The U.S. Eastern District of Louisiana recently sided with employers in the on-going judicial debate over interpreting the Computer Fraud and Abuse Act (“CFAA”). See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 (E.D. La.). Associated Pump sued its former employee Kevin Dupre for violating CFAA during his alleged scheme to steal Associated Pump’s trade secrets. The complaint sets forth a now familiar scenario: shortly before resigning, Dupre used his work computer to violate a confidentiality agreement and known company policies by improperly accessing and obtaining Associated Pump’s confidential information to use while employed by Associated Pump’s competitor. These allegations, the Court held, state a viable CFAA claim.
But courts are split on whether this scenario falls within CFAA’s reach. To assert a civil claim under 18 U.S.C. 1030(a)(4), a plaintiff must prove four elements: (1) the defendant accessed a protected computer; (2) the access was without authorization or exceeded permissible authorization; (3) the defendant did so knowingly and with the intent to defraud; and (4) the conduct furthers the intended fraud and obtains anything of value. Courts disagree on the second element. That is—Does an employee “exceed” her authority to access electronically stored information when she does so to obtain that information for a competitor’s benefit and use?
The Fourth and Ninth Circuits have adopted a narrow reading: an employee does not violate CFAA if the employer gave her access to the information. Conversely, the Fifth, Seventh, and Eleventh Circuits have adopted a more expansive reading: an employee “exceeds” her authority if she violates her fiduciary duty by obtaining information to benefit a competitor. Specifically, in U.S. v. John, 597 F.3d 263, 272-73 (5th Cir. 2010), the Fifth Circuit upheld a criminal conviction, recognizing that liability under CFAA arises when the access is “in violation of an employer’s policies and is part of an illegal scheme.”
In Associated Pump, Dupre urged the Court to follow the narrow reading, arguing that John was not controlling and was limited to the criminal context. The Court disagreed. It found the Fifth Circuit’s rationale instructive: “[T]he John Court includes a well-reasoned, general discussion of the meaning of ‘exceeds authorized access’ with references to CFAA cases in civil contexts.” The Court recognized that the Fifth Circuit approvingly discussed the expanded reading and suggested disagreement with the narrow one. The Court thus concluded that, “taking Plaintiff’s allegations as true—that there was an Agreement and Dupre accessed and misused information in contravention of the Agreement—Plaintiff states a claim for civil liability under the CFAA.”
The holding in Associated Pump suggests that a consensus on how to interpret “exceeds authorized authority” remains distant. CFAA liability will thus depend on where a plaintiff brings suit, at least until the U.S. Supreme Court or Congress resolves the issue. But in the meantime, we will continue to monitor and report on recent CFAA developments