Earlier this month, the District Court for the Northern District of California addressed the scope of the Computer Fraud and Abuse Act (“CFAA”), drawing a firm line between causes of action based on improper access of an employer’s computer, and causes of action based on improper use of the employer’s data. Because of the narrow view taken within the Ninth Circuit as to the scope of claims properly falling under the CFAA, the district court held that there was no viable claim under the CFAA.
In SunPower Corporation v. SunEdison, Inc., Case No. 15cv2462-WHO, SunPower, an energy services provider, alleged that the Defendants, former employees who had left SunPower to form SunEdison, accessed and copied thousands of SunPower’s confidential files in violation of their employment agreements, which required them to keep such information confidential. Plaintiff brought a variety of claims against the Defendants, including breach of contract, violation of the California Uniform Trade Secrets Act (“CUTSA”), and violation of sections 1030(a)(2) and (a)(4) of the CFAA. Defendants brought a motion to dismiss SunPower’s claims for violation of Section 1030 of the CFAA pursuant to Fed. Rule of Civ. Proc. 12(b)(6).
CFAA sections (a)(2) forbids an individual from intentionally accessing a computer without authorization or exceeding their authorized access, and obtaining information. Section(a)(4) of the CFAA forbids knowingly and with the intent to defraud, accessing a computer without authorization or exceeding authorized access, in furtherance of a fraud.
The court first distinguished between claims brought under the CUTSA and the CFAA, noting that the CFAA “targets ‘the unauthorized procurement or alteration of information, not its misuse or misappropriation.’” (citing United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012).) Specifically, “the phrase exceeds authorized access in the CFAA does not extend to violations of use restrictions.” Nosal, 676 F.3d at 863. The court emphasized the distinction between the CFAA’s purpose of punishing hackers, and CUTSA’s purpose of protecting confidential information.
After noting this distinction, the court turned to the specific allegations against the Defendants. SunPower claimed that the individual Defendants violated the CFAA by breaching SunPower’s computer use policies when they connected USB drives or other non-authorized equipment to SunPower’s systems and copied SunPower’s files to those devices. The court first noted the well-established rule that an employee who is authorized to access their employer’s system is generally not liable for a violation of the CFAA, because they did not “hack” into the system. Rather, if the employee was authorized to access the system at the time of access, the employee’s access was not “without authorization” or “exceeding authorized access” as defined in the CFAA. The court rejected the argument that the use of a USB device to transfer data off of SunPower’s systems constituted hacking by bypassing “technological barriers.”
Ultimately, the court found that the conduct alleged described misappropriation of confidential information, but not a violation of the CFAA. This is an important distinction for employers. Subject to certain claims that might arise under Section 1030(a)(5) of the CFAA (which section does not hinge on whether the defendant “exceeded authorized acces”), employers looking to bring claims in federal court cannot use the CFAA to pave the way for other state law claims. Federal courts appear to be making a clear distinction: CFAA claims target improper access of information, and trade secret claims target the type of information taken. Employers wishing to bring claims based on improper access of their systems are likely limited to state law claims, such as claims for violation of Cal. Penal Code § 502(c). As it turns out, this may wind up being more favorable for employers.