9th Circuit Applies CFAA to Disloyal Employee

keyboard_alertEmployee theft of documents is a serious issue today. More and more often, employers discover that, before exiting, a former employee took with him (often by forwarding himself via email), many of the company’s confidential documents. The employer has limited ways to respond. If the employee refuses to comply with the employer’s demand to return the documents, it may be necessary to file suit.

One of the claims that an employer may bring is under the federal Computer Fraud and Abuse Act (CFAA). The CFAA is also a criminal statute, originally designed to target computer hackers—not disloyal employees. And some jurisdictions have rejected claims seeking to apply the CFAA to the employment context. The leading case finding that the CFAA can be applied to the disloyal employee is International Airport Centers, LLC v. Citrin, which was decided by the Seventh Circuit in 2006. The key to the Citrin decision and others like it is a determination that, although the employee may have been “authorized” to access the employer’s files initially, that authorization is automatically revoked once the employee becomes disloyal. Any access after this point is, by definition, “in excess” of the authorization previously provided.

Three years later, in 2009, the Ninth Circuit rejected the Seventh Circuit’s Citrin analysis, finding, instead, that an employee’s authorization to access his employer’s computer network is not revoked automatically when the employee becomes disloyal to his employer. [1] The Brekka decision held that accessing and emailing the employer’s files for a purpose contrary to the employer’s interests, alone, did not violate the CFAA.

In April, the Ninth Circuit decided United States v. Nosal (PDF), which substantially limits the Brekka decision. In Nosal, the court held that, where an employer has placed limits on the employee’s “permission to use” the computer and the employee exceeds those limits, the CFAA has been violated. The court distinguished this from Brekka, in which the employee’s access was unlimited, whereas, in Nosal, there was an employee agreement warning employees that violation of the company’s computer-usage policy could lead to disciplinary action or criminal prosecution.

In Nosal, the defendant-employee worked for an executive-search firm. When he left, he executed a one-year non-compete agreement. Shortly thereafter, he decided to start a competing business and enlisted some of his former coworkers to use their accounts to access confidential information for him from the company’s computer network. The employees were authorized to access the data—but only on behalf of their employer and only for legitimate business purposes. Thus, when the employees transmitted the data to Nosal, they were acting beyond the scope of their authorization.

Although this decision is an important victory for employers, it does have its limits. For a violation of the CFAA to occur, according to the court’s opinion in Nosal, the employer must have placed restrictions on the employee’s use. A well-drafted permissible-use policy is likely a necessary element of a successful CFAA claim in the Ninth Circuit, as evidence of steps taken by the employer to protect its data and files.

[1] LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).

See also, our previous posts: