The Computer Fraud and Abuse Act (CFAA) is a federal law that imposes civil and criminal penalties for accessing a computer "without authorization" or "exceeding authorized access." Congress’s intent was clearly to penalize hackers, but employers have attempted to apply the law to what one judge termed "rogue employees"—those who take an organization’s proprietary information from company computers and share it with competitors. Here’s one decision in such a case.
What happened. South Carolina employees "Morse" and "Kennedy" worked for WEC Carolina Energy Solutions, which provides specialized welding and related services to the power generation industry. Morse began negotiating for a sales position with WEC’s competitor, Arc Energy Services. At Arc’s direction, he and his assistant, Kennedy, downloaded WEC’s proprietary information, including pricing terms, pending projects, and technical capabilities onto Morse’s personal computer—and from there to Arc.
Twenty days after leaving WEC, Morse pitched Arc’s services to, and won over, a WEC customer. Understandably upset, WEC sued Morse under the CFAA. But a judge in federal district court ruled for Morse, finding that he had been authorized to access the proprietary information and that he had neither lost nor had he exceeded that authorization. WEC appealed to the 4th Circuit, which covers Maryland, North Carolina, South Carolina, Virginia, and West Virginia.
What the court said. Appellate judges agreed that WEC had sued Morse under an inappropriate law—one designed to prosecute hackers committing genuine fraud, not disloyal employees. Acknowledging that they deliberately construed the CFAA quite narrowly, judges aligned themselves with those from the 9th Circuit (AK, AZ, CA, HI, ID, MT, NV, OR, WA), who had ruled the same way in U.S. v. Nosal earlier in 2012.
But that puts both those circuits at odds with rulings by the 1st (ME, MA, NH, RI), 5th (LA, MS, TX), 7th (IL, IN, WI), and 11th (AL, FL, GA) circuits, which have all allowed employers to find cheating employees liable under the CFAA. As a number of employment law experts have noted, if Congress doesn’t act to further define how far “without authorization” goes, the issue will need to be resolved by the U.S. Supreme Court. WEC Carolina Energy Solutions LLC v. Miller et al., U.S. Court of Appeals for the 4th Circuit, No. 11-1201 (7/26/12).
Point to remember: Beef up your confidentiality clauses and computer use policies to ensure that you can use them effectively to punish employees who spread your trade secrets. And check whether a law in your state might help to protect you. For now, it’s unwise to sue under the CFAA.