Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act

TAKEAWAYS: The important takeaways from the Custom Hardware Engineering & Consulting, Inc. v. Dowell case are that your business really needs to have solid employment agreements or acceptable use policies that restrict (1) the duration for which access is authorized, (2) the intended-use for which access is authorized, and (3) that these restrictions apply to not only the computers but also the data that is accessible from those computers.

A district court opinion relied on employment agreement restrictions to determine whether the employees exceeded their authorized access to the employer’s computers. In doing so, the court used the Intended-Use Theory of access to determine whether there may have been a violation of the Computer Fraud and Abuse Act (CFAA), highlighting the need for companies to have well-written agreements that objectively establish such intended use.

Specifically, the court looked to two restrictions in the employment agreements that happen to be the same restrictions I make sure my clients have in their employment agreements:

  1. the employee’s use of the computer and data was restricted to the period of employment (limited duration); and
  2. the employee’s use of the computer and data was restricted to being only for the benefit of employer (intended use). 

Notice the italicized text “and data” — that is another restriction that I include in these agreements. Why? Because, most of the agreements that are litigated under the CFAA involve restrictions on the access to and use of the computers but most of the underlying factual scenarios for those same cases involve the usage of the data obtained by the access — not just the access to the computer. The case discussed here is Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), and it exemplifies this point quite well.

While it is always important to have well written employment agreements and/or acceptable computer use policies, it is even more important to have these in jurisdictions that follow the Intended-Use Theory of access because under this theory the courts look to the restrictions placed upon and known by the employee to determine whether authorized access is exceeded. In United States v. John, 597 F.3d 263, 271 (5th Cir. 2010), the court explained its “intended-use analysis” as follows: access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given is exceeded and the employee is actually aware of those limitations on purpose through policies or contractual agreements.

Trilogy of Access Theories

There are three theories of access under the Computer Fraud and Abuse Act: Intended-Use Theory, Strict Access Theory, and Agency Theory. I explain this trilogy of access theories with more detail in this post: New “Employment” Computer Fraud and Abuse Act case … but with a twist! though the cases under the Strict Access Theory have changed since that time.

The Intended-Use Theory is followed by the following jurisdictions (as of this writing): Fifth Circuit (United States v. John and United States v. Phillips), Eleventh Circuit (United States v. Rodriguez), Eighth Circuit, which includes Missouri (United States v. Teague), Third Circuit (United States v. Tolliver) and possibly the First Circuit (United States v. MorrisUnited States v. Czubinski) as the rationale for the Intended-Use Theory is derived from the second factor in Morris. 

The Strict Access Theory is followed by the Ninth Circuit (United States v. Nosal a/k/a Nosal II) and Fourth Circuit (WEC Carolina Energy Solutions LLC v. Miller).

The Agency Theory is followed by the Seventh Circuit (International Airport Centers, LLC v. Citrin).

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Related articles

13 thoughts on “Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act

  1. Pingback: Computer Fraud and Abuse Act Incorporates Traditional Principles of Tort Causation « Shawn E. Tuma
  2. Pingback: Court Finds Computer Fraud and Abuse Act Claim is Subject to Arbitration Agreement « Shawn E. Tuma
  3. Pingback: Computer Fraud and Abuse Act Cases Update (March 6, 2013) | Shawn E. Tuma
  4. Pingback: When leaving your job, make sure you do this if you really want to violate the Computer Fraud and Abuse Act! | Shawn E. Tuma
  5. Pingback: Advanced Micro Devices, Inc. v. Feldstein | CFAA digest
  6. Pingback: District Court Finds Breach of Contractual Limits on Access Violates the CFAA | Shawn E. Tuma
  7. Pingback: Why is PNC Bank Accusing Morgan Stanley of Corporate Espionage and Trade Secret Theft? | Shawn E. Tuma
  8. Pingback: Here is a “Computer Fraud” Case that is NOT Covered by the Computer Fraud and Abuse Act! | Shawn E. Tuma
  9. Pingback: Friday Wrap-Up (February 8, 2013): Noteworthy Trade Secret, Non-Compete and Cybersecurity News from the Web | The Trade Secret Litigator
  10. Pingback: Advanced Micro Devices, Inc. v. Feldstein, et al., 2013 WL 2666746 (D. Mass. June 10, 2013) | business cyber risk | law
  11. Pingback: Texas Broadens Unauthorized Access of Computer Law to Specifically Address Insider Misuse | business cyber risk | law
  12. Pingback: Departing Employee Taking Data from “Restricted” but Unsecured Folder Doesn’t Violate CFAA – Cybersecurity Business Law Blog
  13. Pingback: 3 Important Points on Computer Use Policies | Cybersecurity Business Law

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: