Thursday, May 12, 2011

District of Columbia Limits Applicability of Computer Fraud and Abuse Act

In a case of first impression, a federal district court in the District of Columbia has joined those courts that restrict the applicability of the federal Computer Fraud and Abuse Act. Previously, we have written about the growing number of cases that have adopted a broad reading of this Act in a way that permits a claim to be made where an employee has accessed an employer's computer and removed proprietary data after deciding to accept a new job. See posts dated March 27, 2009 and September 7, 2010.

The CFAA protects companies from the misappropriation of proprietary information by someone who does not have authorized access to the computer or who has been authorized to access the computer, but who exceeds that authorization. The cases attempt to define the limits of authorized access.

A number of courts following the 7th Circuit's opinion in Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) have held that an employee who has been given access to his employer's computer network, loses that right of access as a matter of law when he has decided to accept a new job and downloads proprietary information from the network to use in his new position. Courts adopting this logic posit that such conduct violates the employee's duty of loyalty owed to his employer because, once he has made the decision to leave and has accepted the new position, the employee's interests become adverse to the interests of his current employer. Those courts find that accessing the computer, and copying proprietary information under such circumstances, exceed the authorization that the current employer has provided and violate the CFAA.

Not so in the District of Columbia according to a recent opinion by Magistrate Judge John Facciola in Lewis-Burke Associates, Ltd. v. Widder, 725 F. Supp.2d 187 (D.D.C. 2010), click here. There, the court relied upon the analysis of the 9th Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which held that, once an employer has authorized an employee to access the company computer, even if for limited purposes, that access is still authorized even if the employee violates those limitations. Id. at 1133. According to Brekka, whether an employee has authorization to access a computer is dependent upon whether the employer has terminated that authorization.

In the District of Columbia case, before he left his job, Widder copied proprietary and confidential electronic files onto a thumb drive that he took with him to his new employer. Some of the copying took place on his last day of work. The court found the Citrin standard to be unworkable and confusing. Instead, it held that Widder did not exceed his authorized access to the system even if he accessed and copied documents he was not entitled to see. Accordingly, the court dismissed the CFAA claim.

Based upon this decision, the CFAA is not an available remedy or a means of creating federal question subject matter jurisdiction in the District of Columbia for the theft of proprietary electronic information, except where the employer has terminated the employee's access rights before the theft occurs.