Last week, the U.S. Court of Appeals for the Fourth Circuit (in Richmond, Virginia) ruled that employers cannot use the Computer Fraud and Abuse Act (CFAA) to make claims against former employees who copied computer files before separating from employment. This decision agrees with the Ninth Circuit and disagrees with the Seventh Circuit on the issue of CFAA's application to employees copying data their employer permitted them to see. This issue is particularly important to whistleblowers who want to preserve evidence of misconduct contained in the employer's computer network.
The Fourth Circuit relied on the following statement of facts in reaching its decision:
In April 2010, Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. (WEC). Twenty days later, he made a presentation to a potential WEC customer on behalf of WEC's competitor, Arc Energy Services, Inc. (Arc). The customer ultimately chose to do business with Arc. WEC contends that before resigning, Miller, acting at Arc's direction, downloaded WEC's proprietary information and used it in making the presentation. Thus, it sued Miller, his assistant Emily Kelley, and Arc for, among other things, violating the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
Enacted in 1984 and strengthened in 1986, the CFAA is primarily a criminal statute aimed at hackers. However, it also allows hacking victims to sue for damages and injunctions. In 2006, the Seventh Circuit in Chicago held that an employee who erases data on a company laptop before returning it breached a "duty of loyalty" and terminated the agency relationship that was the source of the employee's authorization to access the computer. Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). The Ninth Circuit interprets "without authorization" and "exceeds authorized access" literally and narrowly. To violate the CFAA, an individual must access a computer or information on a computer without permission. See United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134-35 (9th Cir. 2009). Now, the Fourth Circuit has joined the Ninth Circuit.
The Fourth Circuit stated, "we agree with the district court that although Miller and Kelley may have misappropriated information, they did not access a computer without authorization or exceed their authorized access. See 18 U.S.C. §§ 1030(a)(2)(C), (a)(4), (a)(5)(B)-(C)." This is true even assuming that they accessed the information to assist their new employer.
This is great news for whistleblowers who have access to the employer's computer data and want to use that access to document frauds, illegality, or dangers to the public safety or health. It can be helpful to whistleblowers who face "document dilemmas." However, employees in the Seventh Circuit (Illinois, Indiana, and Wisconsin) should be aware that they may be subject to liability for violating the employer's rules about access to information unless they can persuade the Seventh Circuit to change its mind, or win an appeal to the Supreme Court.
The case is WEC Carolina Energy Solutions, LLC v. Miller, No. 11-1201 (4th Cir. July 26, 2012). Congratulations to the employees' attorneys, James William Bradford, Jr., and Brian S. McCoy, both of South Carolina.