Update (May 11, 2016): You hire a kid while he’s still in business school, you give him a summer internship, you give him work during his last year of school, and you give him a full-time job upon graduation. About six months later, he abruptly resigns to join a direct competitor after having allegedly:
- accessed your sensitive files that were not relevant to his job;
- placed dozens of your files in his desktop’s recycle bin;
- attempted to connect an external hard drive to his work computer at your shop;
- accessed his personal email account from his work computer, while also working in your secure database;
- accessed a direct competitor’s recruiting files and emailed the competitor about prospective employment from his work computer;
- attended your confidential meetings after he knew he was going to resign;
- had your company configure a smartphone to include access to your proprietary data four days before his resignation;
- reported that the smartphone was “no longer available” just one day before his resignation;
- created a document using your “highly proprietary and confidential” information the day before his resignation; and
- deleted over 200 files, many of which he did not need to perform his job just before resigning.
Going forward, the kid will NOT be getting a holiday card.
But, assuming the allegations are true, does the conduct listed above result in liability under the Computer Fraud and Abuse Act, a federal statute that was passed to address computer hacking?
Not as far as Sr. Judge David S. Doty (D. Minn.) is concerned. He has said it once (see the original post, below), and now he’s said it again this past week in the context of the denial of plaintiff’s emergency temporary restraining order (TRO) motion.
Original post (March 9, 2012): There has been a vigorous dispute in the federal courts over the extent to which the Computer Fraud and Abuse Act (“CFAA”) may be used by employers to impose civil liability on employees who access confidential or trade secret information with an improper purpose (i.e. to start a competing company). Judge David Doty has now joined two of his Minnesota colleagues (an earlier ML post on such a case is here) in adopting a narrow interpretation of the Act, holding that there must be allegations of unauthorized access, not just improper use, in order to state a claim under the Act.
Defendants Keith O’Brien, Ian Scott and David Serrano were officers of Plaintiff Walsh Bishop Associates, an architectural firm. As principals and members of the executive committee, all three were given access to the “highest level” of the company’s confidential and proprietary information. Walsh Bishop alleges that the three misused that information to start a competing company and, represented by Debra Weiss and Mary O’Brien of Meagher & Geer, sued the three and their new firm in federal court for violations of the CFAA, the Minnesota Trade Secret Act, and a variety of other statutory and common law claims. (Presumably attorney O’Brien is not related to Defendant O’Brien, or we might have an interesting variation on the “Adam’s Rib” scenario). Defendants, represented by George Wood of Littler Mendelson, moved to dismiss for failure to state a claim.
The CFAA subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from a protected computer” to imprisonment and a fine. A civil cause of action exists in certain circumstances, but courts have been split on whether the CFAA imposes civil liability on employees who access information with permission but with an improper purpose. Based upon his analysis of the statutory language and legislative purpose of the CFAA, Judge Doty followed the lead of two earlier decisions in Minnesota and adopted “a more narrow view and focus on the scope of access rather than the misuse or misappropriation of information.” “No language or history concerning the CFAA suggests that Congress intended to provide a federal cause of action for state-law breach of contract, fiduciary duty, trade secret or other business-tort claims.” Accordingly, the Court dismissed the CFAA claim (as well as federal claims under the Electronic Communications Privacy Act and the Lanham Act) and declined to exercise supplemental jurisdiction over the state law claims, requiring Walsh Bishop to re-file them in state court.