California Court Holds that an Employee Can Be Sued Under the CFAA for Deleting Company Files

Without referring to its Circuit’s controlling decision of LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), a federal district court in San Jose, California permitted a Computer Fraud and Abuse Act (“CFAA”) claim to proceed against an ex-employee for deleting files from her former employer’s computer. Kal-Tencor Corp. v. Murphy, 2010 WL 1912029 *6-*7 (N.D. Cal. May 11, 2010). This case is significant because it allows a CFAA claim for unauthorized access to be predicated on an employee agreement requiring an employee to return company records at the time of termination from the company. This decision is contrary to another district court decision in the same federal judicial district — U.S. v. Nosal, 2010 WL 934257 *7 (N.D. Cal. Jan. 6, 2010) — leaving open the question of whether in the 9th Circuit employer policies can be used to define employee authorization to access the company computers.

Brekka held that an employee’s authorization to access the company computer cannot be based on the law of agency. Instead, the court held that the Computer Fraud and Abuse Act does not apply to employee theft from the company computers because an employee has permission from his employer to use the company computers and therefore cannot access the company computers “without authorization,” a critical element of most CFAA violations. Id. at 1133. The earlier case, Nosal, 2010 WL at *7, recognized that “Brekka provides some indication, in dicta, that an employer might be able to define the scope of an employee’s access in terms of how the employee uses the information obtained from the computer system.” Id. at *7. Nosal, however, held that despite this dicta, the underlying rationale in Brekka that forbids a consideration of the employee’s motive for accessing the computer does not allow lack of authorization to be based on “corporate policies governing use of information.” Id.

Kal-Tencor does not acknowledge Nosal but interprets Brekka to allow authorization to be established by company policies. The plaintiff Kal-Tencor (“KT”) is a high-tech company that offers solutions for the semiconductor and related microelectronics industries. Ruixia Chen, a KT employee, left KT to join a newly created competitor company, Inspecstar, LLC, which was also named as a defendant. A computer forensic investigator who examined Chen’s company computer found that prior to leaving KT, Chen had used a software cleaning/wiping program called Evidence Eliminator to delete all of her emails, documents and internet history files.

The forensic examination also revealed that on her last day of work Chen “had accessed a number of files . . . including product and customer service analyses that KT considers confidential” and that “after the files were accessed and after . . . Evidence Eliminator had been deleted from the computer, an external 500 gigabyte storage device had been connected to the computer.” Id. at *4. “The [computer forensic] examiner concluded that ‘files were probably copied over to a removable storage device.’” Id. A subsequent review of Chen’s personal home hard drive revealed that it “contained files belonging to KT, some labeled ‘confidential.’” Id. Chen claimed that she had only deleted personal files and had “only copied photographs and other personal information” to the hard drive. Id.

In arguing that Chen’s access to the computer was not authorized, KT relied on its employee agreement with Chen “requiring surrender of all proprietary information upon termination of employment [to] mean that KT employees are not authorized to delete confidential KT information residing on their computers.” Id. at *7. Based on the evidence presented by KT and Chen, the court denied KT’s motion for summary judgment on the CFAA claim, finding that there “remains a genuine issue of material fact” for a jury. Id.