Disloyal Employees and the CFAA: The Debate Continues
A civil cause of action under the Computer Fraud and Abuse Act (CFAA) frequently is pleaded in cases where an employer is suing a former employee for misappropriation of trade secrets or copying of proprietary information, and the employee’s actions involved some kind of access to or use of the employer's computer network. While disloyal employee behavior could present valid claims under state trade secret law or contract law, does it present a federal case?
Currently, federal courts are split on this issue. In interpreting the term “unauthorized access” under the CFAA, some courts have allowed cases against disloyal employees on the theory that the employee's disloyal conduct ran counter to company policy and was “unauthorized,” while other courts have held that an employee could not be liable under the CFAA where initial access to the company computers was permitted. As we have previously blogged and written about in depth, the recognition of such claims is controversial, because the usual scenario involves an employee accessing information to which the employee had authorized access at the time, at least in the common meaning of "authorized access."
As the debate continues, two courts in April have sidestepped the “authorized access” thicket and instead dismissed CFAA claims against former employees on other grounds.
In American Family Mutual Insurance Co. v. Rickman, No. 08-583, 2008 U.S. Dist. LEXIS 32480 (N.D. Ohio Apr. 18, 2008), the court considered the issue of whether the CFAA can be used against employees who access information from a company computer and later use that information against the employer. However, the court declined to enter the “authorized access” debate:
The gravamen here, too, is what Defendant did with allegedly proprietary information. However, the Court need not resolve this split of authority because its analysis of "loss" under the CFAA provides a clear basis for dismissal. The Court turns to the statutory definition of "damage" and "loss" as well as case law interpreting these statutory definitions.
Thus, the court held that an alleged disloyal employee who copied proprietary company files was not liable under the CFAA because losses under the statute are compensable only when they result from damage to a computer system or an interruption of computer service. Based upon a failure to properly plead “loss” under the statute, the Ohio district court dismissed the employer’s action and CFAA claims, noting that the employer “still has traditional state statute and common law remedies available to it for recovery against a dishonest employee.”
Similarly, in Cohen v. Gulfstream Training Academy, No. 07-60331, 2008 U.S. Dist. LEXIS 29027 (S.D. Fla. Apr. 9, 2008), the court dismissed the employer’s CFAA counterclaim and held that an employee who copied files from his former employer's computer system is not liable under the CFAA, absent a showing of “loss” or “damage” related to an interruption of service. Ultimately, the court ruled that the alleged copying of the employer’s files and wooing of the employer’s clients do not constitute "loss" under the CFAA absent claims related to an interruption of computer service.


