Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act

A recent district court opinion relied on employment agreement restrictions to determine whether the employees exceeded their authorized access to the employer’s computers. In doing so, the court used the Intended-Use Theory of access to determine whether there may have been a violation of the Computer Fraud and Abuse Act (CFAA), highlighting the need for companies to have well-written agreements that objectively establish such intended use.

Specifically, the court looked to two restrictions in the employment agreements that happen to be the same restrictions I make sure my clients have in their employment agreements:

  1. the employee’s use of the computer and data was restricted to the period of employment (limited duration); and
  2. the employee’s use of the computer and data was restricted to being only for the benefit of employer (intended use). 

Notice the italicized text “and data” — that is another restriction that I include in these agreements. Why? Because, most of the agreements that are litigated under the CFAA involve restrictions on the access to and use of the computers but most of the underlying factual scenarios for those same cases involve the usage of the data obtained by the access — not just the access to the computer. The case discussed here is Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), and it exemplifies this point quite well.

While it is always important to have well written employment agreements and/or acceptable computer use policies, it is even more important to have these in jurisdictions that follow the Intended-Use Theory of access because under this theory the courts look to the restrictions placed upon and known by the employee to determine whether authorized access is exceeded. In United States v. John, 597 F.3d 263, 271 (5th Cir. 2010), the court explained its “intended-use analysis” as follows: access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given is exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements.

Trilogy of Access Theories

There are three theories of access under the Computer Fraud and Abuse Act: Intended-Use Theory, Strict Access Theory, and Agency Theory. I explain this trilogy of access theories with more detail in this post: New “Employment” Computer Fraud and Abuse Act case … but with a twist! though the cases under the Strict Access Theory have changed since that time.

The Intended-Use Theory is followed by the following jurisdictions (as of this writing): Fifth Circuit (United States v. John and United States v. Phillips), Eleventh Circuit (United States v. Rodriguez), Eighth Circuit, which includes Missouri (United States v. Teague), Third Circuit (United States v. Tolliver) and possibly the First Circuit (United States v. MorrisUnited States v. Czubinski) as the rationale for the Intended-Use Theory is derived from the second factor in Morris. 

The Strict Access Theory is followed by the Ninth Circuit (United States v. Nosal a/k/a Nosal II) and Fourth Circuit (WEC Carolina Energy Solutions LLC v. Miller).

The Agency Theory is followed by the Seventh Circuit (International Airport Centers, LLC v. Citrin).

TAKEAWAYS: The important takeaways from the Custom Hardware Engineering & Consulting, Inc. v. Dowell case are that your business really needs to have solid employment agreements or acceptable use policies that restrict (1) the duration for which access is authorized, (2) the intended-use for which access is authorized, and (3) that these restrictions apply to not only the computers but also the data that is accessible from those computers.

If you would like to talk with me about legal issues concerning computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Current Employee May Have Violated Computer Fraud and Abuse Act by Downloading for Secret New Employer

A federal district court in Mississippi refused to dismiss the Computer Fraud and Abuse Act claims against an individual who, during the term of his employment downloaded confidential information for a new employer. While employed by the plaintiff, the defendant had secretly negotiated an employment agreement with a new company but, before announcing his resignation he accessed the plaintiff’s computers and downloaded a substantial amount of its sensitive confidential business information. The District Court found this could be an unauthorized access under the Computer Fraud and Abuse Act: “Several courts have recognized however, that ‘once an employee is working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.'” Unified Brands, Inc. v. Teders, 868 F. Supp.2d 572 (S.D. Miss. 2012) (quoting Continental Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp.2d 1357, 1372 (S.D. Fla. 2009)).

What I find interesting about this case is that it seems to rely on the rationale of the Agency Theory that is followed by the Seventh Circuit as opposed to the Intended Use Theory that is followed by the Fifth Circuit (which includes Mississippi) and the Eleventh Circuit (which includes Florida). Cases following the Agency Theory are becoming a rarity these days (see Citrin Lives!). For a more detailed explanation of the three primary theories of access you can read more HERE. What will be interesting is to see what path the parties take should there be a motion for summary judgment in the future.

Should you or anyone you know need assistance in dealing with possible claims under the Computer Fraud and Abuse Act or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!

-Shawn E. Tuma

Citrin Lives! Dist. Ct. applies the agency theory of access in a post-Nosal Computer Fraud and Abuse Act case

The Intended Use Theory of access under the Computer Fraud and Abuse Act (“CFAA”) has been all the rage among since the Ninth Circuit handed down its opinion in United States v. Nosal but that doesn’t mean the Agency Theory has gone by the wayside. Just last week a district court used the Agency Theory (set forth by the Seventh Circuit in International Airport Centers, LLC v. Citrin) to determine that an employee, who after changing loyalties from his existing employer to another, accessed his then-employer’s computer and deleted data from the computer before turning it back in, destroyed data without authorization in violation of the Computer Fraud and Abuse Act. Lawyers, perhaps it isn’t time to forget about the Agency Theory just yet!

The case is LKQ Corporation v. Thrasher, 2011 WL 1984527, — F. Supp.2d — (N.D. Ill. May 23, 2011) and in it the court stated: “no allegation specifically noting that LRQ restricted his access to his company computer is necessary to state a Computer Fraud and Abuse Act claim. LKQ’s allegation of breach of duty are enough to properly allege that Thrasher lost his authorization to access his company computer. See Int’l Airport Ctr. L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)” and, on this basis, denied Thrasher’s Motion to Dismiss.

It is worth noting that, though Thrasher did have a contractual agreement with LKQ that prohibited him from competing with LKQ, the agreement did not define the permissible uses of LKQ’s computer system or place any restrictions thereon. In the Seventh Circuit, which follows the Citrin Agency Theory of access, this was still a violation of the CFAA. Had this occurred in the Ninth, Eleventh, or Fifth Circuits, it probably would not have been as they follow the Intended Use Theory as set forth in United States v. Nosal, United States v. Rodriguez, and United States v. John, respectively. For a more thorough explanation of this go HERE.

What does this teach you if your company has a computer that others access? That’s right, we lawyers are good for something every so often!

Computer Use Policies – Do They Even Matter?

They Certainly Do!

If a company has a policy or contractual agreement that places limitations on the permissible reasons for accessing the company computer or permissible uses for the data on that computer, it will usually be enforceable according to a majority of the federal courts of appeals that have addressed the issue.

What does this mean?

It means the company can authorize people to have only limited access to the computers for a specific intended use and can only use the data on those computers for the specified intended use. The person accessing the computer must comply with those restrictions. The restrictions can be set forth in a company policy that is promulgated so that everyone knows it; the the restrictions can be in an employment agreement; or, the restrictions can be set forth in any other type of contractual agreement between the company and the people it is authorizing to access its computers.

What can happen?

Continue reading

Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

This past Monday I blogged of what I called the “Trilogy of Access Theories” to refer to the 3 lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).

That was a FAIL!

United States v. Nosal

As of today the trilogy has become a duo with the Ninth Circuit‘s opinion in United States v. Nosal. Honestly, however, I can’t say that it is that much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin–the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion though I am saving those for a different day … but here’s a hint: study those Bluebook signals! 

Case Background

Continue reading

New “Employment” Computer Fraud and Abuse Act case … but with a twist!

It’s always the same: Employee decides to go work for a competitor. Employee takes confidential information. Employee uses it in new job with competitor. Employer sues.

We see it all the time and, in fact, it is probably the most common scenario of cases asserting claims under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq. This case, however, handed down on April 20, 2011, has an interesting twist.

In Meats by Linz, Inc. v. Dear, 2011 WL 1515028 (N.D. Tex. Apr. 20, 2011), the court handed down a decision denying the Defendant’s Motion to Dismiss the CFAA claim on two distinct grounds: “access” and “loss”.

The Facts, Just the Facts

Steve Dear was employed by Meats by Linz, Inc. (“MBL”) as the general manager of its Dallas sales facility. He had an employment agreement that included a confidentiality / non-disclosure agreement. Dear decided to go work for one of MBL’s competitors but, before announcing he would be leaving, accessed MBL’s password-protected confidential and proprietary information to which only he, and others on a “need to know” basis, had access. In fact, he accessed it at 9:15 p.m. on a Sunday night, downloaded it, and sent an email resignation about two hours later. In the words of Gomer Pyle, “Surprise! Surprise!” … not long afterwards, he was working for a competitor and soliciting MBL’s customers by, according to MBL, using its confidential and proprietary information that he had taken.

Employer Sued

Continue reading