Diminished Protections for Companies under Computer Fraud & Abuse Act (Pacer Req'd)
By Press
We’ve written extensively on the subject of the Computer Fraud & Abuse Act, 18 U.S.C. § 1030, particularly in the context of trade secrets and departing employees. Now comes an interesting and potentially important opinion from Judge Presnell in the Middle District of Florida, Lockheed Martin Corp. v. Speed, No. 6:05-cv-1580 (M.D. Fla. Aug. 1, 2006). The case represents a significant narrowing of the protections available to employers under the statute and directly takes issue with Judge Posner’s decision in Citrin discussed here and here.
The case presented the usual fact pattern. Just prior to moving from Lockheed to its defense and aerospace rival, L-3 Communications Corp., three employees downloaded alleged Lockheed trade secrets from their computers to computer disks and PDA’s which went out the door with them.
The issue facing the court on defendants’ motion to dismiss was whether Lockheed had a claim under the CFAA (and federal jurisdiction for the case based on that statute). The court ultimately said "no," but not without analyzing the statutory language of the CFAA and reaching a different conclusion from other courts which have considered the issue.
The court began its inquiry by noting that Lockheed had to satisfy a two-part injury requirement: first, that it suffered a "root injury" of damage of loss, and second, that it suffered "one of five operatively-substantial effects provided in 18 U.S.C. § 1030(a)(5)(B)(i)-(v)."
Regarding the first requirement, the statute defines "damage" narrowly and, in most usages, limits damage to losses affecting computers, networks, etc. Thus, loss of trade secrets, standing alone, generally will not satisfy the damage requirement. Lockheed, though, was able to meet this requirement by alleging that its costs in responding the alleged violations and conducting a damage assessment led to losses in excess of the statutorily-required $5,000.
Lockheed, however, could not get over the second hurdle. Like many plaintiffs, Lockheed attempted to assert that defendants violated § 1030(a)(4) which prohibits attempts to defraud by access to a protected computer "without authorization" or by "exceed[ing] authorized access."
The hang up for Lockheed came on the word "authorization." At the time the computers were "accessed" the defendants were employees and, thus, "authorized" in the most general sense. This is where Judge Presnell began to depart from the earlier precedent. Two leading cases, Shurgard Storage Centers, Inc. v. Safeguard SelfStorage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000), and Judge Posner's recent decision in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), both held, based on principles found in § 112 of the Restatement (2d) of Agency, that when an employee acquires an interest adverse to his employer and begins to act in favor of that interest in breach of his loyalty to his employer, his authority terminates.
Not so, said Judge Presnell. Instead, relying on the "plain meaning" doctrine of statutory interpretation, he determined that Congress did not intend to incorporate the Restatement principles into its definition of "authorization." Judge Presnell's statutory argument is extensive, closely-reasoned, and represents a fair challenge to the earlier cases.
The decision raises a question that still needs to be answered: if courts accept the stricter standard of the Speed case, can companies craft authorization to employees such that it does not extend to disloyal acts taken for the benefit of competitors? I tend to think so, but no court has yet ruled on that question.
One thing is for sure, though: in light of Speed, companies need to take another look at their computer use policies.
The case presented the usual fact pattern. Just prior to moving from Lockheed to its defense and aerospace rival, L-3 Communications Corp., three employees downloaded alleged Lockheed trade secrets from their computers to computer disks and PDA’s which went out the door with them.
The issue facing the court on defendants’ motion to dismiss was whether Lockheed had a claim under the CFAA (and federal jurisdiction for the case based on that statute). The court ultimately said "no," but not without analyzing the statutory language of the CFAA and reaching a different conclusion from other courts which have considered the issue.
The court began its inquiry by noting that Lockheed had to satisfy a two-part injury requirement: first, that it suffered a "root injury" of damage of loss, and second, that it suffered "one of five operatively-substantial effects provided in 18 U.S.C. § 1030(a)(5)(B)(i)-(v)."
Regarding the first requirement, the statute defines "damage" narrowly and, in most usages, limits damage to losses affecting computers, networks, etc. Thus, loss of trade secrets, standing alone, generally will not satisfy the damage requirement. Lockheed, though, was able to meet this requirement by alleging that its costs in responding the alleged violations and conducting a damage assessment led to losses in excess of the statutorily-required $5,000.
Lockheed, however, could not get over the second hurdle. Like many plaintiffs, Lockheed attempted to assert that defendants violated § 1030(a)(4) which prohibits attempts to defraud by access to a protected computer "without authorization" or by "exceed[ing] authorized access."
The hang up for Lockheed came on the word "authorization." At the time the computers were "accessed" the defendants were employees and, thus, "authorized" in the most general sense. This is where Judge Presnell began to depart from the earlier precedent. Two leading cases, Shurgard Storage Centers, Inc. v. Safeguard SelfStorage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000), and Judge Posner's recent decision in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), both held, based on principles found in § 112 of the Restatement (2d) of Agency, that when an employee acquires an interest adverse to his employer and begins to act in favor of that interest in breach of his loyalty to his employer, his authority terminates.
Not so, said Judge Presnell. Instead, relying on the "plain meaning" doctrine of statutory interpretation, he determined that Congress did not intend to incorporate the Restatement principles into its definition of "authorization." Judge Presnell's statutory argument is extensive, closely-reasoned, and represents a fair challenge to the earlier cases.
The decision raises a question that still needs to be answered: if courts accept the stricter standard of the Speed case, can companies craft authorization to employees such that it does not extend to disloyal acts taken for the benefit of competitors? I tend to think so, but no court has yet ruled on that question.
One thing is for sure, though: in light of Speed, companies need to take another look at their computer use policies.
<< Home