Computer Fraud & Abuse Act (CFAA)

Another court has rejected the broader interpretation of the Computer Fraud and Abuse Act (“CFAA” or “the Act”) as applying to employees who exceed their authorized use.  A recent decision in Minnesota highlights the issue of whether the Act imposes civil liability on employees who have permission to access their employers’ data, but do so with a wrongful purpose.  See TripleTree, LLC v. Walcker No. 16-609, 2016 WL 2621954 (D. Minn. May 6, 2016).

The court considered this question in the context of a trade secrets case.  A former employee of TripleTree, an investment banking company, was discovered to have accessed the Company’s confidential information and to have engaged in a series of suspicious activities just prior to leaving the Company for a competitor.  Id. at *1.  TripleTree filed claims against its former employee for, among other things, violating the CFAA and the Minnesota Uniform Trade Secrets Act.  Id. at 2. 

The court sua sponte considered whether it should dismiss TripleTree’s CFAA claim.  Id. at *3.  The CFAA sanctions a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains  . . . information from a protected computer.”  18 U.S.C. § 1030(a)(2)(c).  Any person who suffers from a violation of the Act may bring a civil claim for damages.  18 U.S.C. § 1030(g).  As an employee of TripleTree, the Defendant was permitted to access the Company’s confidential information.  The court considered whether the Defendant’s malicious intent in accessing the information transformed an otherwise lawful act (using the Company’s computers) into a violation of the CFAA.


Continue Reading Recent Case Highlights Circuit Split on Important Computer Fraud and Abuse Act Question

Earlier this month, a federal judge ruled that a copycat trade secrets theft claim could not be re-litigated in federal court, having already been dismissed in a state court action. That decision came out of a complex dispute between a stem cell company and its prior President and CEO.

After former CEO Alan Smith left Cognate Bioservices Inc. in 2010, he sued Cognate for wage violations in Maryland state court. Cognate then counterclaimed for misappropriation of trade secrets alleging that Smith failed to return his company computer and passwords and misappropriated Cognate’s trade secrets. Meanwhile, Cognate filed a separate lawsuit in Maryland federal court alleging that Smith violated the Computer Fraud and Abuse Act and misappropriated Cognate’s trade secrets, among other things. Both the state court and federal court actions ran in parallel until May 2014 when the state court action went to a jury trial. The jury found against Cognate on its misappropriation counterclaim. Smith accordingly moved to dismiss the federal suit.


Continue Reading State Trade Secrets Claim Cannot Be Re-Litigated in Federal Court

Earlier this month, the District Court for the Northern District of California addressed the scope of the Computer Fraud and Abuse Act (“CFAA”), drawing a firm line between causes of action based on improper access of an employer’s computer, and causes of action based on improper use of the employer’s data.  Because of the narrow view taken within the Ninth Circuit as to the scope of claims properly falling under the CFAA, the district court held that there was no viable claim under the CFAA.
Continue Reading Access v. Use: An Important Distinction in the Computer Fraud and Abuse Act

Last week, the Ninth Circuit  issued an important decision for employers in United States v. Christensen, No. 08-50531, 2015 WL 5010591, at *14 (9th Cir. Aug. 25, 2015). In that case, the Court of Appeals held that employees who misuse their access to their employers’ computer systems can be held criminally liable under California Penal Code § 502(c)(2). While many lower-court decisions within the Ninth Circuit had questioned the scope of Section 502(c) and certain of its sub-parts, and some considered it to be primarily an “anti-hacking statute,” the Ninth Circuit’s decision makes clear that § 502(c) applies even to an employee who accesses a database or system with a valid password, but proceeds to take, copy, or use data without permission to do so.
Continue Reading Access Denied — Christensen Sets the Standard for Violations of Penal Code § 502(c)

Congress continues to show interest in refining federal trade secret law to meet the challenges of the internet age. Two bills potentially impacting a company’s ability to protect its trade secrets have been introduced. The first, “Aaron’s Law Act of 2013,” seeks to resolve the Circuit split under the Computer Fraud and Abuse Act (CFAA)

In a blow to victims of data theft, the Ninth Circuit in United States v. Nosal held that the Computer Fraud and Abuse Act (CFAA) was not an available remedy where the alleged thief had authorized access to the computer system from which data was stolen. The Northern District Court of California’s recent decision in