Federal Courts Split on Computer Fraud and Abuse Act
In a recent decision, LVRC Holdings LLC v. Brekka (9th Cir.), a federal court upheld the dismissal of an employer's case against its former employee, Christopher Brekka, and his consulting businesses, alleging that he violated the Computer Fraud and Abuse Act (CFAA). The company alleged that Brekka illegally accessed its computer "without authorization" during employment and after his employment terminated. The court found Brekka did not access a computer "without authorization" when he emailed documents to himself, nor could the company prove that he accessed the company's internal website after he left the company.
The facts were largely undisputed - the company operates a residential treatment center for recovering drug addicts, and it hired Brekka to assist with marketing and interacting with its email and website provider. At the time he was hired, Brekka owned and operated consulting businesses that provided referrals for rehabilitation services to potential patients. While Brekka was employed by LVRC, he was provided a user name and a password so he could access company information, including information about LVRC's website and statistics about website usage. Prior to leaving the company, Brekka emailed himself a number of LVRC documents, including patient admissions reports, LVRC's marketing budget, meeting notes, and a master admissions report that included the names of past and current patients. Additionally, after he left the company, the company learned that someone had accessed its website using Brekka's log-in information.
The court considered whether Brekka violated the CFAA, a law that prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking forbidden actions, ranging from obtaining information to damaging computer data. The court concluded that Brekka had authorization to access LVRC's documents and emails, and there was no evidence that Brekka agreed to keep the emailed documents confidential or to return or destroy them after the termination of his employment. The 9th Circuit refused to follow a prior 7th Circuit decision, International Airport Centers, LLC v. Citrin, that held that an employee violated the CFAA when he took actions disloyal to his employer, thereby exceeding his "authorization." Instead, the court held that liability under the CFAA does not turn on whether there is a breach of duty of loyalty under state law and can occur only when a person has not received permission to access a computer or when such permission has been rescinded. The court also held that, while it would have been a CFAA violation if the company could prove Brekka had accessed the system following his termination, there was no such evidence.
This case is significant because it demonstrates the importance of well-drafted policies concerning the use of company email and websites, and safeguarding confidential information and documents. Including specific language that defines the scope of an employee's authorization to use computer information could also help to establish a potential CFAA claim for misuse of that information.