The Computer Fraud and Abuse Act: ‘Authorization' in Flux and the Ninth Circuit Dilemma
March 2012

The Computer Fraud and Abuse Act ("CFAA") was passed by Congress in 1984 to address the unauthorized access and use of computers and computer networks. Although the CFAA is primarily a criminal statute, the 1994 amendment to the CFAA allowed individuals and companies to bring a private civil suit against a person who accessed a protected computer “without authorization” or while “exceed[ing] authorized access.” Increasingly, employers have used the CFAA to bring suit against former employees or agents (“Insiders”) who have absconded with company data. Within this context, there is currently a widening split among circuit and district courts over whether Insiders can be held liable under the CFAA for accessing data without or in excess of authorization. This diversity of viewpoints is currently playing out in the Ninth Circuit, where an en banc panel is considering whether to affirm a definition of authorization that will allow employers a remedy against Insiders who exceed their authorized access, or whether to define to term narrowly.

Courts have generally applied one of two theories to determine what constitutes unauthorized access within the context of the CFAA: (1) agency theory, or (2) the plain language of the statute. Under the agency theory, or expansive view, an Insider can be held liable under the CFAA for lacking authorized access when he either acts disloyally to his employer or with an interest adverse to his employer’s. Under the plain language interpretation of the statute, or narrow view, an Insider lacks authorized access only when he was never given permission to access particular information or when his authority was affirmatively rescinded by the employer.

For the past few years, employers within the Ninth Circuit have had to navigate an ever changing legal landscape to determine whether they could bring a claim under the CFAA against an Insider who left the employer to join a competitor and took with them the employer’s valuable company data. Before the Ninth Circuit waded into the debate, the circuit had experienced an intra-circuit split. The district court decisions in Shurgard and Shamrock had provided some of the most cited interpretations of both the agency and plain language theories of authorization. Now, with its decisions in LVRC Holdings, LLC v. Brekka and U.S. v. Nosal, the Ninth Circuit has provided another twist to its history with the CFAA. The discussion below tracks the development of Insider liability, or lack thereof, within Ninth Circuit case law.

A. Birth of the Agency Theory of Authorization and the Ninth Circuit’s Intra-Circuit Split

In Shurgard, the court adopted what is now know as the agency theory of authorization. This case involved a dispute between two business competitors in the self-storage business. The defendant hired the plaintiff’s Regional Development Manager, Eric Leland, who had access to the plaintiff’s confidential business plans, expansion plans, and other trade secrets. While still an employee of the plaintiff, Leland e-mailed several of the plaintiff’s trade secrets and other proprietary information to the defendant. The plaintiff sued the defendant under the CFAA, on the theory that Leland intentionally accessed the plaintiff’s computer without authorization, or in excess of authorization. Finding guidance in the RESTATEMENT (SECOND) OF AGENCY, the court held that “the authorization for [Shurgard’s] . . . employees ended when the employees began acting as agents for the defendant.” The court concluded that the employees “lost their authorization and were ‘without authorization’ when they allegedly obtained and sent the proprietary information to the defendant via e-mail.” Therefore, according to the district court, Leland “lost” his authorization and was thus without authorization under the CFAA when he accepted the job offer and chose to e-mail the proprietary information to the defendant.

Shurgard’s agency theory of authorization was given further credence when it was adopted by the Seventh Circuit in International Airport Centers, LLC. v. Citrin. In Citrin, an employee for a real estate agency decided to end his employment and go into business on his own. Prior to leaving his job, he accessed the computer that was given to him by his employer and deleted all the information and data that he had been gathering in the course of his employment. He also loaded a secure-erasure program to prevent the recovery of the files. Relying on agency law and on the Shurgard decision, the court held that Citrin’s authorization to access the laptop “terminated when, having already engaged in misconduct and decided to quit [his job] in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes.” The court stated that by breaching his duty of loyalty, Citrin terminated his agency relationship and, with it, his authority to access the laptop. ...

To read this publication in its entirety, please click here.