It’s always the same: Employee decides to go work for a competitor. Employee takes confidential information. Employee uses it in new job with competitor. Employer sues.
We see it all the time and, in fact, it is probably the most common scenario of cases asserting claims under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq. This case, however, handed down on April 20, 2011, has an interesting twist.
In Meats by Linz, Inc. v. Dear, 2011 WL 1515028 (N.D. Tex. Apr. 20, 2011), the court handed down a decision denying the Defendant’s Motion to Dismiss the CFAA claim on two distinct grounds: “access” and “loss”.
The Facts, Just the Facts
Steve Dear was employed by Meats by Linz, Inc. (“MBL”) as the general manager of its Dallas sales facility. He had an employment agreement that included a confidentiality / non-disclosure agreement. Dear decided to go work for one of MBL’s competitors but, before announcing he would be leaving, accessed MBL’s password-protected confidential and proprietary information to which only he, and others on a “need to know” basis, had access. In fact, he accessed it at 9:15 p.m. on a Sunday night, downloaded it, and sent an email resignation about two hours later. In the words of Gomer Pyle, “Surprise! Surprise!” … not long afterwards, he was working for a competitor and soliciting MBL’s customers by, according to MBL, using its confidential and proprietary information that he had taken.
MBL sued alleging, among other things, violation of the Computer Fraud and Abuse Act for improperly and illegally accessing its confidential and proprietary information on its computer system “without authorization” or by “exceeding authorization”. Dear moved to dismiss the CFAA claim on two grounds.
“Trilogy of Access Theories”
Dear’s first ground was based on the “access” issue. He argued that he had authorization to access the information and did not exceed his authority by accessing or downloading it. (Opinion p. 5) In essence, Dear was arguing for the Brekka position on the access issue but, to no avail, and for good reason. In United States v. John, 597 F.3d 263, 271 (5th Cir. 2010), the Fifth Circuit solidified its earlier holding in United States v. Phillips, 477 F.3d 215 (5th Cir. 2007), and created on this access issue what appears to be the third line of cases–a trilogy of access theories.
The Trilogy started with the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (citing Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)) in which it held that under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so to would his authorization change by becoming unauthorized. Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it.
Access Means Access Theory
The Ninth Circuit, however, in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) refused to follow the Citrin theory and expressly rejected it, holding instead that a strict interpretation of the the CFAA prohibits unauthorized access to the computer rather than unauthorized use of the information. According to Brekka, once an employee was authorized to access the computer, his access continued to be authorized even if his loyalties to his employer changed and began doing “another’s bidding,” so to speak. Regardless of an employee’s subject loyalties and intentions, the only way his authorization could be terminated is by an express act by the employer.
The Fifth Circuit came up with third line of cases analyzing this issue, one that splits the difference between the expansive interpretation of the CFAA under Citrin (the Agency Theory) and the narrow interpretation under Brekka (the Access Means Access Theory).
In United States v. John, 597 F.3d 263, 271 (5th Cir. 2010), the court explained its “intended-use analysis” as follows: access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given is exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements. Under this theory, an employee’s own subjective changing of allegiances is not enough by itself to terminate authorization, yet an employer is not required to expressly notify the employee that his access is terminated. Rather, the employer can implement certain restrictions on access and use of information obtained thereby, ahead of time by policies and agreements, that are known by the employee, and if the employee still violates those limitations by accessing information and using it for improper purposes–not for its intended use–that access will be considered as having been unauthorized for purposes of the CFAA.
How Do You Think the Dear Court Ruled on “Access”?
Come on, you read the Trilogy of Access Theories, didn’t you? Now that you know where the Fifth Circuit stands on this issue under the Computer Fraud and Abuse Act so tell us, how do you think the Dear Court ruled?
You’re right! It denied the Motion to Dismiss on the “access” issue, finding that because Dear accessed the information in violation of the restrictive covenants and, therefore, not in furtherance of its intended use, his access was unauthorized. (Opinion p. 3) Just what we expected but now for the twist …
This one caught me a little by surprise. From a CFAA Plaintiff’s perspective, this case is a gift from above as it now allows for more expansive form of “loss” vis-a-vis how some other courts have ruled on this issue. But … I wouldn’t get too excited just yet. Let me explain,
Substantially all of the business related civil claims brought under the Computer Fraud and Abuse Act are brought pursuant to subsection (c)(4)(A)(i)(I) which requires the following be established for the court to have jurisdiction over the claim. There must be a
loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;
18 U.S.C. § 1030(c)(4)(A)(i)(I). The term loss is defined by the CFAA as
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
18 U.S.C. § 1030(e)(11). This issue has been litigated for a while and the courts have been pretty clear on it.
In a recent case out of the Southern District of Texas, M-1 LLC v. Stelly, 2010 WL 3257972, at *12 (S.D. Tex. Aug. 17, 2010) (citing Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 475 (S.D.N.Y. 2004), aff’d, 166 Fed. Appx. 559, 562-63 (2nd Cir. 2006)), the court analyzed this issue and stated the prevailing view: “case law has consistently interpreted the loss provision to encompass only the costs incurred as a result of investigating or remedying damage to a computer, or costs incurred because the computer’s service was interrupted.”
In an even more recent case the Southern District of Texas stated as follows:
The term “loss” encompasses only two types of harm: costs to investigate and respond to an offense, and costs incurred because of a service interruption.
Alliantgroup, L.P. v. Feingold, 2011 WL 1157315, at *15 (S.D. Tex. Mar. 24, 2011) (citing Quantlab Technologies Ltd. (BVI) v. Godlevsky, 719 F. Supp.2d 766, 776 (S.D. Tex. 2010) (citing Nexans Wires S.A. v. Sark-USA, Inc., 319 F. Supp.2d 468, 472 (S.D.N.Y. 2004), aff’d 166 Fed. Appx. 559, 562-63 (2nd Cir. 2006))).
The Dear case did not involve allegations of interruption of service so we must be talking about the first type of harm: costs to investigate and respond to an offense, right?
In the case Quantlab Technologies Ltd. (BVI) v. Godlevsky, 719 F. Supp.2d 766, 776 (S.D. Tex. 2010), decided on June 23, 2010, the facts were very similar to the Dear case in that a former employee had accessed his employer’s computer while he was was employed and took confidential and proprietary trade secrets that he then used to compete with his former employer. The trade secrets were literally worth millions of dollars but the issue was whether they met the $5,000 jurisdictional loss requirement. They did not. Why?
Because, it is relatively well settled that misappropriated trade secret information, and the conclusory profits that may be earned therefrom are not considered to be costs to investigate and respond to an offense, regardless of how much they may be worth. See Quantlab Technologies Ltd. (BVI) v. Godlevsky, 719 F. Supp.2d 766, 776 (S.D. Tex. 2010).
In Quantlab the court found there was no adequate pleading of loss. Same with with the Alliantgroup, L.P. v. Feingold case cited above, just decided on March 24, 2011–employee took trade secrets then used the information to compete–the information was worth well over $5,000 but it was not a “loss” as defined by the CFAA. Alliantgroup, L.P., 2011 WL 1157315, at *15.
While these cases are certainly not binding precedent, it has seemed as though this issue was becoming fairly well settled. In the Dear case, the court found the facts supporting the pleading of loss was that meat products were sold to specific customers listed in the proprietary information. (Opinion p. 8). In other words, the only “loss” that was pleaded was essentially the loss of trade secrets. Here is a copy of the Complaint for your review, at paragraph 32.
So given how many courts have ruled on this issue I was a bit surprised by the ruling finding that there was an adequate “loss” pleaded:
MBL alleges that Dear’s actions resulted in “damage or loss to MBL aggregating at least $5,000 in value.” Compl. ¶ 32. This allegation is augmented by factual assertions that meat products were sold to specific customers listed in MBL’s Gross Profit Report. These averments make plausible MBL’s theory that Dear obtained confidential business information while exceeding his authorized access, then used this customer data to deprive MBL of sales from regular customers, resulting in lost revenue that could amount to over $5,000 over the course of one year.
(Opinion p. 8 ) Accordingly, the Motion to Dismiss was denied.
The court’s ruling on the “loss” issue does not seem to comport with much of the nonbinding prior case law, which is not unusual for a body of law that is still developing like the CFAA. This case could very well be setting this issue up for the Fifth Circuit to decide given that both the Quantlab and Alliantgroup courts, as well as the Dear Court, are all within the Fifth Circuit. Given this situation, many times when a court decides to depart from one particular line of reasoning and adopt a different one, they acknowledge the other line, explain why it doesn’t apply or why it should be changed, and then explain how they believe the issue should be handled. This happens all of the time and is part of the process for how these issues are refined by judicial reasoning. Moreover, this is how the issues get “framed up” for the appellate courts to then decide. Given that the Dear opinion did not spend much time on this issue, however, I decided to review the briefing to see for myself how extensively the issues were briefed for the court and have linked to the relevant briefing for your review as well: Defendant’s Motion to Dismiss and the Plaintiff’s Response to Motion to Dismiss and Brief in Support.
What are your thoughts?
- Basic Elements of a Computer Fraud and Abuse Act – “Fraud” Claim (shawnetuma.com)
- Taking of Confidential Info Alone Not “Loss” Under CFAA (shawnetuma.com)
- Court Rejects Argument That All First-Time Email Hacking Offenses Are Felonies (eff.org)
- CFAA Not Subject to Rule 9 (shawnetuma.com)
- Former Employee’s Deletion of Data May Constitute CFAA “Damage” (shawnetuma.com)
- Is the Value of Confidential Information Different From Copyrighted Material Under the Computer Fraud & Abuse Act? (shawnetuma.com)
- Should Everyone Who Uses A Phone Or A Computer As Part Of A Crime Get A Longer Sentence? (techdirt.com)
- Customers Sue Apple Over iPhone Location-Data Collection (wired.com)
- Apple sued over location tracking in iOS (news.cnet.com)
- Is Breaking a Website’s Terms of Service a Crime? (neatorama.com)