Jump to Navigation | Jump to Content
American Bar Association

Litigation News

Federal Circuits Split on Computer Fraud and Abuse Act

By Brian A. Zemil, Litigation News Associate Editor – April 14, 2010

A recent district court decision highlights the federal circuits’ split over whether an individual who has been granted access to his employer’s computers, but who uses that access for an improper purpose, is liable under the Computer Fraud and Abuse Act (CFAA).


At the heart of the controversy is CFAA’s prohibition on access “without authorization.” Some courts, including the Ninth Circuit, have held that a CFAA cause of action is reserved for clear-cut situations akin to hacking, where an individual clearly never had “authorization” to access the computer or information.


Other courts, such as the First and Seventh Circuits, permit recovery if the individual misuses it in a manner inconsistent with the employer’s interests or in a manner that violates a contractual obligation.


The District Court Opinion
Recognizing that the Sixth Circuit has not yet ruled on this issue, the U.S. District Court for the Middle District of Tennessee followed the Ninth Circuit and dismissed a plaintiff’s federal trade secret claim. ReMedPar, Inc. v. AllParts Med., LLC, No. 3:09-cv-00807 (M.D. Tenn. Jan. 4, 2010).


The plaintiff, ReMedPar, Inc., provided one of its independent contractors (a former employee) with extensive access to its proprietary computer system. The company subsequently discovered that another company, AllParts, had developed a computer system very similar to the ReMedPar system.  It also discovered circumstances suggesting that the contractor provided AllParts with the confidential information necessary to develop that system.


ReMedPar then filed suit against AllParts and the independent contractor. Among other things, ReMedPar sought damages under CFAA, which permits recovery from persons who knowingly access a “protected computer” used in interstate or foreign communication and intentionally or recklessly cause damage.


The defendants moved to dismiss the CFAA claim, arguing that the contractor could not have accessed the protected system “without authorization” or in excess of the authorization provided and that the dismissal of the sole federal claim in the case deprived the federal court of jurisdiction.


The district court ruled that ReMedPar could not prove unauthorized access or loss and dismissed the case without prejudice. Extensively discussing LVRC Holdings LLC v. Brekka [PDF], and Black & Decker (US), Inc. v. Smith, 568 F. Supp. 2d 929 (W.D. Tenn. 2008), the district court reasoned that the phrase “without authorization” only refers to persons who do not have permission to access the company’s computers in the first place.


Those courts have narrowly interpreted the phrase “without authorization,” finding that because CFAA is principally criminal in nature and includes a separate provision for uses that exceed authorization, it should be applied consistent with the rule of lenity.


That reasoning contrasts with the interpretation of the First and Seventh Circuits, which permit a CFAA claim where a defendant misuses information he or she is authorized to access. International Airport Centers LLC v. Citrin; EF Cultural Travel BV v. Explorica, Inc.


The court in ReMedPar additionally rejected the plaintiff’s attempt to recover damages allegedly associated with the value of its trade secrets. The opinion noted that ReMedPar had not alleged that AllParts caused any physical damage to the purportedly misappropriated data, system, or programs. Lost revenue may be recovered under CFAA only when it results from “an interruption in service,” the court stated.


“While the Sixth Circuit was perhaps over-technical in its analysis, it probably reached the right result under those facts,” says Teresa Rider Bult, Nashville, cochair of the ABA Section of Litigation’s Programs Subcommittee of the Employment & Labor Relations Law Committee, and a frequent contributor to Litigation News.


“Clearly, CFAA was intended to prevent hackers from breaking into a computer. Any other ruling with this [independent contractor] and these facts would be expanding CFAA into an entirely new cause of action,” she says.


The decision in ReMedPar “should motivate companies to revisit employment policies and consider drafting specific language setting forth the scope of authorized computer access for employees,” suggests Brian Koji, Tampa, vicechair of the Section’s Employment & Labor Relations Law Committee.


“The wide split in the circuits’ construction of the statute probably means there is going to continue to be confusion until we receive some Supreme Court guidance,” says Bult.


Koji agrees, stating, the “subject matter remains fertile enough to continue to further explore the split because technology is constantly changing in a way that may effect the interpretation of the statute.”


Until there is some clear consensus, “we know that in certain circuits the CFAA will not provide a cause of action against an employee given access to the company’s computer,” says Koji.


As of the posting date of this article, ReMedPar had not filed an appeal of the district court’s decision.


Keywords: Computer Fraud and Abuse Act, federal circuit


 

Be the first to comment.


 

We welcome your comments. Please use the form below to post.






 
Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).


Back to Top