Michigan Federal Court Limits Use of Computer Fraud and Abuse Act to Prosecute Disloyal Employee
The Computer Fraud and Abuse Act (CFAA) prohibits (among other things) an employee from accessing an employer’s computers “without authorization” or in a manner that “exceeds authorized access.” Employers frequently invoke the CFAA when a disloyal employee downloads or emails to himself confidential information. In that scenario, employers file CFAA claims, often with claims for misappropriation of trade secrets, because the CFAA provides a basis for federal question jurisdiction, triggers the possibility of enhanced sanctions (including criminal penalties), and arguably provides a means of protecting confidential information that does not rise to the level of a “trade secret.”
A common question that such use of the CFAA presents is whether an employee provided with unlimited access to the employer’s computer system, but who uses that access to misappropriate the employer’s data, has accessed the employer’s computer “without authorization” or in a manner that “exceed[ed] authorized access.” Several federal courts of appeals have answered that question affirmatively, reasoning that an employee acts “without authorization” or in a manner that “exceeds authorized access” whenever he uses the employer’s computer to misappropriate the employer’s confidential information or facilitate another breach of the duty of loyalty.
In Ajuba International, L.L.C. v. Saharia, No. 11-12936 (May 14, 2012), however, the U.S. District Court for the Eastern District of Michigan rejected that interpretation, holding that “a violation for accessing ‘without authorization’ . . . occurs only where initial access is not permitted and a violation for ‘exceeding authorized access’ occurs only where initial access is permitted but the access of certain information is not permitted.” Accordingly, because the employer in Ajuba International had granted the employee “unrestricted access” to its computers, the court dismissed the CFAA claim. In short, the court determined that, if a disloyal employee had authorized, unlimited access to the employer’s computer system when he misappropriated data, no CFAA claim may proceed. In support of its conclusion, the court cited legislative intent to punish trespassers and hackers, not disloyal employees. The court also reasoned that, because the CFAA provides for criminal penalties, it should be construed narrowly.
Although Ajuba International would severely limit employers’ resort to the CFAA and is part of a trend to interpret the CFAA narrowly, there are several reasons why employers should still consider CFAA claims when an employee uses a computer to misappropriate confidential information:
- Ajuba International is not the final word. On the contrary, in most jurisdictions, including the Sixth Circuit, binding authority either interprets the CFAA to cover the disloyal employee situation, or at least does not preclude that interpretation.
- Even under Ajuba International, employers who provide their employees with only limited access to confidential information may still state a claim under the CFAA if an employee uses a computer to misappropriate restricted data. Part of what doomed the employer’s CFAA claim in Ajuba International was that it had granted the employee unrestricted access to its computers; had the employer provided only limited access, and the employee then misappropriated restricted data, the CFAA claim probably would have survived.
- Even under Ajuba International, employers who act quickly to terminate an employee’s access privileges (e.g., as soon as the employee submits a notice of resignation) may prosecute a CFAA claim for later misappropriation. As the Ajuba International court acknowledged, “authorization is controlled by the employer, who may or may not terminate or restrict an employee’s access privileges.” Because misappropriation often does not occur until an employee accepts an offer of employment with a competitor, employers should consider revising their computer policies to provide that, at the moment an employee accepts an offer of employment with another company, authorization to access the employer’s computers is automatically eliminated or at least severely restricted.