The CFAA as a Remedy for Employee Theft of Data
Sometimes the greatest threat to a company’s trade secrets is not sophisticated international hackers – it’s the company’s own employees. The potential for corporate espionage by disgruntled insiders and former employees exists anywhere there is competition, from businesses as diverse as welding1 to Major League Baseball.2 Over the last decade, the Computer Fraud and Abuse Act (CFAA) has become one of the most widely used litigation tools to fight the theft of trade secrets by insiders. However, the CFAA’s application to these situations has been highly debated.
On July 8, 2015, Sens. Lindsey Graham (R-SC) and Sheldon Whitehouse (D-RI) introduced legislation that would amend the CFAA to make it easier for companies to recover damages from employees who steal trade secrets. The proposed legislation, known as the “International Cybercrime Prevention Act of 2015,” would resolve a circuit split and make it clear that the CFAA prohibits the unauthorized use of information by insiders.
The Circuit Split
The CFAA was originally designed to prosecute traditional hackers who gain access to a computer “without authority.”3 The statute also applies to insiders, i.e., individuals who have access to a computer, but who “exceed authorized access.”4 The U.S. Courts of Appeals have divided on the scope of the phrase “exceeds authorized access.”5 Some courts have interpreted the phrase broadly and applied the CFAA to situations in which an insider has access to a computer but uses the data on that computer in an unauthorized way.
Other courts have warned that this interpretation could lead to dangerous results. Notably, the Ninth Circuit in Nosal argued that reading the CFAA broadly would make it a federal crime to play Sudoku at work in violation of an employer’s policy limiting the use of work computers to business purposes or to lie about one’s age in violation of a dating website’s terms of service.6 Those courts have adopted a narrow reading of the CFAA, holding that it does not apply to the unauthorized use of information on a computer. Under this narrow interpretation, an employee who steals trade secrets and provides them to a competitor has not violated the CFAA so long as the employee was authorized to access the trade secrets.
The Pending Legislation
The proposed International Cybercrime Prevention Act of 2015 aims to resolve this circuit split by adopting a middle ground. The proposed legislation rejects the narrow view articulated by the Ninth and Fourth Circuits. Instead, it makes it clear that the CFAA can apply to the unauthorized use of information, including insiders who provide trade secrets to a competitor. Specifically, the proposed legislation removes the phrase “exceeds authorized access” from 1030(a)(2),7 and instead states that the CFAA applies to any individual who:
“accesses a protected computer with authorization and thereby knowingly obtains information from such computer that the accessor is not entitled to obtain, or knowingly obtains any information from such computer for a purpose that the accessor knows is prohibited by the computer owner.”
On July 8, 2015, Deputy Assistant Attorney General David M. Bitkower testified before the Senate Judiciary Committee offering support for the proposed legislation. He expressly cited the narrow reading of the CFAA in Nosal and similar holdings as an impediment to protecting misuse of sensitive information by company insiders, stating “as a result of these decisions, insiders may be effectively immunized from punishment even where they intentionally exceed the bounds of their legitimate access to confidential information and cause significant harm to their employers and to the people — often everyday Americans — whose data is improperly accessed.”8
Although rejecting the narrow interpretation, the proposed legislation takes two important steps to eliminate the potentially dangerous results that the Ninth Circuit warned about in Nosal. First, the proposed legislation requires that the “information” at issue be “valued at $10,000” or more. Second, the proposed legislation excludes any conduct that is solely in violation of the terms of service between an Internet service provider and a subscriber. These limitations are designed to remove the possibility that Section 1030(a)(2) can be applied to trivial work place diversions or social media puffery.
If passed, the proposed Act will greatly strengthen the ability of employers to use the CFAA to address the theft of trade secrets by former employees. The facts of WEC Carolina Energy Solutions provide a good example of how the proposed legislation might affect trade secret litigation: a Project Manager at WEC, a wielding company, downloaded numerous sensitive documents from WEC’s servers, including pricing terms, pending projects, and summaries of WEC’s technical abilities.9 He then left WEC and began working for Arc, WEC’s main competitor. At Arc, he allegedly used the sensitive documents to steal a customer from WEC.10
WEC brought a CFAA claim against the Project Manager alleging that even though he had authorization to access the sensitive documents when he was employed by WEC, he nevertheless violated the CFAA because he did not have the authority to provide the sensitive documents to a competitor. The district court dismissed the CFAA claim, and the Fourth Circuit affirmed, holding that, “‘exceeds authorized access’ refers to obtaining or altering information beyond the limits of the employee’s authorized access. It does not address the use of information after access.”11 In other words, the Project Manager could not be prosecuted as a hacker because WEC had given him access to the sensitive documents. It did not matter for CFAA purposes whether WEC had a policy prohibiting him from providing that information to a competitor.
The proposed legislation would change that. According to the allegations by WEC, the Project Manager knowingly used the sensitive documents to aid his new employer, something he was not authorized to do. Assuming that the sensitive documents could be valued at $10,000 or more, WEC would certainly have stated a CFAA violation under the proposed legislation.
1See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).
2See New York Times, June 16, 2015 (available at here).
318 U.S.C. 1030(a).
5See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (exceeds authorization does not include violations of restrictions on the use of information); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (same); but see United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (CFAA includes violations of restrictions of use); United States v. John, 597 F.3d 263 (5th Cir. 2010) (same); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (same).
6See Nosal, 676 F.3d at 861-862.
7This article focuses on the amendments to Section 1030(a)(2). The proposed legislation makes similar modifications to other parts of Section 1030.
8Testimony of DAAG Bitkower, July 8, 2015 (available here).
9WEC Carolina Energy Solutions, 687 F.3d at 201-202.