August 17th, 2006 by dm | Hacking, Authentication

A recent (Aug. 1) holding from the U.S. District Court for the Middle District of Florida says that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act (CFAA).  The court granted the defendant Speed’s motion to dismiss the complaint, but gave Lockheed leave to amend. Lockheed Martin Corp. v. Speed, M.D. Fla., Case No. 6:05-cv-1580, 8/1/06. Opinion here.

"Exceed Authorization" Background

Under the CFAA, accessing a computer (as it is broadly defined) without "authorization" gives rise to criminal and civil liability. Section 1030(a)(4) makes it a violation to knowingly, and with intent to defraud, access a protected computer "without authorization" or "exceed[] authorized access" to commit fraud and obtain something of value.

Many civil cases have been filed under CFAA, generally in the employment or trade secret misappropriation contexts, where an employee has copied valuable company information before joining a new employer, usually a competitor. Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that CFAA imposed liability on the premise that the employee’s authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contracting a competitor, etc.

Generally, "exceed authorization" under CFAA has been construed somewhat broadly (as Judge Posner’s case suggests) to cover access to information even when the employee, in computer security terms, has authorization to access the information.

Facts of the Case

Before their employer learned about their imminent departure, the departing employees used their access privileges to burn a stack of CDs with valuable company files for use in their new jobs. The employer, Lockheed Martin, alleged that the employees' file-copying activities violated multiple subsections of the CFAA. Lockheed invoked the civil remedies provision of the CFAA.

Sea Change?

The August 1st Speed case may suggest a sea change, or at least a circuit split. The court held that because the access occurred while the employee still enjoyed access privileges to the company’s computer system, it cannot be said that the access "exceeds" the employee’s authority. This holding is in direct contradiction to Judge Posner’s Citrin holding. Judge Presnell said that he "respectfully disagrees" with the Seventh Circuit because its decision "effectively turns the plain reading of the statutory definition of ‘exceeds authorized access’ on its head." He suggested that Judge Posner had "stretch[ed]" the meaning of "without authorization" to cover those who have access but act badly. "Congress did not so stipulate," Presnell wrote.

In addition, the court was worried that adopting Citrin could result in far-reaching CFAA liability for employees. For example, the Citrin theory may permit an employer to pursue a CFAA claim against employees who check personal e-mail accounts on company time, a minor offense for which to invoke a criminal statute, or to use such a claim as a bargaining chip in a complex employment dispute.