Plaintiff American Furukawa Inc. brought Computer Fraud and Abuse Act and related claims against an employee who took a job with a competitor and subsequently spent several weeks downloading corporate files. The former employee downloaded a number of files in the first week of the relevant time period, then took a leave of absence for four weeks while continuing to download files. The employee returned to work for one more week before resigning and had already started working for his new employer while on leave.
The CFAA is primarily a criminal statute that was originally enacted in 1984 to prevent computer hacking. The statute permits a private party who suffers damage or loss by reason of a violation of the statute to bring a civil action to obtain compensatory damages and injunctive relief or other equitable relief.
A person may be held civilly liable under the CFAA when that person, among other things: (1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer; (2) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value; or (3) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage, or causes damage and loss.
There exists a split of authority regarding the issue of accessing computer systems “without authorization” when, after a plaintiff provided a defendant with access to plaintiff’s computer systems, a defendant allegedly uses that access to misappropriate trade secret and confidential corporate information. Some courts have held that an employee exceeds authorized use by transferring trade secrets to a competitor knowing that it was in contravention of a duty of loyalty.
Other courts have held that no violation of the CFAA exists when a defendant is initially granted authorization to access the system. Those courts reason that the plain language of the CFAA expressly prohibits improper “access” of computer information, not misuse or misappropriation.
Here, the U.S. District Court for the Eastern District of Michigan held that the departing employee exceeded authorized access to his company’s computer systems by downloading the files to a personal external hard drive. See Am. Furukawa, Inc. v. Hossain, E.D. Mich., No. 2:14-cv-13633-GAD-MJH (May 6, 2015). In doing so, the court stated that the downloads violated the company’s removable media policy and thus exceeded authorized access to the documents.
The court found that the defendant accessed files without authorization during the period that he was on leave, because he was not permitted to do work at all during that period of time. The first week of downloads, though, were not done “without authorization” under the CFAA.
In short, the court said that the “exceeds authorized access” provision of the CFAA is facially broad enough to cover employer purpose and use restrictions such as the plaintiff’s removable media policy. This decision serves to expand the split of authority over the scope of the phrases “without authorization” and “exceeds authorized access” under the CFAA.
This decision should be of particular interest to any company considering the development and implementation of corporate confidentiality and media use policies, including corporate counsel.
Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information in this article without seeking the advice of an attorney.
