New York Court: CFAA Does Not Apply to Company Executives

A New York court held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibition against unauthorized access does not apply to corporate executives who stole confidential and proprietary information from the company computers because, as company executives, they had been “granted unfettered access to . . . [the company’s] computer system and information residing on it.”  Orbit One Communications, Inc. v. Numerex Corp., 692 F.Supp2d 373, 386 (S.D.N.Y. 2010).  While recognizing that the “Courts have interpreted the CFAA’s prohibitions of ‘access without authorization’ and ‘exceed[ing] authorized access’ in two different ways,” and that the “Second Circuit has not addressed the issue squarely,” id. at 385, the court opted for the narrow interpretation for three reasons.

First, the court relied on the language of the statute which “does not prohibit misuse or misappropriation.”  Id. at 385.  Thus, the court held that “reading the phrases ‘access without authorization’ and ‘exceeds authorized access’ to encompass an employee’s misuse or misappropriation of information to which the employee freely was given access and which the employee lawfully obtained would depart from the plain meaning of the statute.”  Id.  In rejecting Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), the court does not explain why the statute should not be interpreted in the context of the law of agency, i.e. once the employee determines to access the computers for a purpose that violates his fiduciary duty to his employer, the agency relationship and therefore the authorization to access the company computers terminates.

Neither this case nor any of the cases rejecting Citrin mention Carpentar v. United States, 484 U.S. 19, 27 (1987) in which the Supreme Court employed the Restatement (Second) of Agency, relied upon by Citrin, to interpret the scope of the mail and wire fraud statutes to affirm the convictions of a Wall Street Journal reporter who prior to publication had provided his upcoming financial columns to his confederates who bought or sold stock “based on the probable impact of the column on the market.”  Id. at 23.   Relying on the Restatement, the Court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment” and that intentionally exploiting that information for his own personal benefit was a scheme to defraud his employer of confidential information outlawed by the mail and wire fraud statutes.  Id. Just as the Restatement proscribes the duty of an employee in the context of the mail and wire fraud statutes to safeguard his employer’s confidential information, there is no valid reason why it does not also proscribe the scope of an employee’s authority to access his employer’s computer in the context of the CFAA.

Second, the court found that “the statute as a whole indicates Congress’s intent to prohibit access of a computer without authorization, not an employee’s misuse of information that he or she was entitled to access or obtain.”  Id.  Thus, the court specifically read the CFAA’s definition of “damage” and “loss” to conclude that the statute was aimed at hacking and not the misuse or misappropriation of computer data.  Id. at 385-86.  The CFAA’s definitions of “damage” and “loss,” however, do not purport to limit the CFAA to hacking or misuse or misappropriation of information.  The  CFAA’s $5,000 loss requirement simply reflects “Congress’ general intent to limit federal jurisdiction to cases of substantial computer crimes.”  In re Doubleclick, Inc. Privacy Litigation, 154 F.Supp.2d 497, 522 (S.D.N.Y. 2001).  The definition of “damage” relates to certain provisions of the CFAA which require proof of damage to the computer that does not differentiate between damage caused by a hacker or a company insider.  Title 18, U.S.C. § 1030(e)(8).

Third, the court relied on the rule of lenity to interpret a criminal statute narrowly to provide fair warning as to conduct that is clearly covered by the statute.  Thus, the court concluded that “[i]t would be imprudent to interpret the CFAA, in a manner inconsistent with its plain meaning, to transform the common law civil tort of misappropriation of confidential information into a criminal offense.”  Id. 386.  In short, Orbit One Communications is simply expressing what many district courts do not like about the CFAA – the statute is federalizing the theft of trade secrets, an area of law that has traditionally been the provence of state law remedies.