Ex-Employee’s Access/Misuse of Employer Files States CFAA Claim — Weingand v. Harland Financial
[Post by Venkat Balasubramani with comments by Eric]
Weingand v. Harland Financial Solutions, C 11 3109 EMC (N.D. Cal.; June 19, 2012)
Weingand involves claims brought by an employee, and proposed counterclaims brought by the employer against the employee. Not surprisingly, the employer tried to assert claims under the Computer Fraud and Abuse Act (and California Penal Code section 502, a state anti-hacking statute). The court grants the employer’s motion for leave to amend, finding that the counterclaims would survive a 12(b)(6) motion.
The facts are similar to other employee CFAA cases in the sense that the employer alleges that the employee accessed the network and misused the employer’s information, but there’s a small twist. The employee allegedly accessed the employer’s network after he left the company. He gained access to the network by telling the employer that he wanted to access some of his personal files. According to the employer, the employee then accessed some 2,700 business files of the employer, “all of which contained non-public information, copyrighted information, and/or confidential and propriety [sic] information.” The big question is whether this constitutes access without authorization, or access in excess of authorization, under the CFAA.
CFAA: The court first addresses whether Harland Financial states a claim under the CFAA. Weingand argued that since he was authorized to access the network, he could not be held liable under the CFAA. Citing to Nosal, Weingand contended that:
[the] level of verbal . . . authorization was irrelevant because the only ‘authorization’ to which the statute speaks is ‘code’ authorization (i.e., whether someone is literally blocked from certain files by some security measure such as a password).
The court disagrees and says that Nosal draws a distinction between access and use, not between types of authorization pertaining to access. According to the court, you can be held liable if you access something without authorization, but not if you use information that you were authorized to access in a way that’s unauthorized.
Cal. Penal Code sec. 502: Section 502 is a state anti-hacking statute that was central to Facebook’s claim against Power Ventures. In that case Judge Ware said that a violation of the statute had to be premised on circumvention of technical measures (even circumvention of IP-address blocking could suffice, but there had to be something). Judge Chen declines to follow this approach, instead following Facebook v. ConnectU where Judge Seeborg held that access in violation of Facebook terms using log-in information supplied by registered users was sufficient to state a claim under Section 502. In other words, an employee’s violation of an employer’s network policy may state a claim under Section 502 because it’s the same as unauthorized access.
Other miscellaneous claims: Finally, the court says that the employer’s claims for conversion, breach of contract, unjust enrichment, interference with prospective economic advantage, and unfair competition (under California’s UCL statute) would survive a 12(b)(6) motion.
A question left open by Nosal is to what extent that decision would gut employer claims under the CFAA. Nosal (and the WEC Carolina Energy case from the Fourth Circuit) seemed to leave open the possibility that, if an employee is not authorized to access certain information at all (even though she is authorized to access “the network”), this may amount to unauthorized access under the CFAA. The court here seizes upon that–Weingand is authorized to access the network but not the information in question. However, it’s worth noting that the factual scenario here is somewhat unique because the access occurred after the employment relationship ended (which would support some sort of access-obtained-by-fraud argument on the part of the employer). A similar factual scenario was presented in LVRC v. Brekka where the Ninth Circuit held that (1) access during employment in contravention of a policy is not sufficient to state a CFAA claim, and (2) while post-employment access may support a CFAA claim, the employer in that case failed to present sufficient evidence of post-employment access to withstand the employee’s motion for summary judgment.
The court in this case doesn’t delve into the precise exchange between the employer and employee relating to the access. Did the employee already have access and merely give the employer the heads-up that he was logging into the network? Had the employer terminated access (and revoked the password) and did the employer reinstate it to allow the employee to access the network? If it’s the former, it’s tough to make a principled distinction between Nosal (and WEC Carolina Energy) and this case, and the court certainly does not delve into this issue. In any event, as Eric explores below, CFAA jurisprudence remains murky, and as a result, employers will probably re-draft their network policies and continue to push the envelope on CFAA claims.
The fact that the employer here was able to assert numerous other claims illustrates that (as argued by the court in WEC Carolina Energy) the CFAA did not need to be interpreted as expansively as employers contend–i.e., they have adequate other remedies available.
I think it’s safe to declare that the CFAA jurisprudence is officially a mess. (Apropos of this, see this Reuters recap). There are multiple scenarios that the courts keep jumbling up:
Scenario #1: defendant never has authorization to access the protected computer or the information on the protected computer (i.e., the bad hacker scenario)
Scenario #2: defendant does not have authorization to access the protected computer but does have authorization to information on the computer (i.e., maybe this describes the Lori Drew situation)
Scenario #3: defendant has authorization to access the protected computer but doesn’t have authorization for information on the computer (i.e., employee misappropriation of trade secrets stored on company computers)
Scenario #4: defendant has both authorization to access the protected computer and information on it
Scenario #1 is the easy CFAA case. Scenario #4 should not result in any CFAA liability. Scenarios #2 and #3 are vexing the courts.
I had thought after Nosal and WEC that Scenario #3 wasn’t actionable under the CFAA but would be actionable under the laws protecting the information (such as trade secret misappropriation). This case seems to disagree. This case also seems to imply that employers could simply redraft their employee computer use policies to say that employees aren’t authorized to access the computers if they subsequently misuse the information on the computers, and that such a policy would revive the CFAA claim. This drafting workaround seems way too easy.
Another way of reading the situation is that CFAA law distinguishes between non-employees and employees. Perhaps there’s no circumstance where employees can violate the CFAA when accessing their employer’s computers, but all bets are off the moment they leave employment. If this latter distinction is true, then the CFAA remains a potent threat in the scraping context.
Putting aside the CFAA issues for a moment, what in the world was the employer thinking providing an ex-employee unrestricted/unsupervised access to its computers? This is a huge no-no. Cf. Meyerkord v. Zipatoni; Ground Zero Museum v. Wilson. Even ex-employees who left on the best of terms should not be given this power. At most, the employer should have had an HR person do the downloading him/herself.