CFAA Does Not Provide Cause of Action Against Former Employee's Unauthorized Use of Confidential Information | Practical Law

CFAA Does Not Provide Cause of Action Against Former Employee's Unauthorized Use of Confidential Information | Practical Law

In WEC Carolina Energy Solutions v. Miller, the US Court of Appeals for the Fourth Circuit held that an employer failed to state a claim against a former employee under the Computer Fraud and Abuse Act (CFAA) where the employee allegedly used confidential information to help the employer's competitor. The employer authorized the employee to access the information, but argued that the employee's unauthorized use of the information violated the CFAA. The Fourth Circuit held that the CFAA only prohibits unauthorized access to information stored on a computer.   

CFAA Does Not Provide Cause of Action Against Former Employee's Unauthorized Use of Confidential Information

by PLC Labor & Employment
Published on 30 Jul 2012USA (National/Federal)
In WEC Carolina Energy Solutions v. Miller, the US Court of Appeals for the Fourth Circuit held that an employer failed to state a claim against a former employee under the Computer Fraud and Abuse Act (CFAA) where the employee allegedly used confidential information to help the employer's competitor. The employer authorized the employee to access the information, but argued that the employee's unauthorized use of the information violated the CFAA. The Fourth Circuit held that the CFAA only prohibits unauthorized access to information stored on a computer.

Key Litigated Issue

On July 26, 2012, the US Court of Appeals for the Fourth Circuit issued a decision in WEC Carolina Energy Solutions LLC v. Miller. The key litigated issue was whether an employer's former employee was liable under the Computer Fraud and Abuse Act (CFAA) for allegedly taking the employer's confidential information and providing it to a competitor.

Background

Carolina Energy had authorized Miller, an employee, to access the company's confidential material, but prohibited him from downloading that material to a personal computer. Miller resigned from his position and went to work for a competitor, Arc Energy Services. As an employee of Arc, Miller gave a presentation to a potential customer that Carolina Energy was also seeking out, and the customer chose to do business with Arc. Carolina Energy then sued Miller and his administrative assistant under the CFAA, claiming that they violated the CFAA by allegedly:
  • Downloading many of Carolina Energy's confidential documents to a personal computer.
  • E-mailing the confidential documents to a personal e-mail account.
Carolina Energy claimed that, by these actions, Miller and his assistant breached their fiduciary duty to the company, and therefore accessed the confidential material without authorization or beyond the scope of their authorization, in violation of the CFAA.
Miller and his administrative assistant moved to dismiss the CFAA claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. The District of South Carolina granted this motion, and Carolina Energy appealed.

Outcome

The Fourth Circuit affirmed the district court's dismissal of the CFAA claim.
The CFAA was enacted to penalize computer hacking, and prohibits individuals from accessing confidential information stored on a computer:
  • Without authorization.
  • In a way that exceeds authorized access.
The Fourth Circuit acknowledged that there is a split in the circuits on the interpretation of the CFAA:
  • The Seventh Circuit has held that if an employee misappropriates confidential information stored on the employer's computer system, he breaches his duty of loyalty to his employer, which ends the agency relationship between them. As a result, the employee loses authorization to access the information, and can be held liable under the CFAA. (International Airport Centers, L.L.C. v. Citrin.)
  • The Ninth Circuit, meanwhile, has applied a narrow reading of the CFAA. It has held that there is no remedy under the CFAA for trade secret misappropriation or the violation of an employer's use policy, if the employee was authorized to access the information. (United States v. Nosal.)
The Fourth Circuit:
  • Adopted the approach of the Ninth Circuit and construed the CFAA narrowly, holding that it only penalizes the unauthorized access of information stored on a computer, rather than the unauthorized use of that information.
  • Found that:
    • the CFAA is also a criminal statute, which must be strictly construed;
    • Congress did not intend the agency relationship between an employer and employee to immediately end, or lead to the imposition of criminal penalties, every time an employee violated his employer's computer use policy; and
    • there are other remedies available to employers whose employees steal confidential material.
  • Held that Carolina Energy authorized Miller and his assistant to access the confidential information on the company's computer system, so even if they misappropriated confidential information, they could not be liable under the CFAA.

Practical Implications

Employers must safeguard their confidential information, understanding that in several jurisdictions the CFAA offers no remedies for employee misappropriation. Employers in the Fourth Circuit (which includes employers in Maryland, North Carolina, South Carolina, Virginia and West Virginia), like employers in the Ninth Circuit (which includes Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington), cannot invoke the CFAA to sue employees who misappropriate their confidential information.

Court Documents