The CFAA: New Remedies for Employee Computer Abuse

By Linda K. Stevens and Jesi J. Carlson

Headlines reveal that disgruntled or departing
employees have inflicted damage to
computer infrastructure, erased valuable files,
misappropriated trade secrets or other proprietary
information, and intentionally infected computer
systems with viruses. Such conduct can result in devastating
financial losses and significant disruption to a company’s overall
operations. Recent case law arising under the Computer Fraud
and Abuse Act (CFAA or Act) may provide a powerful way to
combat these acts of cyber violence.
As originally enacted in 1984, the CFAA was a criminal statute with a narrow scope.1 It was intended to protect government computers from attacks by
“outside” computer hackers. Amendments to the CFAA made in 1996 and
2001 provide civil remedies for damage to any “protected computer,” including any “computer used in interstate or foreign commerce or communication” and certain computers located abroad.2
This change, and other additions such as the availability of civil remedies,
significantly expanded the reach of the CFAA and broadened the universe of
potential litigants. Accordingly, employers are increasingly invoking the protections of this statute – and its entrée to federal court – in suits against employees who worked from within the corporation to destroy or harm their employer’s computer system or the data stored on that system.3
__________
1. The Computer Fraud and Abuse Act (CFAA), Pub L No 98-473, Title II, § 2102(a), Oct 12, 1984, 98 Stat 2190, codified at 18 USC 1030 et seq.
2. The Computer Fraud and Abuse Act (CFAA), Pub L No 104-294, Title II, § 201, Title VI, 604(b)(36), Oct 11, 1996, 110 Stat 3491, 3508, codified at 18 USC 1030 et seq; The Computer Fraud and Abuse Act (CFAA), Pub L No 107-56, Title V, §506(a), Title VIII, §814, Oct 26, 2001, 115 Stat 366, 382, codified at 18 USC 1030 et seq.
__________
Linda K. Stevens is a partner at Schiff Hardin LLP in Chicago. She concentrates in intellectual property litigation and counseling. Jesi J. Carlson is an associate at Schiff Hardin LLP in Washington D.C., where she concentrates in intellectual property litigation.
144 | Illinois Bar Journal | March 2008 | Vol. 96

The Computer Fraud and Abuse Act may provide a path to federal court for employer-victims of computer abuse by employees and other “insiders.” Courts are split, however, particularly on how it applies to departing workers who do damage on their way out the door.

A split of authority has developed,
however, regarding the CFAA’s applicability to employee computer abuse,
and even among the jurisdictions applying the CFAA to employees, construction and application of the statute vary
greatly. The CFAA’s application to employees is currently the most hotly litigated issue arising under the statute.
Conduct prohibited under the CFAA
The CFAA creates a private cause of
action when an individual, inter alia,
(i) intentionally accesses a computer
without authorization or exceeds authorized access, and thereby obtains information from any protected computer if
the conduct involved an interstate or foreign communication;4
(ii) knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object
of the fraud and the thing obtained consist only of the use of the computer and
the value of such use is not more than
$5,000 in any 1-year period;5
(iii) knowingly causes the transmission of a program, information, code, or
command, and, as a result of such conduct, intentionally causes damage without authorization, to a protected computer;6
(iv) intentionally accesses a protected
computer without authorization, and
as a result of such conduct, recklessly
causes damage;7 or
(v)8 intentionally accesses a protected
computer without authorization, and
as a result of such conduct causes damage.9
Conduct prohibited under the CFAA
includes accessing a computer or system
without authorization, as well as exceeding authorized access. Under the CFAA,
“exceeds authorized access” means “to
access a computer with authorization
and to use such access to obtain or alter
information in the computer that the
accessor is not entitled so to obtain or
alter.”10 Because Congress did not define the phrase “without authorization,”
courts are interpreting that phrase in a
number of ways, creating confusion over
the statute’s reach.
Applying the CFAA to employee computer abuse
When an employee leaves his place of
employment and later tries to access his
former employer’s computer system, it is
fairly clear that he is accessing that system “without authorization,” much like
an outside hacker. The line blurs when
an employee is planning to leave his job
and, while still employed and still authorized to use his employer’s computer system, uses that system for purposes adverse to the employer’s interest.
The employee technically has authorization to access the system, but clearly
lacks authorization to use the computer
to engage in the particular conduct at
issue – for example, to gather and/or disseminate his employer’s confidential information for competitive purposes and
then run “scrubbing” software to cover
his tracks. As discussed below, some
courts have addressed this situation by
treating such unauthorized conduct as
“exceeding authorized access” under the
CFAA, while others have ruled that an
employee’s authorization to access his
employer’s computer system ends when
he acts against his employer’s interest
thereby rendering his conduct “without authorization,” and still others have
concluded that employee malfeasance of this type generally is beyond the reach of the Act.
__________
3. See, for example, P.C. of Yonkers, Inc v Celebrations! The Party and Seasonal Superstore, LLC, 2007 WL 708978 *4-6 (D NJ 2007); Charles Schwab & Co, Inc v Carter, 2005 WL 351929 *1-4 (ND Ill 2005); Fiber Systems Intl, Inc v Roehrs, 2006 WL 3378403 *3 (5th Cir 2006).
4. 18 USC §1030(a)(2)(C).
5. Id at (a)(4).
6. Id at (a)(5)(A)(i).
7. Id at (a)(5)(A)(ii).
8. The last three listed offenses require one or more of the following: the presence of more than $5,000 in “loss;” actual or potential modification or impairment of a medical examination, diagnosis or treatment; physical injury; a threat to public health or safety; or damage affecting a computer system used by or for a government entity. 18 USC §1030(a)(5)(B).
9. 18 USC §1030(a)(5)(A)(iii).
10. Id at (e)(6).
In reaching these disparate conclusions, courts are analyzing whether and
when an employee’s authorization ends
and when it is exceeded. A review of
some of the recent case law reveals the
complexities inherent in this inquiry.
In EF Cultural Travel BV v Explorica, Inc,11 for example, the plaintiff operated a publicly available Web site. An ex-employee accessed the site, but then went further.12 Using a program that he created with the help of confidential information he obtained while employed, the employee was able to obtain proprietary information from the plaintiff’s Web site. Although the Web site was open to the public, the court held that the former employee “exceeded his authorization” by using a program conjured from confidential information to obtain better access than that available to other members of the public.13
Litigation more frequently arises from the scenario posed by an employee who is authorized to access and use his employer’s computer system as well as the particular information stored on the system, but who does so for reasons contrary to the employer’s interest – for example, to gather and send the information to a competitor or to his home email address for use later, after he resigns to join the competitor. Several courts have deemed such conduct a violation of the CFAA because the defendant employee “exceeded” his authorization when he engaged in the conduct in question.14
Citrin: acting against employer interest is “without authorization”
A similar approach deems the employee’s authorization terminated at the moment he acts against his employer’s interest, thereby extinguishing his agency and rendering him “without authority” to access the employer’s system under the CFAA. Judge Posner’s decision in International Airport Centers, LLC v Citrin15 provides one of the most frequently cited examples of this view.
In Citrin, the employee decided to open his own business in violation of his employment contract and, while still an employee, loaded a program onto his company laptop designed to erase and override all information he had stored on that computer. This included data he had gathered in the scope of his employment as well as information that would have exposed his unlawful and inappropriate competitive activities.16
The seventh circuit held that the employee’s authorization to access his employer’s computer system terminated the instant he accessed that system for reasons contrary to the best interest of his employer. At that moment, the court opined, he violated his “duty of loyalty,” thus ending the agency relationship and bringing the employee within the purview of the CFAA’s prohibition against accessing a computer system “without authorization.”17
In its analysis, the Citrin court described the difference between actions taken “without authorization” and those “exceeding authorization” as being “paper thin.” It drew the distinction nonetheless, distinguishing the facts at hand from the situation in EF Cultural, wherein the defendant “exceeded authorized access,” and finding that Mr. Citrin’s access was without authorization from the start.18 The Citrin approach has been followed in a number of district court opinions, both in the seventh circuit and beyond.19
Contra-Citrin opinions
Not all courts have been willing to apply the CFAA to cases involving employee malfeasance.
In International Association of Machinists & Aerospace Workers v Werner-Matsuda,20 the United States District Court for the District of Maryland held that Congress intended the statute to apply only to outside hackers, not to employees.21 Other courts have rejected
the idea that an employee “exceeds” his
authorized computer access within the
meaning of the CFAA when he accesses
that computer for purposes contrary to
his employer’s interest.
Brett Senior – the employee was authorized. In Brett Senior & Associates,
PC v Fitzgerald,22 the United States District Court for the Eastern District of
Pennsylvania granted summary judgment to the defendant employee on his
former employer’s CFAA claim, noting
that the defendant was authorized to access the information at issue and declining to assess the defendant’s motive for
doing so.23
Although the court noted that the
case law is “divided on whether an employee...who obtains information for an
allegedly improper purpose, exceeded
his authorized access,” it expressed concern that analyzing an employee’s motives and purpose would interpret the
CFAA as if it forbids “exceeding authorized use” instead of “exceeding authorized access.”24 In Brett Senior, the court
also was concerned that if the unlawful
access requirement (and liability) were
to depend upon the offender’s motivation in accessing information, the analysis would conflate and collapse the two separate requirements of a Section 1030(a)(4) claim – that the defendant engage in “unauthorized access” with an “intent to defraud.”25
__________
11. 274 F3d 577, 579-81 (1st Cir 2001).
12. Id.
13. Id at 580-84.
14. See, for example, Nilfisk-Advance, Inc v Mitchell, 2006 WL 827073 *1-3 (WD Ark 2000) (holding that claim under CFAA stated by allegations that defendant “exceeded his authorization” when he emailed employer’s files to his personal computer with alleged purpose of misappropriating the information contained therein); HUB Group, Inc v Clancy, 2006 WL 208684 *1-5 (ED Pa 2006) (access used to gather and transmit data to personal email account for later competitive use; claim under CFAA stated); Intl Security Mgmt Group, Inc v Sawyer, 2006 WL 1638537 *20-22 (MD Tenn 2006) (same).
15. 440 F3d 418, 419-20 (7th Cir 2006).
16. Id.
17. Id at 420.
18. Id.
19. See, for example, Forge Industrial Staffing Inc v De La Fuente, 2006 WL 2982139 *6 (ND Ill 2006) (holding that the employee’s authorization to delete or erase information from his company’s computer ended when he engaged in misconduct in violation of his duty of loyalty to the company); ViChip Corp v Lee, 438 F Supp 2d 1087, 1100 (ND Ca 2006); Shurgard Storage Centers, Inc v Safeguard Self Storage, Inc, 119 F Supp 2d 1121, 1125-29 (WD Wash 2000).
20. 390 F Supp 2d 479, 494 (D Md 2005).
21. Id. Note, however, that the court cited cases that interpreted the Stored Wire and Electronic Communications and Transactional Records Act (SECA), not the CFAA, and the court also appears to have ignored the 1996 amendment broadening the CFAA’s scope.
22. 2007 WL 2043377 *1-9 (ED Pa 2007).
23. Id.
24. Id at *4.
Significantly, in Brett Senior, the court
declined to opine on the approach taken
by the court in Citrin and stated that it
was not addressing whether an employee’s authority terminates automatically
when he acts against his employer’s interests, thereby rendering his computer
access “without authorization” under
the CFAA.26
Lockheed: Citrin improperly broadens the CFAA’s scope. Other courts,
however, have explicitly considered and
rejected the Citrin approach. In Lockheed Martin Corp v Speed,27 for example, two of Lockheed’s employees allegedly accessed Lockheed computers and
copied proprietary information before
resigning, and thereafter delivered that
information to a competitor.28 While
they were employed by Lockheed, the
employees were authorized to access the
company’s computer system and files.
Lockheed brought a civil suit under
the CFAA. The United States District
Court for the Middle District of Florida
granted the defendants’ motion to dismiss, holding that Lockheed had not adequately alleged a violation of the CFAA
because the employees’ access was neither “without authorization” nor exceeded authorization.29 In reaching this
conclusion, the Lockheed court found
that, because the Lockheed employees
were authorized to access the company
information, they could not be liable
under the CFAA.
The Lockheed court refused to apply
the Citrin rationale that an employee’s
authorization ends as soon as his interests diverge from that of his employer
and he acts for his own, as opposed to
his employer’s, interest. The Lockheed
opinion criticized that approach as improperly broadening the CFAA’s scope
to reach a larger group than Congress
intended.30
The court also criticized Citrin’s reliance on the Restatement (Second) of
Agency. According to the Lockheed
court’s analysis, the plain language of the
CFAA reveals clearly that the CFAA was
meant to apply to two distinct groups:
those without authorization (for example, outsiders or hackers) and those who
have authorized access but exceed it.
As the Lockheed court saw it, the CFAA’s reach does not extend to an employee’s use of his authorized computer access – even if that access is used for an improper purpose. The court observed that the defendants did not engage in improper conduct until after they had completed their access to their employer’s computer system, when they delivered the trade secrets to a competitor.
The court in Lockheed expressed concern that Citrin’s more expansive holding would make an employee liable for “unauthorized” computer usage such as checking personal email, a reach that Congress did not intend.31 The Lockheed approach has been embraced by at least two other federal district courts.32
Hewlett-Packard and computer-use policies. Even under the more restrictive approaches to the CFAA followed in Lockheed and Brett Senior, an aggrieved employer might preserve its ability to invoke the CFAA by adopting policies differentiating between the proper and authorized uses of the company computer system and those that are improper and unauthorized.
In Hewlett-Packard Co v BYD:Sign, Inc,33 Hewlett-Packard (HP) alleged that former employees conspired to use their positions to obtain trade secrets and other proprietary information from HP. They then illegally funneled those secrets, other proprietary information, and corporate opportunities from HP to an enterprise founded by several of the individual defendants.34
All of the defendants in question had signed agreements not to disclose any of HP’s intellectual property, trade secrets and confidential information to any unauthorized persons.35 Company policies also stated that employees were prohibited from working for competitors and from using the company’s computer system to send messages or materials for personal gain.36
These policies saved HP’s claims from dismissal. The defendants asserted that HP had failed to state a valid claim under the CFAA because it failed to allege that the defendants accessed HP computers and information “without authorization.”37 They relied primarily on the Lockheed decision, asserting that they had neither “exceeded access” nor “obtained information without authorization,” because HP had granted them access to the computers.38
In denying the defendants’ dismissal motion, the United States District Court for the Eastern District of Texas ruled the facts in Lockheed to be distinguishable. Unlike the Lockheed defendants, who had been authorized to engage in the computer usage at issue, HP’s former employees had not only agreed to refrain from disclosing information, but also had agreed to refrain from “sending or accessing messages on HP’s computer systems for personal gain.”39
Those agreements provided the court with a basis for ruling that the defendants’ particular use of HP’s computers was “without authorization” under the CFAA. Employers in jurisdictions following the Lockheed approach therefore might better their chances of succeeding on a CFAA claim for employee computer abuse if they adopt policies explicitly limiting employees’ authority to use company email and computer systems.
__________
25. Id.
26. Id at *4, FN 5.
27. 2006 WL 2683058 *2-8 (MD Fla 2006).
28. Id at *2-8.
29. Id.
30. Id.
31. Id.
32. See, for example, Diamond Power Intl, Inc v Davidson, 2007 WL 2904119 *13-15 (ND Ga 2007) and B & B Microscopes v Armogida, 2007 WL 2814595 (WD Pa 2007).
33. 2007 WL 275476 *11-13 (ED Tex 2007).
34. Id.
35. Id.
36. Id.
37. Id at *11.
38. Id at *13.
39. Id.
Trade secrets: is mere “misappropriation” actionable under the CFAA?
One final caveat to trade secrets owners seeking relief under the CFAA: even
in those jurisdictions willing to apply the
CFAA to employee conduct, trial courts
have differed in their application of the
statute to trade secrets cases. For example, at least one federal district trial judge
in the seventh circuit has recently held
that trade secrets misappropriation alone
is not actionable under the CFAA.
In Garelli Wong & Associates, Inc v
Nichols, the court ruled that trade secrets misappropriation alone does not
constitute “damage” or “loss” as those
terms are defined by the CFAA, because
copying or emailing the information at
issue does not damage it or impact its
availability to the plaintiff.40 The court
distinguished Citrin as having involved
destruction (as opposed to mere copying) of information.41 Having found no
allegation of “damage” or “loss” that
could be remedied under the CFAA, the
court dismissed plaintiff Garelli Wong &
Associates’ complaint.42
Other federal district courts – including another court in the Northern District of Illinois – have reached a different result, allowing plaintiffs to proceed
with their CFAA claims based upon the
copying of confidential information.43
This more expansive reading, supported by the view that the value of
confidential information is damaged by
its unauthorized dissemination and use,
may find support in the fact that at least
two sections of the CFAA appear to have
been drafted specifically to address the
theft of information and data.44 Nonetheless, as with the CFAA’s application
to employees generally, views about the
statute’s application to the unauthorized
access, copying, dissemination and use
(but not destruction) of confidential information are by no means unanimous.
Conclusion
The CFAA offers victims of computer-assisted malfeasance a potentially powerful federal cause of action. Although
courts applying the CFAA have followed
different approaches regarding the application of the statute to employee computer abuse, the CFAA will continue to
offer many victims of computer misuse a
pathway to federal court.
__________
40. 2008 WL 161790 (ND Ill 2008) at *6-*7.
41. Id at *5-*6.
42. Id at *8.
43. See, for example, HUB Group, Inc v Clancy, 2006 WL 208684 at *3-*4 (ED Pa 2006) (and cases cited therein); Calyon v Mizuho Securities USA, Inc, 2007 WL 2618658 (SDNY 2007); C. H. Robinson Worldwide, Inc v Command Transportation, LLC, 2005 WL 3077998 (ND Ill 2005) and cases cited therein.
44. 18 USC §1030 (a)(2) and (a)(4).
Reprinted from the Illinois Bar Journal,
Vol. 96 #3, March 2008.
Copyright by the Illinois State Bar Association.
www.isba.org