Another court has rejected the broader interpretation of the Computer Fraud and Abuse Act (“CFAA” or “the Act”) as applying to employees who exceed their authorized use. A recent decision in Minnesota highlights the issue of whether the Act imposes civil liability on employees who have permission to access their employers’ data, but do so with a wrongful purpose. See TripleTree, LLC v. Walcker No. 16-609, 2016 WL 2621954 (D. Minn. May 6, 2016).
The court considered this question in the context of a trade secrets case. A former employee of TripleTree, an investment banking company, was discovered to have accessed the Company’s confidential information and to have engaged in a series of suspicious activities just prior to leaving the Company for a competitor. Id. at *1. TripleTree filed claims against its former employee for, among other things, violating the CFAA and the Minnesota Uniform Trade Secrets Act. Id. at 2.
The court sua sponte considered whether it should dismiss TripleTree’s CFAA claim. Id. at *3. The CFAA sanctions a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from a protected computer.” 18 U.S.C. § 1030(a)(2)(c). Any person who suffers from a violation of the Act may bring a civil claim for damages. 18 U.S.C. § 1030(g). As an employee of TripleTree, the Defendant was permitted to access the Company’s confidential information. The court considered whether the Defendant’s malicious intent in accessing the information transformed an otherwise lawful act (using the Company’s computers) into a violation of the CFAA.
The court held that the CFAA focuses “on the scope of access rather than misuse or misappropriate of information.” 2016 WL 2621954, at *3. While the Act does not define “without authorization,” the court observed that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. The court reasoned that Congress, if it intended to penalize the misuse of information, would have instead drafted to the Act to prohibit individuals from using “such information in a manner that the accesser is not entitled so to use.” Id. at *4 (emphasis added).
The Defendant, at the time he accessed the Company’s computers, did so with the Company’s permission. Id. TripleTree argued that the Defendant’s authorization to access the Company’s computers was implicitly revoked when he decided to work for a competitor. Id. The court rejected this argument, noting that by this logic, an employee could be liable for violating the CFAA solely by virtue of looking for new employment. Id. It likewise rejected TripleTree’s argument that the Company’s employee manual made the Defendant’s acts unlawful. The manual only restricted employees’ use of Company data, it did not address employees’ scope of access. Id. As such, the court dismissed the Company’s Computer Fraud and Abuse Act claim.[1] Id.
TripleTree does not break any new ground in this ongoing dispute about the scope of the CFAA, as we have previously published on similar outcomes. It does, however, highlight a growing trend to interpret the CFAA as not applying to employees who access information to which they have permission. While the Eighth Circuit has never addressed this issue, other circuits have, resulting in a split in authority. The First, Fifth, Seventh, and Eleventh Circuits have all indicated that an employee exceeds their authorized access when they use their employers’ computer for an unlawful purpose or for a reason inimical to their employers’ interest.[2] On the other hand, the Fourth and Ninth Circuits have held that an employee does not violate the CFAA if they have permission to access the company’s computers, regardless of the employee’s intent.[3]
TripleTree may provide a vehicle for the Eighth Circuit to weigh in on this question that has confounded other circuits. In jurisdictions where the CFAA is construed broadly, it provides a potent tool for employers to recover for employee misfeasance. Employers located in those jurisdictions can help themselves by clearly defining in their manuals what constitutes misuse of company data. The Act’s ambiguous text, however, limits its usefulness in jurisdictions such as the Fourth Circuit, the Ninth Circuit and in Minnesota, which have held that an employee’s intent to misuse company data, alone, does not create liability under the CFAA. Until this question is resolved by the Supreme Court, employers, particularly those that operate in multiple jurisdictions, will have to be cognizant of the differing remedies for employee misconduct in different jurisdictions.
*****
[1] Having dismissed the federal claim, the court was unwilling to exercise its supplemental jurisdiction over the state-law claims, including TripleTree’s allegation that the Defendant violated the Minnesota Uniform Trade Secrets Act.
[2] See United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); see also EF Cultural Travel VS v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (holding that an employee likely violated the CFAA when he permissibly accessed company information but then disclosed it in violation of his confidentiality agreement).
[3] See United States v. Nosal, 676 F.3d 854, 864 (9th Cir. 2012); WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012).