The days when a disloyal departing employee would sneak into the office at night and, by the light of a flashlight, pack up a briefcase full of documents containing his employer's trade secrets and other confidential information in order to start up a competing business or to give them to his new employer have, for the most part, passed. Today, that same employee may download the same information off the very laptop his employer provided to him to do his job or he may email it from the office during lunch or via remote access from the comfort of his home, while watching American Idol.
While the tools available to the disgruntled employee have multiplied as a result of the computer revolution, the oft-used arrows in the quiver of the employer - such as filing for immediate injunctive relief based on theories of breach of restrictive covenants, breach of duty of loyalty, misappropriation, conversion, unfair competition, tortious interference - may be supplemented with a claim under the less familiar and infrequently used Computer Fraud and Abuse Act ("CFAA").1
The CFAA, passed in 1984 as the "Counterfeit Access Device and Computer Fraud and Abuse Act of 1984," was intended to supplement mail and wire fraud statutes. Its target was protecting classified, financial and credit information on government and financial institution computers ("federal interest computers"). Because it only prohibited unauthorized access or hacking,2 it did not protect against improper use by authorized users.
Initially providing only criminal penalties (fines and imprisonment), the CFAA was amended by the Computer Abuse Amendments Act of 1994, which added civil remedies (compensatory damages and injunctive and other equitable relief), expanded protection to include damage or loss by both outsiders and by insiders or other authorized users, and criminalized certain types of reckless conduct and intentional acts.
With the proliferation of computers in businesses and homes and the creation of the Internet, computer use has become increasingly interstate in nature and, therefore, subject to the CFAA. Today, the most common civil causes of action under the CFAA are brought under either:
1. 18 U.S.C. 1030(a)(2)(C), which requires a showing that a person (1) "intentionally," (2) accessed a computer, (3) "without authorization" or "exceeded authorized access," (4) and obtained information from any "protected computer,"3 (5) if the conduct involved an interstate or foreign communication;
2. 18 U.S.C. 1030(a)(4) which requires a showing that a person has (1) "knowingly and with intent to defraud," (2) accessed a "protected computer," (3) "without authorization," and thus (4) has furthered the intended fraudulent conduct and obtained "anything of value"; or
3. 18 U.S.C. 1030(a)(5) which requires a showing that a person (1) "knowingly," (2) caused transmission of a program, information, code or command and, (3) as a result, "intentionally" (4) caused damage, (5) "without authorization," (6) to a "protected computer," or (7) "intentionally," (8) accessed a "protected computer," (9) "without authorization," and (10) caused damage" and "loss" aggregating at least $5,000.00.4
The Seminal CFAA Civil Case Against Former Employees Wrongfully Using Information From A Former Employer's Computer System
Most early cases brought under the CFAA involved hacking activities, actionable as "unauthorized access" under 18 U.S.C. 1030(4). YourNetDating, LLC v. Mitchell 5 was the first reported case which, though decided as an "unauthorized access" case, bridged the gap from a straight hacking claim to an employer-employee dispute. YourNetDating, LLC ("YND"), an Internet dating service, sought a temporary restraining order under the CFAA, enjoining a former employee who had hacked into its website, diverting customers - via a blind link (which made it impossible to return to the dating website) - to Sexetera, a pornographic site operated by his new company. The court granted temporary restraints, holding that, if YND's allegations were true, the conduct violated the CFAA.
Because no prior reported cases had dealt exclusively with a CFAA claim in the context of a current employee exceeding his authorization and pilfering his employer's trade secrets and confidential information for his own benefit and the benefit of a new employer, the opinion of the District Court for Western District of Washington in Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc. 6 became the seminal opinion on how each of the three sections of the CFAA cited above applies when an insider steals his employer's trade secrets or confidential information.
Shurgard Storage Center, Inc. ("Shurgard") was an industry leader in self storage in the United States and Europe. It attributed its growth to its having developed "a sophisticated system of creating market plans, identifying appropriate development sites, and evaluating whether a site will provide a high return on an investment." Shurgard claimed to have expended "significant resources in creating its marketing teams for each potential market."
Safeguard Self Storage, Inc. ("Safeguard") began operating as a direct competitor of Shuregard in 1997. In late 1999, Safeguard began courting Eric Leland, a Regional Development Manager at Shurgard. While still employed by Shurgard and without its knowledge or permission, Leland, who had full access to Shurgard's confidential business and expansion plans, as well as other trade secrets, began emailing proprietary information and trade secrets to Safeguard. In October 1999, Leland was hired by Safeguard, where he continued to provide his new employer with confidential and proprietary information belonging to his former employer. In addition, Safeguard lured away other Shurgard key employees with intimate knowledge of Shurgard's business models and practices.
Shurgard sued, claiming that Safeguard had embarked on a systematic scheme to raid its key employees in order to steal its trade secrets. Safeguard moved to dismiss Shurgard's CFAA claims on several grounds. Safeguard first challenged Shurgard's claim under 18 U.S.C. 1030(a)(2)(C) on the basis that all Shurgard employees accused of transferring confidential information to Safeguard had full access to that information, and therefore, Shurgard could not claim that they acted without authorization or that they exceeded their authorized access to Shurgard's computers. The court rejected that argument, holding that, pursuant to Restatement (Second) of Agency 112 (1958), the disloyal employees' authority to access Shurgard's computers ended when they began acting as agents of Safeguard.
Safeguard next argued that CFAA section 18 U.S.C. 1030(a)(2)(C) did not apply because it was intended to protect only entities whose information affected the national economy. The Court rejected that argument, holding that the statute simply prohibits taking information from "any protected computer if the conduct involved an interstate or foreign communication." Because the pilfered information traveled over the Internet, the conduct was interstate in nature and, therefore, it was covered by the CFAA.
The third argument advanced by Safeguard was that, in order to satisfy the CFAA requirement of 18 U.S.C. 1030(a)(4) to prove "intent to defraud," Shurgard would have to prove the common law elements of fraud. The Court disagreed, holding that the proper standard for fraud under the CFAA was satisfied by the allegation that Safeguard had "participated in dishonest methods to obtain [Shurgard's] secret information."
Next, Safeguard argued that 18 U.S.C. 1030(a)(5)(C) only applied to "outsiders," not employees. The court held that, since the CFAA prohibits "whoever intentionally accesses ," it was unambiguously applicable to the conduct at issue.
Finally, Safeguard argued that Shurgard failed to sufficiently plead a claim under 18 U.S.C. 1030(a)(5)(C) because it did not plead that it suffered the required "damage," since the loss of information does not constitute "damage" under the CFAA. The Court rejected this agreement. Looking at the legislative history and the examples cited therein, it held that by virtue of the fact that Safeguard "allegedly infiltrated [Shurgard's] computer network collected and disseminated confidential information," its conduct constituted "damage" under the statute.
In sum, a review of the plain language of the CFAA, its amendments, and its legislative history, led the court to conclude that the statute was "intended to punish those who illegally use computers for commercial advantage [and] was intended to encompass actions such as those allegedly undertaken by [Safeguard]."
"Without Authorization" v. "Exceeded Authorization"
Approximately one year later, in EF Cultural Travel BV, EF v. Explorica, Inc., 7 the First Circuit Court of Appeals provided additional guidance regarding the elements of a winning CFAA claim in the employer-employee arena. EF Cultural Travel BV, EF ("EF"), the world's largest private student travel organization, sued Explorica, Inc. ("Explorica"), a competitor which had hired a group of EF's former employees, one of whom oversaw the development of a "scraper" used to access EF's website and obtain pricing information for its tours. The scraper program ran twice, downloading the equivalent of eight telephone directories worth of information. The pricing information allowed Explorica to systematically undercut EF's prices. EF filed suit.
The key issue on appeal was whether the use of the scraper was "without authorization" or "exceeded authorization" as defined in 18 U.S.C. 1030(a)(4). The First Circuit concluded that because each of the individual defendants had signed broad confidentiality agreements and because the creation of the scraper program derived from proprietary information and know-how they obtained from EF, their actions "exceeded authorized access" and, thus, violated the CFAA.
Recently, in International Airport Centers, L.L.C. v. Citrin 8 , the Seventh Circuit Court of Appeals provided additional support for the notion that, though "paper thin," the difference between "without authorization" and "exceeding authorized access" in 18 U.S.C. 1030(a)(4) is "not quite invisible." A discussion of that case and the remedies potentially available to employers under the CFAA are the subject of Part 2 of this article.
1 18 U.S.C. §1030.
2 "[E]xplor[ing] and manipulat[ing] the workings of a computer or other technological device or system, either for the purpose of understanding how it works or to gain unauthorized access." Physicians Interactive v. Lathian Systems Inc., 2003 U.S. Dist. LEXIS 22868 (E.D. Va. December 5, 2003 n.1 (quoting Microsoft Encarta College Dictionary 644 (1st ed. 200)
3 The term "protected computer" is defined as a computer "which is used in interstate or foreign commerce or communication." 18 U.S.C. §1030(e)(2)(B).
4 18 U.S.C. §1030(a)(4) and (5)
5 88 F.Supp. 2d 870 (N.D. Ill. 2000).
6 119 F.Supp. 2d 1121 (W.D. Wash. 2000).
7 274 F.3d 577 (1st Cir. 2001).
8 2006 U.S. App. LEXIS 5772 (7th Cir. March 8, 2006).
David W. Garland is Co-Chair of the Employment and Labor Practice Group of Sills Cummis Epstein & Gross P.C. Linda B. Katz is a Member of the Firm, practicing in the Employment and Labor Practice Group.