Enter to open, tab to navigate, enter to select
Eleventh Circuit Interprets Terms of Art in Computer Fraud and Abuse Act and Stored Communications Act
Practical Law Legal Update w-005-6215 (Approx. 5 pages)
Eleventh Circuit Interprets Terms of Art in Computer Fraud and Abuse Act and Stored Communications Act
by Practical Law Labor & Employment
| Published on 31 Jan 2017 • USA (National/Federal) |
In Brown Jordan Int'l, Inc. v. Carmicle, the US Court of Appeals for the Eleventh Circuit held in a matter of first impression that an employer's "loss" under the Computer Fraud and Abuse Act (CFAA), is not required to stem from an interruption of service and that an employee's compliance with the Stored Communications Act (SCA) requires proper authorization.
On January 25, 2017, in Brown Jordan Int'l, Inc. v. Carmicle, the US Court of Appeals for the Eleventh Circuit, in a matter of first impression, affirmed a district court decision holding that an employer's "loss" under the Computer Fraud and Abuse Act (CFAA), is not required to stem from an interruption of service. The court also found it unreasonable under the Stored Communications Act (SCA), to read a company policy as authorizing access to coworkers' email accounts when an employee has done so with improper motives and in exploitative fashion. ( (11th Cir. Jan. 25, 2017).).
Background
After several years of working for Brown Jordan, a furniture company, Christopher Carmicle was accused of several financial improprieties, including excessive entertainment expenses and placing his wife on the company payroll. A few years later, management considered terminating Carmicle's employment after becoming aware of further breaches of trust. During this time, as Brown Jordan transitioned to a new email system, it issued a universal password to employees to test their accounts. Carmicle used the generic password to access the email accounts of a number of coworkers and superiors based on his suspicions of dishonest content in the emails, ultimately finding out significant company plans and strategies.
As Brown Jordan struggled and Carmicle's employment remained tenuous, Carmicle attempted to save his own job by writing to the company's Board of Directors alleging fraudulent activity including several courses of action that could harm shareholder value. An investigator hired by Brown Jordan concluded that Carmicle's allegations were meritless and found that Carmicle had learned his information by accessing other people's email accounts. The investigator also learned that Carmicle had used company funds for excessive unauthorized expenses. The board terminated Carmicle's employment. After his termination, he locked a Brown Jordan computer remotely, and claimed that he lost an iPad that he had allegedly used to take hundreds of screenshots of his coworkers' emails.
Brown Jordan sued Carmicle, asserting violations of the CFAA and the SCA and a declaration that Carmicle's employment was terminated for cause (18 U.S.C. § 1030; 18 U.S.C. § 2701). The district court granted summary judgment in favor of Brown Jordan. Carmicle appealed.
Outcome
The Eleventh Circuit affirmed the district court's grant of summary judgment to Brown Jordan and determined that Carmicle was terminated for cause as defined by the employment agreement.
Computer Fraud and Abuse Act (CFAA)
The Eleventh Circuit noted that:
- Under the CFAA, a violation occurs when an individual obtains information from a protected computer by intentionally accessing it without or in excess of authorization (18 U.S.C. § 1030(a)(2)(C)). Among the specific circumstances in which one can bring a civil action under this section is when a plaintiff incurs a loss of $5,000 as a result of the alleged violation (18 U.S.C. § 1030(c)(4)(A)(i)(I)).
- The CFAA defines loss as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service" (18 U.S.C. § 1030(e)(11)).
- The interpretation of the definition of "loss" was an issue of first impression for the Eleventh Circuit, but other circuits previously interpreted it to include the cost of responding to the offense, regardless of whether there was a service interruption (see Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014); A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009)).
- While no circuit court previously required an interruption of service in all cases, some district courts did require "loss" to include a service interruption (see Cont'l Grp., Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1371 (S.D. Fla. 2009) (noting that failure to enforce the requirement would render the latter portion of the definition superfluous)).
The Eleventh Circuit agreed with the Fourth and Sixth circuits and found that:
- Carmicle's CFAA violation did not need to be related to interruption of service to be compensable.
- The statutory definition of "loss" includes two separate types of loss:
- reasonable costs incurred in responding to the violation, assessing damage, and restoring the affected program to its prior condition; and
- any revenue lost or costs and damages incurred because of a service interruption.
- The statute is written in the disjunctive, so the first type of loss is independent from the service interruption requirement.
- Brown Jordan suffered loss as defined by the CFAA.
- Contrary to Carmicle's argument, Brown Jordan's expenses of hiring a consultant and investigator were necessary to determine the extent of Carmicle's hacking activity, and therefore compensable.
Stored Communications Act (SCA)
The Eleventh Circuit noted that:
- The SCA is violated when an individual "intentionally accesses without authorization a facility through which an electronic communication service is provided; or ... intentionally exceeds an authorization to access that facility; and thereby obtains ... access to a wire or electronic communication while it is in electronic storage in such system" (18 U.S.C. § 2701(a)).
- The court recently addressed, but did not decide, the issue of whether previously-opened emails are exempt from the SCA's definition of "electronic storage" concerning unauthorized access (Vista Mktg., LLC v. Burkett, 812 F.3d 954, 962 (11th Cir. 2016)).
The Eleventh Circuit found that:
- Since Carmicle did not fairly present the unopened-versus-opened-email issue to the district court, the circuit court would not decide the merits of the issue.
- The district court did not err in determining that Carmicle was unauthorized to access the emails of his colleagues and superiors.
- Although Brown Jordan's company policy allowed senior management to monitor the Internet and email use of employees, it would be unreasonable to think that the policy authorized Carmicle's exploitation of a generic password without going through the necessary channels, and examining coworker emails solely on the suspicion of dishonesty in the communication, and without any reason to suspect wrongful or illegal conduct.
Practical Implications
In a matter of first impression, the Eleventh Circuit determined that under the CFAA, an employer is not required to have an interruption of service in order to suffer a loss. The statutory definition of loss includes two different types of loss, only one of which includes the interruption requirement. Employers should be pleased with the court's decision, as it enhances the scope of what is actionable under the statute. The Eleventh Circuit has aligned itself with the Fourth and Sixth Circuits on this issue and other circuits may follow.
The court's finding that an employee's compliance with the SCA requires proper authorization serves as a reminder for employers to:
- Prepare for the possibility that employees can attempt to take advantage of company computer access for personal gain.
- Make sure that any granted authorization is monitored.