Home > Regions > North America > Fourth Circuit Adopts "Narrow Reading" of Authorization under the Computer Fraud and Abuse Act

Fourth Circuit Adopts "Narrow Reading" of Authorization under the Computer Fraud and Abuse Act

Common scenario: Employee plans to resign from employer and join competitor. Prior to resigning, employee uses his company computer to access confidential and proprietary information and then sends the information to his personal e-mail account to use for the benefit of his new employer. Employer sues former employee for misappropriation and other state law claims, and seeks federal jurisdiction by asserting a claim under the Computer Fraud and Abuse Act (“CFAA”).

Dilemma: Does CFAA state a claim when the employee had permission to “access” the computer and company documents, but not “use” it for an improper purpose such as to benefit a new employer?

Just last week, the U.S. Court of Appeals for the Fourth Circuit entered the fray over the scope of liability under CFAA, and sided with the Ninth Circuit in adopting a narrow reading of the statute. In WEC Carolina Energy Solutions v. Willie Miller; Emily Kelley; ARC Energy Services, Inc., a former employee of WEC allegedly downloaded confidential information while still employed by WEC but prior to his resignation to work for a competitor, and then used that information unlawfully to compete against WEC on behalf of his new employer. WEC claimed that the former employee’s unauthorized “use” of its computers to gain access to proprietary information violated CFAA’s “without authorization” or “exceeds authorized access” provisions. The trial court dismissed the complaint for failing to state a claim under CFAA, and the Fourth Circuit affirmed.

In affirming the dismissal, the Court adopted “a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and held that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which is authorized to access.” The Fourth Circuit further rejected any CFAA liability grounded on an agency theory, noting that such a theory for liability has far-reaching effects unintended by Congress.

The Fourth Circuit joins the Ninth Circuit in its narrow reading of the CFAA, in contrast to the more expansive view held by a majority of the other circuit courts of appeals, including the First Circuit, Fifth Circuit, Seventh Circuit, and Eleventh Circuit. With the courts of appeals split on this critical issue of liability under CFAA, it will eventually be up to the U.S. Supreme Court to declare once and for all whether an employee’s improper use and access of confidential and proprietary information is unlawful. Notably, it is likely that the Ninth Circuit’s en banc opinion in United States v. Nosal, will be the first case to reach the Supreme Court on CFAA’s jurisdictional reach, although the government’s deadline to file its petition has been extended until September 7, 2012. Often in cases alleging misappropriation of trade secrets, CFAA provides the only avenue for federal court jurisdiction. Thus, whether employers will be able to rely on this statute as an additional claim (and path into federal court) against rogue employees departing for competitors remain to be seen.

In the meantime, employers should carefully review their computer use policies to determine whether the policies could be used effectively to limit unauthorized access and use. In addition, knowing the state of the law in your state will be critical to know whether a CFAA claim would be a viable litigation strategy or a roadblock to federal court jurisdiction when proceeding with a misappropriation of trade secrets claim against an employee.