Let’s say a client calls telling you that a valued former employee has left to work for a competitor. Just before leaving, the employee emailed himself a substantial number of your client’s confidential documents. He’s now made a presentation to a potential customer, using the "stolen" information, and he secured the customer for his new employer.
The client asks what can you sue the rogue employee for. Lots of causes of action come to mind. Violating a non-compete (if there was one). Conversion? Tortious Interference? Misappropriation of trade secrets? Maybe violation of a confidentiality agreement?
What about a claim under the Computer Fraud and Abuse Act? It seems to fit. The CFAA
renders liable a person who (1) "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer," in violation of [18 U.S.C.] § 1030(a)(2)(C); (2) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value," in violation of § 1030(a)(4); or (3) "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage[,] or . . . causes damage and loss," in violation of § 1030(a)(5)(B)-(C).
If you had read the Fourth Circuit’s opinion last week in WEC Carolina Energy Solutions LLC v. Miller, you would stop dead in your tracks. In affirming the dismissal of the CFAA claim, Judge Floyd wrote:
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy
The problem with the claim by WEC was that its former employee had been given access to the confidential information during his employment. CFAA doesn’t provide a remedy for misappropriation, said the appellate court, when the authorization has not been rescinded.
In reaching this conclusion the Fourth Circuit rejected the approach taken by Judge Posner and the Seventh Circuit in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), which was that an employee who takes data to further interests contrary to those of his employer violates his duty of loyalty and thereby terminates his agency relationship, thus losing his authority to access the computer or any information on it.
Judge Floyd held that "[t]he deficiency of a rule that revokes authorization when an employee uses his access for a purpose contrary to the employer’s interests is apparent." Op. 12. It was as obvious to the Judge as Facebook. He said that:
Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.
The Court concluded that Congress didn’t intend to impose criminal liability for a Facebook "frolic."