The federal district court for Hawaii recently held that accessing a “cloud” computing platform qualifies as accessing a “protected computer” under the Computer Fraud and Abuse Act (CFAA). The holding should not come as a shock. For some, the real shock stems from even arguing that “cloud” computing falls beyond CFAA’s purview. As one blog post derided:
Seriously, ‘cloud’ is a marketing term describing a network of connected computers, often running the same program at the same time or working on the same problem at the same time. Basically, the Internet. If the CFAA didn’t reach the ‘cloud,’ it wouldn’t reach much at all.
The district court agreed — completely — but, in the end, still dismissed the CFAA claim. It followed the employee-friendly approach to interpreting CFAA and held that there was no evidence proving the defendants accessed the “cloud” without authorization. That decision directly contradicts one from a Louisiana federal district court less than two months before (see here).
In Property Rights Law Group, P.C. v. Lynch, a law firm sued its former contract attorney and others for, among other things, stealing the firm’s trade secrets and violating CFAA by accessing the firm’s cloud computing platform to obtain information without authorization. The defendants argued that summary judgment should be granted on the CFAA claim because the firm’s “cloud” computing platform did not fall within CFAA’s definition of a “protected computer” and, thus, there could be no violation for accessing the “cloud.”
The court disagreed. It seemingly assumed that a “cloud” computing platform qualifies as a “computer” and went directly to whether it also qualifies as a “protected computer.” CFAA protects computers “used in or affecting interstate or foreign commerce or communication,” and relying on previous case law, the district court found that the “cloud” computing platform was connected to the internet, which is sufficient for a computer to be “used in interstate or foreign commerce.” It thus concluded that accessing the “cloud” qualifies as accessing a “protected computer” under CFAA.
But that didn’t end the analysis. The next question was whether the access was without authorization, and the district court ultimately dismissed the claim, finding that the “cloud” access was indeed authorized.
We’ve discussed previously (here) that federal courts disagree on what activities qualify as a CFAA violation — specifically, what accessing a protected computer without authorization means. While CFAA requires proof of computer access without authorization, some courts take an employer-friendly approach to interpreting this phrase, and others take an employee-friendly one. The Hawaiian court sits within the Ninth Circuit, which follows the latter approach, having held that an employee does not lose her authorization to use a computer even when using it to obtain information against the employer’s interest. The district court followed this precedent. It noted that the firm allowed the attorney to access the “cloud” during her relationship with the firm and that the firm offered no evidence that she (or any other defendant) accessed the “cloud” after the relationship ended. According to the district court, even if the attorney “intended to harm” the firm while accessing its “cloud” platform “to download materials while she worked” for the firm, “that alone would not establish that she acted ‘without authorization.’” The firm thus had no CFAA claim against its former attorney or any other defendant.
Courts are continuing to work through CFAA’s contours. But two things are clear from this decision. “Cloud” computing platforms should qualify as “protected computers” under CFAA. And geography plays a crucial role in whether an employer has a CFAA claim against a former employee. At this point, an employer could bring a CFAA claim in Louisiana, but not in Hawaii, based on identical conduct.