Citrin Lives! Dist. Ct. applies the agency theory of access in a post-Nosal Computer Fraud and Abuse Act case

The Intended Use Theory of access under the Computer Fraud and Abuse Act (“CFAA”) has been all the rage among since the Ninth Circuit handed down its opinion in United States v. Nosal but that doesn’t mean the Agency Theory has gone by the wayside. Just last week a district court used the Agency Theory (set forth by the Seventh Circuit in International Airport Centers, LLC v. Citrin) to determine that an employee, who after changing loyalties from his existing employer to another, accessed his then-employer’s computer and deleted data from the computer before turning it back in, destroyed data without authorization in violation of the Computer Fraud and Abuse Act. Lawyers, perhaps it isn’t time to forget about the Agency Theory just yet!

The case is LKQ Corporation v. Thrasher, 2011 WL 1984527, — F. Supp.2d — (N.D. Ill. May 23, 2011) and in it the court stated: “no allegation specifically noting that LRQ restricted his access to his company computer is necessary to state a Computer Fraud and Abuse Act claim. LKQ’s allegation of breach of duty are enough to properly allege that Thrasher lost his authorization to access his company computer. See Int’l Airport Ctr. L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)” and, on this basis, denied Thrasher’s Motion to Dismiss.

It is worth noting that, though Thrasher did have a contractual agreement with LKQ that prohibited him from competing with LKQ, the agreement did not define the permissible uses of LKQ’s computer system or place any restrictions thereon. In the Seventh Circuit, which follows the Citrin Agency Theory of access, this was still a violation of the CFAA. Had this occurred in the Ninth, Eleventh, or Fifth Circuits, it probably would not have been as they follow the Intended Use Theory as set forth in United States v. Nosal, United States v. Rodriguez, and United States v. John, respectively. For a more thorough explanation of this go HERE.

What does this teach you if your company has a computer that others access? That’s right, we lawyers are good for something every so often!

Computer Use Policies – Do They Even Matter?

They Certainly Do!

If a company has a policy or contractual agreement that places limitations on the permissible reasons for accessing the company computer or permissible uses for the data on that computer, it will usually be enforceable according to a majority of the federal courts of appeals that have addressed the issue.

What does this mean?

It means the company can authorize people to have only limited access to the computers for a specific intended use and can only use the data on those computers for the specified intended use. The person accessing the computer must comply with those restrictions. The restrictions can be set forth in a company policy that is promulgated so that everyone knows it; the the restrictions can be in an employment agreement; or, the restrictions can be set forth in any other type of contractual agreement between the company and the people it is authorizing to access its computers.

What can happen?

Continue reading

Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

This past Monday I blogged of what I called the “Trilogy of Access Theories” to refer to the 3 lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).

That was a FAIL!

United States v. Nosal

As of today the trilogy has become a duo with the Ninth Circuit‘s opinion in United States v. Nosal. Honestly, however, I can’t say that it is that much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin–the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion though I am saving those for a different day … but here’s a hint: study those Bluebook signals! 

Case Background

Continue reading