Cyber law - dismissing employer's claim under the CFAA against former employees who allegedly misappropriated trade secrets.

• Author: Coffin, Abbey P.
• Position: Computer Fraud and Abuse Act of 1986 - Case note

Cyber Law--Dismissing Employer's Claim Under the CFAA Against Former Employees Who Allegedly Misappropriated Trade Secrets--WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), cert. dismissed, 133 S. Ct. 831 (2013)

Among other things, the Computer Fraud and Abuse Act (CFAA) provides for civil and criminal penalties when a person, "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer." (1) Employers have increasingly sought relief under the CFAA against errant employees who download confidential and proprietary information from the employer's network files for their own benefit or for the benefit of a competitor. (2) In WEC Carolina Energy Solutions LLC v. Miller, (3) the Fourth Circuit Court of Appeals determined whether WEC Carolina Energy Solutions LLC (WEC) could maintain a CFAA claim against former employees and a competitor who allegedly misappropriated WEC's proprietary information. (4) The Fourth Circuit affirmed the district court's dismissal of the CFAA claim, holding WEC failed to adequately allege that former employees accessed its confidential and proprietary information "without authorization" or "exceed[ed] authorized access" as required under the statute. (5)

WEC had employed Mike Miller as a project director. (6) Emily Kelley was his assistant. (7) While working for WEC, Miller was provided with a laptop computer, a cell phone, and authorization to access the company's intranet and computer servers, which stored confidential and proprietary trade secret information. (8) Miller resigned from WEC on April 30, 2010, and subsequently began working at Arc Energy Services, Inc. (Arc). (9) WEC suspected that prior to resigning, Miller, or Kelley acting on behalf of Miller, downloaded a substantial amount of WEC's confidential information and forwarded it to a personal e-mail address. (10) Additionally, WEC suspected that Miller used the downloaded information in a presentation on behalf of Arc shortly after resigning. (11)

In October 2010, WEC sued Miller, Kelley, and Arc in federal district court alleging violations of the CFAA and nine state law causes of action. (12) WEC claimed Miller's and Kelley's actions impaired the "integrity of its data, programs, systems or information," and that as a result, it suffered economic damages. (13) The defendants moved to dismiss the federal CFAA claim and the district court granted dismissal, finding that WEC failed to state a claim under which the CFAA provided relief. (14) On appeal, the Fourth Circuit affirmed the district court's dismissal of the CFAA claim. (15) By affirming, the Fourth Circuit adopted a narrow reading of the provisions of the CFAA, holding that an employee accesses a computer "without authorization" or "exceeds authorized access" only when the employee accesses a computer without permission, or obtains or alters information beyond their authorized level of access. (16)

Early prosecutions of computer-misuse crimes relied on traditional property law notions of theft. (17) The crime of theft, however, was poorly equipped to handle the proliferation of computer offenses where deprivation of property was lacking. (18) Unsatisfactory application of traditional property laws and the absence of specific computer-misuse legislation led to heightened congressional interest and the passage of the Counterfeit Access Device and Computer Fraud and Abuse Act in 1984. (19) The CFAA has since been amended numerous times, and its scope broadened to include both criminal and civil liability, as well as application to all computers used in or affecting commerce. (20)

Although the original focus of the CFAA was primarily to deter computer hacking, it has been increasingly used by employers against "employee-hackers" who access and use confidential information in an anticompetitive or fraudulent manner. (21) The CFAA is an attractive alternative (or complement) to state law claims because it creates a basis for federal jurisdiction, provides injunctive relief, and does not require an employer to prove that the information accessed was secret. (22) While there is little debate on the damage employers face as a result of employees' hacking activity, courts have struggled to both uniformly apply the CFAA in the employment context and to interpret key provisions of the statute--namely, when do employees access information "without authorization" or "exceed[] authorized access?" (23) Consequently, a circuit split has emerged. (24)

Courts broadly interpreting the CFAA have based employee violations on agency principles. (25) Other courts, unwilling to embrace an agency approach, have determined that employers can define the limits of employee authorized access through company policies and other employment contracts. (26) Finally, courts reluctant to extend CFAA liability to employees have adopted a narrow interpretation of the key statutory provisions, finding violations only in instances where initial access to information was not permitted. (27) This conflict has left employers with different remedies in different jurisdictions, and has led to much academic debate over which interpretation of the CFAA most closely follows Congress's intent. (28) However, a clear trend is emerging towards adopting the narrower interpretation of the statute, making it difficult for employers to succeed on such claims. (29) Furthermore, Congress has introduced legislation to amend the CFAA, which is colloquially referred to as "Aaron's Law Act," attempting to codify the more narrow interpretation of the statute. (30)

In WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit decided, as a matter of first impression, whether an employer could maintain a CFAA claim against former employees who downloaded and used confidential information in violation of the employer's policies. (31) The court reviewed the divergent interpretations of the statute by its sister circuits and agreed with the literal and narrow approach promulgated by the Ninth Circuit in United States v. Nosal. (32) In support of this approach, the court recognized that the CFAA provided for both criminal and civil penalties, thus necessitating observation of the rule of lenity. (33) Additionally, in reviewing the ordinary meaning of the terms "without authorization" and "exceeds authorized access" the court noted that neither definition extends to offensive use of information otherwise validly accessed. (34)

In furtherance of its holding, the court declined to adopt an interpretation of the conjunction "so"--as used in the definition of the term "exceeds authorized access"--to mean "in that manner," reasoning that such an interpretation would impute CFAA liability to...