In WEC Carolina Energy Solutions LLC v. Miller, the U.S. Court of Appeals for the Fourth Circuit recently ruled that a former employee could not be held liable under the federal Computer Fraud and Abuse Act (“CFAA”), where he lawfully downloaded confidential information from his employer’s computer network and soon thereafter used that information in connection with his work for a competing business. The CFAA prohibits fraud and related activities in connection with the use of computers, including the unauthorized access of a protected computer to obtain information from that computer. With this ruling, the Fourth Circuit joins the Ninth Circuit in interpreting the term “authorization” in the CFAA narrowly; the Seventh Circuit, by contrast, has found a lack of authorization where a defendant breached a duty of loyalty toward the owner of a computer.
In WEC’s suit against its former employee and his new employer, the company relied on Seventh Circuit precedent to argue that the employee had violated the CFAA because, in violating company policy against downloading confidential and proprietary information to a personal computer, the employee breached his fiduciary duty to WEC and thereby either either lost all authorization to access the confidential information or exceeded his authorization.
The Fourth Circuit ruled against WEC, finding that the statutory terms “without authorization” and “exceeds authorized access” do not extend to violations of company policy regarding the use of information on a computer to which a defendant otherwise has access. In doing so, the Court sided with a recent Ninth Circuit decision interpreting those terms “literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission.” The Court reasoned that the plain language of the statute simply prohibits obtaining information that an individual lacked authorization to obtain and does not criminalize obtaining information in a manner that is not authorized. Thus, the former employee in the case could not be held liable under the CFAA for downloading information that he otherwise had permission to access, even though his treatment of that information violated company policy.