A federal district court in Mississippi refused to dismiss the Computer Fraud and Abuse Act claims against an individual who, during the term of his employment downloaded confidential information for a new employer. While employed by the plaintiff, the defendant had secretly negotiated an employment agreement with a new company but, before announcing his resignation he accessed the plaintiff’s computers and downloaded a substantial amount of its sensitive confidential business information. The District Court found this could be an unauthorized access under the Computer Fraud and Abuse Act: “Several courts have recognized however, that ‘once an employee is working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.'” Unified Brands, Inc. v. Teders, 868 F. Supp.2d 572 (S.D. Miss. 2012) (quoting Continental Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp.2d 1357, 1372 (S.D. Fla. 2009)).
What I find interesting about this case is that it seems to rely on the rationale of the Agency Theory that is followed by the Seventh Circuit as opposed to the Intended Use Theory that is followed by the Fifth Circuit (which includes Mississippi) and the Eleventh Circuit (which includes Florida). Cases following the Agency Theory are becoming a rarity these days (see Citrin Lives!). For a more detailed explanation of the three primary theories of access you can read more HERE. What will be interesting is to see what path the parties take should there be a motion for summary judgment in the future.
-Shawn E. Tuma
Related articles
- Fifth Circuit Finds Company Not Liable for Alleged Violations of CFAA and ECPA by Its Regional Manager (shawnetuma.com)
- White Hacker Faces Jail Time For Exposing AT&T’s Incompetence (vr-zone.com)
- Experts question guilty verdict for AT&T ‘hackers’ (networkworld.com)
Okay, I am truly intrigued by this case and the accompanying “agency” vs. “intended use” authorisations of access. I’m just a bit confused as to the difference between the two, so I’m going to have to be stupid here, and use small words. (Yeah, it’s been one of those days.) So – I understand the “intended use”, which (I assume) determines whether data retrieval and usage is legal or not based upon the party’s intended use of the data – hence the name. I’m unclear as to the “agency” issue – does that mean that the mere act of retrieving the data, once the person’s allegiance to the company has changed, can be considered an illegal act? I’d appreciate any enlightenment you can bring – IQ points are at a minimum with me today. Thanks!