Decided: July 26, 2012
This case addressed whether an employee’s authorized access of a computer or information on a computer could form the basis of a violation of the Computer Fraud and Abuse Act of 1986 (CFAA). The Fourth Circuit held that, though the defendants may have misappropriated information, WEC’s inability to allege any unauthorized access of a computer or information on a computer failed to give rise to a violation of the CFAA. Because WEC failed to state a claim for which the CFAA can grant relief, the district court’s dismissal of the claim was affirmed.
The CFAA permits parties who suffer damages to bring a civil action for compensatory damages, injunctive relief, or equitable relief pursuant to 18 U.S.C. § 1030(g). Miller worked as the Project Director for WEC until he suddenly resigned in April 2010. Shortly thereafter, Miller made a presentation to a potential WEC customer on behalf of WEC’s competitor, Arc. WEC contends that Miller and his assistant, Kelley, acting at Arc’s direction, improperly downloaded proprietary information, such as pricing terms, pending projects, and the technical capabilities of WEC, in violation of the CFAA. WEC sued Miller, Kelley, and Arc, alleging nine state-law causes of action and a violation of the CFAA. WEC argued that Miller and Kelley breached their fiduciary duties to WEC and therefore either (1) lost all authorization to access the confidential information at issue or (2) exceeded their authorization. Miller, Kelley, and Arc moved for dismissal pursuant to Fed. R. Civ. P. 12(b)(6) The district court granted the motion on the grounds that WEC did not establish a violation of company policies relevant to access and therefore failed to establish liability under the CFAA.
The Fourth Circuit assessed the scope of “without authorization” and “exceeds authorized access,” noting two different approaches. In Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006), the Seventh Circuit held that “when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.” District courts within the Fourth Circuit have followed the Ninth Circuit’s approach, which interprets the terms literally and narrowly, limiting the application to situations where an individual accesses a computer or information without permission. United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134–35 (9th Cir. 2009). The Fourth Circuit rejected the approaches of the Seventh and Ninth Circuits and instead concluded that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer,” but exceeds authorized access “when he has approval to access a computer, but uses his access to obtain or alter information that falls outside of the bounds of his approved access.” Notably, this interpretation did not extend to the improper use of validly accessed information. WEC failed to establish that Miller and Kelley accessed a computer or information on a computer without authorization, though they may have misappropriated information for an improper use. Accordingly, there was no CFAA violation and Arc cannot be held liable. The district court’s judgment of dismissal was affirmed.