Lenity on Me: Lvrc Holdings Llc v. Brekka Points the Way Toward Defining Authorization and Solving the Split Over the Computer Fraud and Abuse Act

• Publication year: 2010

Georgia State University Law Review‌‌‌‌

Volume 27

Issue 2 Winter 2011 Article 14

1-1-2011

Lenity on Me: LVRC Holdings LLC v. Brekka Points the Way Toward Defining Authorization and Solving the Split Over the Computer Fraud and Abuse Act

Warren Thomas

Follow this and additional works at: http://digitalarchive.gsu.edu/gsulr

Part of the LawCommons

Recommended Citation

Thomas, Warren (2010) "Lenity on Me: LVRC Holdings LLC v. Brekka Points the Way Toward Defining Authorization and Solving the Split Over the Computer Fraud and Abuse Act," Georgia State University Law Review: Vol. 27: Iss. 2, Article 14.

Available at: http://digitalarchive.gsu.edu/gsulr/vol27/iss2/14

This Article is brought to you for free and open access by the College of Law Publications at Digital Archive @ GSU. It has been accepted for inclusion in Georgia State University Law Review by an authorized administrator of Digital Archive @ GSU. For more information, please contact digitalarchive@gsu.edu.

LENITY ON ME: LVRC HOLDINGS LLC V. BREKKA POINTS THE WAY TOWARD DEFINING AUTHORIZATION AND SOLVING THE SPLIT OVER THE COMPUTER FRAUD AND ABUSE ACT

Warren Thomas*

INTRODUCTION

According to one recent survey, almost 60% of employees who leave their jobs take company data with them.1 Indeed, technological advances have made it easier than ever for employees to walk out the door with confidential information:2 “The digital world is no friend to trade secrets.”3 Companies’ data loss prevention programs have struggled to keep up with such advances during the current economic downturn.4 In recent years, employers have increasingly filed lawsuits using the Computer Fraud and Abuse Act (CFAA)5 to

* J.D. Candidate, 2011, Georgia State University College of Law. Thanks to Professor Mark Budnitz and Aaron Danzig for their time and input, and thanks to my wife Lindsay for her love and encouragement.

1. PONEMON INSTITUTE LLC, DATA LOSS RISKS DURING DOWNSIZING 3 (2009),

   http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/Data%20Loss%20Risks%20During

   %20Downsizing%20FINAL%201.pdf; Brian Krebs, Data Theft Common by Departing Employees, WASH. POST, Feb. 26, 2009, http://www.washingtonpost.com/wp-dyn/content/article/2009/02/26/ AR2009022601821.html (summarizing the report’s findings).

2. Victoria A. Cundiff, Reasonable Measures to Protect Trade Secrets in a Digital Environment, 49 IDEA 359, 361 (2009) (comparing the traditional thief who might steal company information by “back[ing] up a tractor-trailer truck to the office in the dead of night and load[ing] up several boxes” and the “new ways . . . to perform the same task . . . [because] [t]oday’s thief could simply walk out with the information on his digital music player [or] . . . e-mail the information to its intended destination”).

3. Id.

4. See PRICEWATERHOUSECOOPERS, TRIAL BY FIRE: WHAT GLOBAL EXECUTIVES EXPECT OF

   INFORMATION SECURITY—IN THE MIDDLE OF THE WORLD’S WORST ECONOMIC DOWNTURN IN THIRTY

   YEARS 14–15 (2009), http://www.pwc.com/en_GX/gx/information-security-survey/pdf/ pwcsurvey2010_report.pdf (finding over forty percent of survey respondents believe security incidents are more likely “due to employee layoffs and risks associated with business partners and suppliers weakened by the downturn”); accord PONEMON INSTITUTE, supra note 1, at 2 (discussing increased data loss risks during the recession).

5. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified as

   amended at 18 U.S.C. § 1030 (2006)). “Technically speaking, . . . [the] acronym CFAA refer[s] only to the 1986 amendments. In practice, however, courts and commentators use both labels to refer to the entire federal unauthorized access statute . . . .” Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1598 n.11 (2003)

   
   

   379

   
   

   
   

   380

   GEORGIA STATE UNIVERSITY LAW REVIEW [Vol. 27:2

   
   

   punish employees who absconded with company data and to deter further abuses.6

   The CFAA defines several violations that include access “without authorization” as a necessary element for the plaintiff to allege and prove. For example, the statute creates liability for “[w]hoever . . . intentionally accesses a protected computer without authorization, and as a result of such conduct causes damage and loss.”7 Many cases ultimately turn on whether the former employees accessed their computers without authorization or in excess of authorization.8 However, the statute does not define authorization9 and “[c]ourts have struggled over how to interpret the provisions of the CFAA” in the context of employer litigation over employees’ misappropriation of data.10 The landscape of conflicting opinions is so treacherous that one court recently suggested it was relieved that it “need not parse through the complex issues” to interpret the statute.11

   A widening split among circuit and district courts over the meanings of without authorization and exceeds authorized access in the CFAA continues to cause confusion among litigants and threatens to improperly expose defendants to greater criminal liability if expansive interpretations remain unchecked.12 In 2003, Professor

   
   

   
   

   [hereinafter Kerr, Cybercrime’s Scope]. 18 U.S.C. § 1030(g) (2006) provides the basis for a civil action in the otherwise criminal statute.

6. See generally, e.g., Richard Warner, The Employer’s New Weapon: Employee Liability Under the Computer Fraud and Abuse Act, 12 EMP. RTS. & EMP. POL’Y J. 11 (2008); Graham M. Liccardi, Note, The Computer Fraud and Abuse Act: A Vehicle for Litigating Trade Secrets in Federal Court, 8 J. MARSHALL REV. INTELL. PROP. L. 155 (2008); Nick Akerman, When Workers Steal Data to Use at New Jobs: Despite Some Negative Case Law, The Computer Fraud and Abuse Act is an Effective Tool for Employers, NAT’L L. J., July 6, 2009, at 18.

7. 18 U.S.C.A. § 1030(a)(5)(C) (West Supp. 2010).

1. See discussion infra Parts II–III.

2. See generally § 1030. Cf. 18 U.S.C. § 1030(e)(6) (2006) (defining exceeds authorized access in terms of the undefined authorization).

3. ES & H, Inc. v. Allied Safety Consultants, Inc., No. 3:08-CV-323, 2009 WL 2996340, at *2

   (E.D. Tenn. Sept. 16, 2009).

4. Id. at *3–4 (finding the plaintiff’s inadequate allegation of “loss” dispositive and dismissing the CFAA claims).

5. Kerr, Cybercrime’s Scope, supra note 5, at 1598–99 (discussing the “uncertain scope” of

   unauthorized access statutes as it applies to contracts between computer owners and users granted authorized access).

   
   

   2011] COMPUTER FRAUD AND ABUSE ACT 381

   
   

   Orin Kerr13 worried about the implications of an increasingly broad scope of conduct found to violate the CFAA: “These precedents have arisen in the civil context, and have not yet been applied to criminal cases. . . . [B]road judicial interpretations of unauthorized access statutes could potentially make millions of Americans criminally liable for the way they send e-mails and surf the Web.”14

   In 2008, federal prosecutors confirmed Kerr’s fear when they brought criminal charges against Lori Drew in the wake of the tragic suicide of Megan Meier.15 The government alleged Ms. Drew accessed MySpace servers “without authorization and in excess of authorized access” when she violated the MySpace terms of the service agreement.16 Although the court ultimately dismissed the case,17 some commentators suggested the prosecutor’s “novel and extreme” interpretation of the CFAA set an alarming precedent.18 Indeed, a district court adopted the broad view of authorization— previously only applied in civil cases and the subject of vigorous

   
   

   
   

6. Kerr is a faculty member of the George Washington University Law School. GW Law Faculty Directory, http://www.law.gwu.edu/Faculty/profile.aspx?id=3568 (last visited Oct. 12, 2010).

7. Kerr, Cybercrime’s Scope, supra note 5, at 1599.

8. For a detailed profile of Megan Meier and the story of her death, see Lauren Collins, Friend Game: Behind the Online Hoax That Led to a Teen’s Suicide, THE NEW YORKER, Jan. 21, 2008, at 34, available at http://www.newyorker.com/reporting/2008/01/21/080121fa_fact_collins. Essentially, Lori Drew and her daughter created a fictitious MySpace profile in violation of the site’s terms of service. Posing as “Josh,” they befriended and then later harassed Megan. She ultimately hung herself in her bedroom.

9. Indictment at 9, United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (CR08-00582), 2008

   WL 2078622.

10. See generally Drew, 259 F.R.D. 449 (granting defendant’s post-verdict motion for judgment of acquittal on the misdemeanor CFAA violation because it contravenes the “void-for-vagueness” doctrine); Kim Zetter, Cyber Bullying Case Officially Dismissed for Vagueness, WIRED, Aug. 31, 2009, http://www.wired.com/threatlevel/2009/08/lori-drew-ruling. The U.S. Attorney’s Office filed a notice of appeal in September 2009, although it subsequently dropped the appeal. Orin Kerr, Government Files Notice of Appeal in Lori Drew Case, THE VOLOKH CONSPIRACY (Sept. 25, 2009, 7:52 PM), http://volokh.com/2009/09/25/government-files-notice-of-appeal-in-lori-drew-case (referencing Professor Kerr’s own work on the case: he represents the defendant); Orin Kerr, Justice Department to Drop Lori Drew Appeal, THE VOLOKH CONSPIRACY (Nov. 19, 2009, 7:51 PM),

    http://volokh.com/2009/11/19/justice-department-to-drop-lori-drew-appeal.

11. Kim Zetter, Experts Say MySpace Suicide Indictment Sets ‘Scary’ Legal Precedent, WIRED, May 15, 2008, http://www.wired.com/threatlevel/2008/05/myspace-indictm. Others have praised the prosecution, however. Kim Zetter, Congresswoman Praises Lori Drew Prosecutors, WIRED, July 1, 2009, http://www.wired.com/threatlevel/2009/07/congresswoman-praises-lori-drew-prosecutors (quoting Rep. Sanchez’s statement that she “applaud[s] the work of the U.S. attorneys who have worked hard to bring Ms. Drew to justice” and highlighting her sponsorship of a “cyberbullying” prevention bill).

    
    

    
    

    382

    GEORGIA STATE UNIVERSITY LAW REVIEW [Vol. 27:2

    
    

    debate19—and allowed the first criminal prosecution against a former employee charged...