No CFAA Cause of Action Allowed For Disloyal Employee Use of Employer's E-Mail System

A civil cause of action under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, frequently is pleaded in cases where an employer is suing a former employee for misappropriation of trade secrets or proprietary information, where the misappropriation involved some kind of access to or use of the employer's computer network. The CFAA is the federal "computer hacking" statute; in addition to criminal penalties, it provides a private right of action where a party accesses a "protected computer" without authorization, or in a manner that exceeds authorized access, causing a certain quantum of "damage" or "loss."

In these cases, the employee's access typically does not involve the kind of conduct traditionally considered "hacking," e.g., stealing a password, or utilizing computer vulnerabilities to gain surreptitious access to files the employee was otherwise not allowed to access. But the CFAA contains language penalizing unauthorized access to a computer "with intent to defraud." The courts have allowed some of these cases against disloyal employees on the theory that the employee's disloyal conduct fell within the fraud language.

The earliest example of such a case may be Shurgard Storage Center, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000). My colleagues Ken Nissly   and Susan van Keulen  commented on this case at the time it was decided. As they pointed out, an advantage of including a CFAA cause of action in this kind of business litigation is the availablity of a federal forum for such claims, which might not be available to the plaintiff otherwise.

In an unpublished ruling issued last month, however, Judge Hillman of the District of New Jersey drew a line in the sand with respect to at least some of these types of claims brought under the CFAA.  In Chas. A. Winner v. Polistina, No. 1:06cv4865, 2007 U.S. Dist. LEXIS 40741 (D. N.J. June 4, 2007), the alleged unauthorized access involved the use of an employer's e-mail system by disloyal employees. According to the court, "with one exception, the only factual allegations in the complaint that concern the use or misuse of a computer are allegations that the individual defendants sent internal and exernal e-mails to further the interests of their prospective employer and in a manner disloyal to their former employer."

The plaintiffs alleged that they expended in excess of the $5,000 statutory amount of loss in hiring a computer expert to conduct an assessment and and investigation of the employees' conduct. Judge Hillman regarded these allegations as conclusory:

Plaintiffs have provided the Court with no evidence whatsoever regarding this alleged investigation and how it was related to any harm of damage to plaintiffs’ computer. Indeed, the only evidence cited by plaintiffs is a reference to paragraph 55 of the complaint, the merely conclusory allegation that Section 1030 was violated. In this vacuum, one is left to assume that any costs incurred by plaintiffs were spent recovering the offending e-mails and searching for other evidence of disloyal conduct. Gathering evidence from a computer to prove your state law employment claims does not turn defendants’ conduct - even disloyal conduct in breach of contract - into the kind of conduct that so concerned Congress that it criminalized it.

Judge Hillman ruled that Congress intended to permit a private right of action under the statute only with respect to conduct reached by the criminal statute. He concluded that the employee misuse of the employer's e-mail system does not constitute such conduct:

We find nothing in the structure or language of the statute to suggest that Congress intended to create a private cause of action against employees whose crime, if you will, merely involved the use of ordinary e-mail in a manner disloyal to their employer and in breach of their employment contract. The use of e-mail in the context of routine business activity - and for purposes both banal and hurtful - is almost universal and was so when Congress amended the statute. If such conduct violates the CCFA there would be no principled limit to the kinds of business disputes that Section 1030, and perforce its private right of action, would reach. We are convinced that if Congress had intended to bring the kind of employment dispute found in this case and so common in state court within the jurisdiction of the federal courts merely because a disloyal employee used e-mail to further his disloyal conduct it would have done so much more directly and with resounding clarity.

Does Judge Hillman's narrow approach to civil CFAA claims also extend to unauthorized access to computer files by disloyal employees? It would appear so. See n. 8: "In reaching this conclusion, we reject the nonetheless comprehensive and thoughtful opinion in Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F. Supp. 2d 1188 (E.D. Wash. 2003)." Pacific Aerospace relied in turn on Shurgard in allowing a CFAA cause of action where an employer made a generalized claim of unauthorized access to employer proprietary information by disloyal employees.

It remains to be seen whether Judge Hillman's view of the CFAA will influence other courts. In Dudick v. Vaccarro, No. 3:06-cv-2175, 2007 U.S. Dist. LEXIS 45953 (M.D. Pa. June 25, 2007), also in the Third Circuit and decided shortly after Chas. A. Winner v. Polistina, the court relied on Shurgard in allowing a CFAA cause of action in an employee misappropriation case.