Beyond Trade Secret Protection: What Employers and Employees Should Know About the Computer Fraud and Abuse Act

November 15, 2010
by Carlo D’Itri

Companies increasingly rely on information (for example, customer lists, business plans, sales data, etc.) as a source of competitive advantage. But protecting that information can be tricky. Some information may not be protectable under traditional intellectual property doctrines such as copyright, patent, and trademark. Instead, it may be necessary to rely on trade secret protection, which generally protects information that a company takes reasonable efforts to keep secret, and which has independent economic value as a result of being kept secret. While trade secret protection is a valuable tool, it can sometimes require a substantial commitment of legal resources to enforce. In an increasingly digital world, a federal law, the Computer Fraud and Abuse Act (“CFAA“)¹ , offers an additional source of protection to companies for certain information taken from protected computer systems. Both employers and employees should be aware of this wide-reaching law and the potential consequences of misappropriating electronic information.

Origins and Evolution of the CFAA:

The CFAA, enacted in 1984, was originally intended “to enhance the government’s ability to prosecute computer crimes” by targeting “hackers who accessed computers to steal information or to disrupt or destroy computer functionality.”² In 1994, Congress amended the law to allow private parties to sue for damages caused by actions that constitute crimes under the CFAA.³ In the years since, application of the CFAA has increasingly broadened, and it is now routinely used in the employment context in fact patterns evocative of trade secret misappropriation. However, use of the CFAA in this context is not without controversy, as seen in the split among federal courts discussed below.

A Typical Claim:

One of the more typical employee liability claims under the CFAA is based on 18 U.S.C. 1030(a)(2)(C), under which one violates the CFAA by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer … .” One key to liability in this and other CFAA claims lies in the element of accessing a computer without authorization orexceeding authorized access.

A typical fact pattern might look something like this: an employee has access to her employer’s entire computer database. While employed by the company, the employee emails herself some sensitive company information. Three months later, the employee quits her job and uses the sensitive information to start her own venture that competes with the former employer.

The employer sues, alleging a criminal violation of the CFAA as well as a host of other state law claims. The pivotal question under the CFAA will likely turn on whether the employee’s access to the information was authorized or exceeded any authorization granted. Unfortunately, the federal courts are split on this subject, so the answer is not entirely clear.

The Circuit Split:

The Broad Approach – Employees Can Be Liable for Misusing Otherwise Validly Obtained Information.

Under the broad approach, the employee in our scenario would probably be found to have obtained the information without authorization. In Int’l Airport Centers, LLC v. Citrin⁴ , the Seventh Circuit held that when an employee breaches his or her duty of loyalty to the employer, authorization to access the information can be absent or exceeded under the CFAA. The court explained that the breach of the duty of loyalty terminates an employee’s agency relationship with the employer, and when that agency relationship is terminated, the authorization to access is terminated, because authorization was only ever granted on the basis of the agency relationship.

The Narrow Approach – Initial Authorization Cannot Be Exceeded Merely Because of the Employee’s Subsequent Misuse of the Information.

Other courts embrace a narrower view of the meaning of “authorization” under the CFAA, as illustrated by the Ninth Circuit’s opinion in LVRC Holdings LLC v. Brekka⁵. In that case, the employee emailed himself information that he later used in a competing business. At the time he emailed himself the information, he was employed by the employer and was authorized to access the information. The Ninth Circuit expressly rejected the Seventh Circuit’s holding in Citrin.

The Brekka court explained that the CFAA is a criminal statute, and any ambiguity in a criminal statute must be resolved against liability. The court explained that the plain language of the CFAA shows that “authorization” depends on actions of the employer, not subsequent actions by the employee. The court held that a person acts “without authorization” under the CFAA when he or she “has not received permission to use the computer for any purpose … or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”⁶ Therefore, the narrower view holds that initial authorization to access the information precludes a CFAA claim, regardless of the employee’s subsequent misuse of the information.

Implications:

Federal Jurisdiction Over and Expanded Protection for Trade Secret-Type Claims.

Far from its original purpose of criminalizing hacking into restricted computer systems, the modern application of the CFAA in the employment context starts to look a lot like trade secret misappropriation claims. This is especially true under the more permissive broad view of “authorization,” under which conceivably any misuse of an employer’s electronic information can subject an employee to liability, regardless of whether access was restricted. This federal protection of trade secret-type claims has several important implications.

First, state law trade secret claims are normally brought in state courts and can only be brought in federal courts if there is an independent basis – e.g. the existence of a federal claim or in a dispute between parties from different states. By using the CFAA, though, an employer can typically take its state law claim and have it heard in federal court.

Second, the CFAA lacks several of the hurdles present in a typical trade secret misappropriation claim. For example, California trade secret law only protects information that (i) derives independent economic value from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use and (ii) has been the subject of reasonable efforts to maintain its secrecy.⁷ The trade secret law thus imposes limits on what is protectable. However, the CFAA extends similar protection to any information whatsoever, as long as it is located on a protected computer. This represents a significant expansion of an employer’s rights to protect its information.

What Are the Implications for Employers?

Because of the uncertainty of the CFAA’s application in the employment context, employers must make sure they are covered even if the CFAA is unavailable. To this effect, employers will want to implement a robust trade secret policy and program to ensure protection for information that qualifies for trade secret protection. Additionally, employers should obtain comprehensive confidentiality agreements from their employees.

Employers will also want to carefully craft and communicate their authorization policies, in case the broader application of the CFAA prevails. For example, employers should consider implementing policies that grant authorization only during paid working hours and that automatically cease upon any termination of employment. And although it is questionable whether the following would succeed in supporting a CFAA claim, the employer might also consider expressly conditioning any authorization to access a computer on the use of information solely for purpose of carrying out the employees’ duties in the best interest of the company.

A final lesson that can be learned from the CFAA “authorization” discussion, regardless of whether the narrow or broad view prevails, is that employers should carefully evaluate their digital information and determine whether access can be cost-effectively and logically restricted based on the identity of employees or classes of employees. Blocking access to sensitive information from employees who have no use for it can eliminate a significant potential liability. If employees cannot access it, they cannot misappropriate it. And if they access it nonetheless by hacking into it, the CFAA should apply regardless of the circuit split on the proper application of the statute.

What Are the Implications for Employees?

Employees should make sure they have read and are familiar with their employer’s company policies regarding information and computer access. If the policies are particularly restrictive, an employee could be more likely to end up defending a lawsuit in federal court.

Employees working in “narrow view” jurisdictions should not have a lax attitude toward use of the employer’s information. Even if the CFAA wouldn’t apply, the company may still be protected by a variety of state laws.

In addition to CFAA and trade secret claims, employees should also carefully review any confidentiality or other agreements they have entered into with their employer, as those agreements can further define permissible uses of information both during and after employment.
¹U.S.C. §1030.
²LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009).
³Pub. L. No. 103-322, 108 Stat. 1796.
⁴440 F.3d 418, 420-421 (7th Cir. 2006).
⁵581 F.3d 1127 (9th Cir. 2009).
⁶Id. at 1135.
⁷Cal. Civ. Code 3426.1.