Employees and “Authorized Access”: A Threat from Within?
Workplace privacy has become an increasingly challenging issue for employees and employers alike. With technological advancements, employers have enhanced visibility into employee behavior, including employees’ use of company resources such as the Internet. The same advancements have also afforded employees unprecedented access to a company’s confidential and proprietary information.
While this access has given rise to greater efficiencies in the way employees utilize their employers’ information, it has also provided greater opportunities for mischief and illicit schemes. Employees can now easily view and download huge amounts of proprietary information gained by virtue of the access provided by their employment, transmit the data quickly, and in unfortunate instances, use it for illegitimate purposes such as to directly compete with their former employers. As a result, employers must become increasingly vigilant about safeguarding the information their employees may access and the vulnerabilities to which such access may give rise.
Most states have common law theories of recovery—such as breach of the duty of loyalty, misappropriation of trade secrets, and unfair competition—to respond to an employee’s misappropriation of confidential information. Increasingly, however, some employers have turned to the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq., which was enacted in 1986 to address the paucity of laws then available to combat the emerging threat of computer crimes. The CFAA imposes criminal sanctions against any individual who, inter alia, intentionally accesses a protected computer “without authorization,” see, e.g., 18 U.S.C. §§ 1030(a)(3), (a)(5), or “exceeds authorized access,” see, e.g., 18 U.S.C. §§ 1030(a)(3), (a)(4). Although the CFAA is primarily a criminal statute, it provides a civil remedy to “[a]ny person who suffers damage or loss by reason of a violation” of the statute. 18 U.S.C. § 1030(g). Thus, an employer that has suffered loss as a result of an employee’s unauthorized access of information on its computer or network may have a remedy available to it under the CFAA.
When an employee intentionally accesses a computer that he or she is unauthorized to use and obtains protected information, the employee has almost certainly run afoul of the CFAA. But courts have split when confronted with the circumstance of an employee who accesses a computer that he or she is generally authorized to use in order to obtain information for an improper purpose, such as to compete with his or her employer. A recent decision from the U.S. District Court in the Western District of Michigan, Experian Marketing Solutions, Inc. v. Lehman, No. 1:15 Civ. 476 (W.D. Mich. Sept. 29, 2015), dismissing certain claims under the CFAA, illustrates these divergent approaches.
During the course of his employment as Experian’s executive vice president, Jeremy Lehman allegedly accessed Experian’s confidential information from its computers to support a competing venture. While Lehman was entitled to access Experian’s information to further his responsibilities as an employee, his use of Experian’s computers to access the information in order to compete with the company violated Experian’s internal policies and Lehman’s employment agreements. Despite the fact that Lehman’s actions were “unauthorized” in the sense that they violated the company’s policies, the district court held that Lehman’s accessing of the information was not “without authorization” as that phrase is defined in the CFAA.
In reaching this conclusion, the district court noted a split between courts that have adopted a narrow interpretation of the term “authorization”—in which an employee with some authority to access a computer continues to act with authorization even if the employee’s purpose in accessing the information on the computer was improper—and courts that have adopted a broader interpretation of the term—in which an employee’s improper purpose in accessing information on a computer is relevant to whether he or she acted without “authorization.” Holding that “the CFAA prohibits improper access to computer information rather than misuse or misappropriation of such information,” the district court adopted the narrower interpretation of the term and dismissed the CFAA claims.
Currently, the Fourth and Ninth Circuits adhere to the more restrictive view of “authorization” adopted by the Michigan district court, while the First, Fifth, Seventh and Eleventh Circuits adhere to a broader view of that term. Employers seeking to rely on the CFAA, therefore, should be mindful of the circuit in which they are located and be sure to include their state’s supplemental common law remedies when seeking judicial redress of an employee’s misuse of private and confidential corporate information. Unless and until Congress or the Supreme Court steps in to clarify the statute, this issue will remain unsettled and employers must remain vigilant about it.