAA”).

Dilemma: Does CFAA state a claim when the employee had permission to “access” the computer and company documents, but not “use” it for an improper purpose such as to benefit a new employer?

Just last week, the U.S. Court of Appeals for the Fourth Circuit entered the fray over the scope of liability under CFAA, and sided with the Ninth Circuit in adopting a narrow reading of the statute. In WEC Carolina Energy Solutions v. Willie Miller; Emily Kelley; ARC Energy Services, Inc., a former employee of WEC allegedly downloaded confidential information while still employed by WEC but prior to his resignation to work for a competitor, and then used that information unlawfully to compete against WEC on behalf of his new employer. WEC claimed that the former employee’s unauthorized “use” of its computers to gain access to proprietary information violated CFAA’s “without authorization” or “exceeds authorized access” provisions. The trial court dismissed the complaint for failing to state a claim under CFAA, and the Fourth Circuit affirmed.

In affirming the dismissal, the Court adopted “a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and held that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which is authorized to access.” The Fourth Circuit further rejected any CFAA liability grounded on an agency theory, noting that such a theory for liability has far-reaching effects unintended by Congress.

The Fourth Circuit joins the Ninth Circuit in its narrow reading of the CFAA, in contrast to the more expansive view held by a majority of the other circuit courts of appeals, including the Seventh Circuit. With the courts of appeals split on this critical issue of liability under CFAA, it will eventually be up to the U.S. Supreme Court to declare once and for all whether an employee’s improper use and access of confidential and proprietary information is unlawful. Notably, it is likely that the Ninth Circuit’s en banc opinion in United States v. Nosal will be the first case to reach the Supreme Court on CFAA’s jurisdictional reach, although the government’s deadline to file its petition has been extended until September 7, 2012. Often in cases alleging misappropriation of trade secrets, CFAA provides the only avenue for federal court jurisdiction. Thus, whether employers will be able to rely on this statute as an additional claim (and path into federal court) against rogue employees departing for competitors remains to be seen.

In the meantime, employers should carefully review their computer use policies to determine whether the policies could be used effectively to limit unauthorized access and use. In addition, knowing the state of the law in your state will be critical to know whether a CFAA claim would be a viable litigation strategy or a roadblock to federal court jurisdiction when proceeding with a misappropriation of trade secrets claim against an employee.
 

The "Authorized Access" Issue Under the Computer Fraud and Abuse Act

Earlier this year, Aon Risk Services Northeast Inc. (“Aon”) brought suit in the United States District Court for the Southern District of New York against Marsh USA Inc., Marsh & McLennan Companies, Inc. (together, “Marsh”), and three former employees. In its Amended Complaint, Aon asserted that the defendants transferred a “pre-packaged book of business” to Marsh, primarily by the former employees’ “illegal downloading of Aon proprietary trade secret information.” Aon asserted a claim under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, against the three former employees, and asserted nine common law claims, including misappropriation of trade secrets, breach of contract and unfair competition, under New York state law against Marsh and the former employees.

The Court issued an Order granting an application by defendants to dismiss all of the state law claims, on the grounds that they are different from and substantially predominate over Aon’s lone federal claim under the CFAA. See Aon Risk Servs. Northeast, Inc. v. Kornblau, 10 Civ. 2244 (RMB), 2010 U.S. Dist. LEXIS 38140 (S.D.N.Y. Apr. 19, 2010). The state law claims were dismissed without prejudice to their renewal in an appropriate forum. On April 23, 2010, Aon re-filed its nine state law claims in the Supreme Court of the State of New York, New York County, Index No. 601058/10.

The three former employees have now moved to dismiss the only remaining claim, under the CFAA. In their brief, they argue that the CFAA claim is deficient because they did not exceed their authorized access to Aon’s computers. The former employees state that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue -- the application of the CFAA to alleged employee computer abuse -- is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as the former Aon employees urge.

The procedural history of the case so far shows that Aon’s pairing of the CFAA claim with its state law claims -- the gravamen of its Complaint -- has not worked out well. If the CFAA claim was included in order to secure federal jurisdiction over the dispute, it was unsuccessful; the Court’s Order dismissing the state law claims led Aon to commence a second action in state court. While the Court has yet to rule on the former employees’ motion to dismiss the CFAA claim, Aon’s CFAA claim may lack the requisite allegations to withstand the motion to dismiss. If so, Aon’s efforts to go on the offensive against the alleged unfair competitors will result in two setbacks straight out of the gate.
 

Clinical Lab Sues Former Executives and Sales Representatives For Competing with Rival Business and Soliciting Clients and Employees

On January 14, 2010, Berkeley HeartLab, Inc. filed suit against Health Diagnostic Laboratory, Inc., and several former employees for trade secret violations and breach of contract. The suit was filed two weeks after a mass departure in which five sales representatives resigned from Berkeley.

Berkeley claims that in October 2008 a former Senior Vice President founded Health Diagnostic in Richmond, Virginia with the alleged intent to compete with Berkeley by providing diagnostic clinical tests that target cardiovascular disease and disease management similar to Berkeley’s clinical programs. On January 1, 2010, five sales representatives resigned from Berkeley within thirty minutes of each other, and allegedly began working for Health Diagnostic soon thereafter. The complaint asserts that within the first two weeks of January, several health care providers, who had previously conducted business with Berkeley, had switched their business to Health Diagnostic, causing an approximate 35% decline in Berkeley’s sales volume from the previous year. The complaint further alleges that the former employees had signed a Proprietary Information and Invention Agreement intended to protect Berkeley’s confidential information and customer goodwill, and their pre-resignation conduct as well as subsequent employment at Health Diagnostic breached their agreements.

The lawsuit, filed in the Eastern District of Virginia (known as the “rocket docket” for its swift processing of cases), alleges state law claims of breach of contract, breach of fiduciary duty, tortious interference, conspiracy, unfair competition, as well as a federal law claim under the Computer Fraud and Abuse Act (CFAA). While unclear from the court papers, it appears that Berkeley’s support for its CFAA claim is its allegation that two individual defendants accessed their Berkeley work computers without authorization, or in excess of their authorization, while still employed by Berkeley, to remove data to benefit Health Diagnostic.

This case could be of interest to employers and attorneys alike who are following the split in the courts across the country as to whether computer access by a person who is still an employee meets the statutory test for “without authorization” under CFAA. As we reported on this blog on September 17, 2009, the U.S. Court of Appeals for the Ninth Circuit recently split with the U.S. Court of Appeals for the Seventh Circuit over the meaning of “authorization” under CFAA. The Ninth Circuit adopted the narrow view that CFAA only reaches conduct by individuals who do not have any permission to access the computer system (e.g., a hacker or terminated employee). The Seventh Circuit has adopted the more expansive view that a statutory claim could be made whenever an employee accesses a computer with an adverse interest in breach of his duty of loyalty without the employer’s knowledge. The U.S. Court of Appeals for the Fourth Circuit has not weighed in on this legal split under CFAA yet, and the issue will likely have to be resolved by the U.S. Supreme Court.

Berkeley is seeking preliminary and permanent injunctive relief, including an order restricting the defendants from using or disclosing confidential or proprietary information, misrepresenting Berkeley’s ability to perform clinical tests, soliciting healthcare providers, and soliciting Berkeley employees. Berkeley is also seeking an order to prevent the individual defendants from working at Health Diagnostic, and $350,000 in punitive damages from each defendant.
 

Ninth Circuit Disagrees with Seventh Circuit Citrin Case and Holds that the Computer Fraud and Abuse Act Is Not Violated When a Disloyal Employee Accesses Electronically Stored Information for Personal Gain

This week the Ninth Circuit Court of Appeals issued a published opinion rejecting an employer’s argument that its former employee violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009).

The Seventh Circuit reached the opposite conclusion in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), reasoning that when an employee breaches his duty of loyalty to the employer, the agency relationship terminates and the employee is no longer “authorized” to access the employer’s computer within the meaning of the CFAA.

The Ninth Circuit rejected this statutory interpretation as contrary to the rule that where a statute has both criminal and noncriminal applications, courts should interpret it consistently in both contexts and resolve ambiguity in favor of lenity, avoiding interpretations that are “surprising and novel.” Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the statute regardless of his motivation.

The opinion suggests that the result might have been different if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment.
 

How Employers Can Use CFAA to Get Back Laptops

Employers looking to protect their intellectual property and proprietary information, and wondering whether they can punish the departing employees that ignore demands to return laptops and other transportable electronic devices that hold such data, may now have a newly invigorated weapon at their disposal: the Computer Fraud and Abuse Act. A recent federal district court decision found that an employer establishes the required “loss” and “damage” elements of a CFAA claim against former employees by showing that such employees “refused to return their computers” when requested, that such employees “deleted information from their computers,” and that the employer “had to perform a forensic investigation to determine what information was deleted from” these laptops. Because the CFAA provides a statutory claim that applies to all electronically stored information (confidential or not), provides for federal court subject matter jurisdiction, and allows for the recovery of a variety of damages and costs, including those related to expert fees, employers and intellectual property owners may find it attractive. For further details and analysis of these issues, see the May 5, 2009 article by Jim Flynn appearing in IP Law 360 and Employment Law 360.