Maryland Court: Employees Who Steal Data from the Company Computer do not Violate the Computer Fraud and Abuse Act

A federal district court in Maryland held that an employee who allegedly stole proprietary data from his prior employer did not violate the Computer Fraud and Abuse Act (“CFAA”) because he was authorized to access the data and use the data on the job before he terminated his employment with his prior employer. Océ North America, Inc. v. MCS Services, Inc., 2010 WL 3703277 *3-*5 (D. Md. Sept. 16, 2010).

Océ North America (Océ) “designs, manufactures, sells, and services high volume production printing systems . . .for commercial printing functions.” Id. at *1. The complaint alleged that a former Océ employee went to work for a direct competitor, the defendant MCS Services, Inc.(“MCS”). Océ claimed that before leaving its employ the former employee copied from its computers its proprietary “diagnostic software, a parts manual, and a maintenance manual” and that MCS distributed this stolen material to “its engineers who are using these copies in their daily work.” Id.

The court dismissed the CFAA claim based on Océ’s failure to allege facts showing that its former employee accessed its computers “without authorization,” an essential element of the CFAA. The court held that Océ’s former employee could not have accessed its computers without authorization when he stole the proprietary material because “it was part of his job to use . . . [Océ’s] computers and the software on the computers.” Id. at *4. In support of its decision the court did not address the division in the Circuit courts on this issue created by the 9th Circuit in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir.2009) or explain why it believed its position was more correct than the other courts which have found that employees are can violate the CFAA.

The court did not address Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) which held that an employee’s authorization to access the company computer is predicated on his agency relationship with his employer such that when the employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates.

The court also found that the copying of the software “may have been a violation of . . . [the former Océ employee’s] employment agreement” (Id. at *4) but did not address the caselaw in the First and Fifth Circuits which allow the employer to place limits on the scope of the employee’s authorization to access the company computers. U.S. v. John, 597 F.3d 263, 271 (5th Cir. 2010) and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001). Instead, the court simply cited three district court opinions that support its position.

One thought on “Maryland Court: Employees Who Steal Data from the Company Computer do not Violate the Computer Fraud and Abuse Act

  1. Plaintiff makes sophisticated commercial grade printers. It also produces complex software that is used to diagnose problems with the printers and to set the functionality of the machines.

    A field engineer who used to work for plaintiff allegedly copied some of the software onto his laptop when he worked for plaintiff. Later he went to work for one of the defendant companies, a competitor to plaintiff that also services plaintiff’s machines. Other employees of the defendant allegedly used copies of the software to do their work for defendant.

    Plaintiff sued for, among other things, violation of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to protected computers. Defendants moved to dismiss. The court granted the motion.

    The court held that plaintiff failed to allege that the field engineer’s access to the computer containing the software was unauthorized, because he accessed it and copied it to his laptop while he still worked for plaintiff. And that access was authorized.

    As for the other defendants, the court held that the defendant company’s access to the software on the various laptops was not unauthorized. The critical point in this portion of the CFAA analysis was on whether access to the actual computer (not access to the software) was unauthorized. The defendant employees allowed access to the laptops onto which the diagnostic software was allegedly installed. So the CFAA claim failed on this basis.

Comments are closed.