Employees Not Liable Under CFAA for Violating Computer Use Policy

Here’s a common scenario in trade secret disputes:

A current employee accepts a new job, but before leaving, he logs on to his computer and sends internal documents to his personal email account. Weeks later, the company discovers that the employee has used its pricing information to steal a client, costing the company millions of dollars in lost revenue.

Many employers have adopted computer use policies to address this problem. But after a recent court decision, the employee handbook may need revising.

Here’s what the Fourth Circuit said in WEC Carolina Energy Solutions, LLC v. Miller about computer use policies – and how employees can avoid liability under federal law.

Background

Before 2010, Miller worked as a project director for Carolina Energy Solutions, a South Carolina company that specialized in boiler, valve, and pump installation maintenance. He quit the company, but before he left, he or his personal assistant allegedly used a laptop to send company documents to his personal email account.

Carolina Energy Solutions promptly filed suit in federal court. They argued Miller and his accomplice violated federal law, the Computer Fraud and Abuse Act (CFAA). Miller moved to dismiss the CFAA claim, which the district court granted. Carolina Energy Solutions appealed.

Analysis

The Computer Fraud and Abuse Act (CFAA) renders liable any person who ”intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.” It was thought “exceeds authorized use” would cover employees who use a company computer to download internal documents in violation of the computer use policy.

Not so fast, said the Fourth Circuit (which includes Virginia). The meaning of “without authorization” and “exceeds authorized access” covers hackers, not workers on the clock.

The Court held the following definitions apply:

“[W]ithout authorization,” means an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.

Therefore, when an employee is using employer-issued computer, he is acting with authorization.

“[E]xceeds authorized access,” means an employee has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.

The CFAA covers access to documents, and not the use of those documents. An employee has not exceeded authorized access if he otherwise has permission to access those files (pricing documents, invoices, etc.). The employer may have state law claims, but the CFAA does not apply in this case.

Bottom Line:  In Virginia, an employee is not liable under the CFAA if they were permitted to access company files during the normal course of work. The company may have state law claims, including trade secret misappropriation, depending on the nature of the information that was taken. If you are involved in a trade secret dispute, you should contact an attorney to discuss your rights.