4th Circuit Limits the Reach of the Computer Fraud and Abuse Act – WEC Carolina Energy Solutions v. Miller
[Post by Venkat Balasubramani, with comments from Eric]
WEC Carolina Energy Solutions LLC v. Miller, et al., 2012 WL 3039213 (4th Cir.; July 26, 2012)
We’ve blogged about the Computer Fraud and Abuse Act being stretched by plaintiffs in civil (particularly employment) cases. The Ninth Circuit in Nosal recently gave the statute a more limited interpretation, although it left some things unclear. (Here’s our blog post on the Nosal en banc panel opinion: “Comments on the Ninth Circuit’s En Banc Ruling in U.S. v. Nosal.”) The Fourth Circuit recently followed Nosal’s approach and went one step further. Both of these rulings make it much more difficult for employers to use the Computer Fraud and Abuse Act against departing employees.
Miller worked at WEC. He resigned and made a proposal to a WEC customer on behalf of WEC’s competitor, Arc Energy Services. WEC alleged that Miller used WEC proprietary information when he made this presentation and that, at Arc’s direction, he downloaded these materials before he left WEC.
Like most companies, WEC had a policy in place that restricted employees from misusing confidential information and trade secrets. The policy prohibited employees from using WEC information without authorization and also prohibited them from downloading the information to their personal computers. The key question was whether use of information in violation of the policy–but which was obtained from a computer that Miller was otherwise authorized to access–violated the access “without authorization” or “exceed[ed] authorized access” provisions of the CFAA.
The court notes the differing schools of thought on this issue, including the narrower interpretation embraced by the Ninth Circuit in Nosal. Given the CFAA is a criminal statute that also provides for a civil cause of action, the court says it should be construed strictly and courts should avoid interpretations “not clearly warranted by the text” (so potential defendants get fair warning that their conduct is unauthorized). Looking to the dictionary definition of “authorization” and the CFAA’s definition of “exceeds authorized access,” the court says that (1) without authorization refers to a situation where someone is not authorized to access a computer and accesses it, and (2) exceeds authorized access refers to when someone:
Has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. . . . Notably, neither of these definitions extends to the improper use of information validly accessed.
WEC pushed the position embraced by the original Nosal panel (that was subsequently vacated on rehearing) that inclusion of the word “so” in the definition of exceeds authorized access referred to the manner of access. Under this theory, if you violate a company policy when you use information, you have accessed the information “in a manner” that you are not authorized to do so. The Fourth Circuit says this conclusion is a “non sequitur.” In any event, the Fourth Circuit says that the Ninth Circuit’s en banc decision abandoning this approach made more sense.
The Fourth Circuit actually goes one step further and says that although Miller and the other defendants downloaded the information to their personal computers (which is arguably a “manner of access” expressly not authorized under WEC’s network policy and may even under the Nosal en banc panel’s approach be enough to state a claim), even this is insufficient to state a cause of action under the CFAA. The Fourt Circuit says that inclusion of the word “so” in the definition of “exceeds authorized access” could just be a connector or included for emphasis, and doesn’t necessarily indicate an intent to prohibit the manner of access. Given that this is a criminal statute, the court is reluctant to construe it in a way that creates liability where the language is not 100% clear. (The court also notes that Nosal’s approach—that focuses on the manner of access—would capture the well intentioned employee who has no fraudulent intent but happens to download materials to his or her personal computer in order to work from home.)
The court also expressly rejects the “cessation-of-agency” theory espoused by the Seventh Circuit. Under this theory, if you use the network in breach of your implied duties, or you technically violate the policy and therefore are no longer authorized to utilize your employer’s network, your ongoing access of your employer’s network is in violation of the CFAA. The court says that this approach would suck in “millions of ordinary citizens” who happen to check Facebook or sporting event scores while at work.
As the court acknowledges at the end of its opinion, this basically (mostly) shuts the door on employers using the Computer Fraud and Abuse Act against employees. While acknowledging that the decision will “likely will disappoint employers hoping for a means to rein in rogue employees,” the court notes that employers are not necessarily out of luck. They have a panoply of other claims available to them, including misappropriation of trade secrets, conversion, tortious interference, and civil conspiracy.
I’m not a Court watcher, but the CFAA cases were long thought to have been likely candidates for Supreme Court review, given the differing interpretations of the Circuit courts. I would think this case makes the possibility of such review even more likely.
I’m curious about how this case affects the availability of a CFAA claim in the scraping context. I thought the court’s comment about the viability of a CFAA claim where an employee is authorized to access a computer or network but not necessarily authorized to access certain categories of information left things somewhat unclear. Is the court talking about technical restrictions on the access to information or a policy-based restriction? Obviously the latter approach still leaves some room for employers to limit authorization for the access to information by certain employees and bring CFAA claims when these employees access such information.
1) This case answers one of the open questions from the Nosal case: was Nosal limited to criminal CFAA prosecutions, or would it extend to civil cases as well? Following in Nosal’s footsteps, this court interprets the civil CFAA claim narrowly in light of the statute’s criminal angle. This bodes well for reining in the CFAA’s footprints across all types of CFAA cases, not just employment cases.
2) Overall, this case illustrates how the CFAA wasn’t designed for the employment context, and especially not for an era when many employees have company-issued computing devices (computers, laptops, tablets, PDAs, cellphones, etc., etc.). Like Nosal, this court implicitly rejects the argument that the CFAA automatically regulates the workplace simply because everyone uses company-supplied technology as part of their ordinary work patterns.
3) As a result, although plaintiff lawyers will keep pleading CFAA in employment cases for years, I think we’re nearing the end of the CFAA as a standard claim in employer lawsuits against ex-employees.
4) While that may be good news, readers should pay close attention to the Protecting American Trade Secrets and Innovation Act of 2012. Perhaps the bill will go nowhere, but if it does, it would be a major step towards creating a general purpose federal cause of action for trade secret misappropriation. So as the CFAA wanes in importance in the employment context, a new federal trade secret claim ultimately could eclipse it.
9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal (original panel opinion, vacated on rehearing)