On September 15th the Ninth Circuit rejected an employer’s argument that a former employee violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009). Superficially this decision is at odds with another decision in the Seventh Circuit. The employer in LVRC Holding based its theory on the 7th Circuit’s application of agency law as a basis for finding liability under the CFAA. Briefly the Seventh Circuit, in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), reasoned that when an employee breaches his duty of loyalty to the employer, the agency relationship terminates and the employee is no longer “authorized” to access the employer’s computer within the meaning of the CFAA. In Citrin, there was an employment contract, the employee sought to destroy data (opposed to simply copying it), and the employee did not just simply delete the data he used anti-forensic software in attempt to completely obliterate data that contained evidence of his misconduct.
The Ninth Circuit’s decision is certainly inconsistent with the Seventh Circuit’s analysis, to the extent the Seventh Circuit based liability under the CFAA on an agency theory where the servant (the employee) unilaterally aquireed an interest inconsistent with his principle (his employer) the serverant (the employee) lost his right (authorization) to access his employer’s (the principle’s) protected computer. The operative language cited in Citrin (following the Restatement (Second) of Agency §§ 112, 387 (1958): “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”
Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the CFAA regardless of his motivation. The opinion most likely would have been different under a slightly different factual scenario. First, if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment then the employee would have exceeded his level of authorization regardless of whether his interests were aligned or not aligned with his former employer. In LVRC Holding the employee was authorized to use the company computer and to access the information, he did not violate the statute, under the 9th Circuit’s decision the former employee’s motivation is irrelevant.
I believe the conclusion reached by the 9th circuit and 7th circuit can be rationally reconciled based on the factual differences between the two cases. The Court in Citrin properly reasoned that congress intended that the CFAA should apply to disgruntled employees in certain situations but the 9th circuit’s decision provides a better basis for defining culpability under the CFAA. Courts do not want to engage in mind-games to assess the employee’s intention (or motivation) in order reach a conclusion regarding whether an employee’s conduct violated or did not violate the CFAA
The CFAA was intended to reach:
Attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii)attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii).
However, the CFAA cannot become a catchall basis for finding criminal and/or civil liability in the absence of other relevant legal authority.
