Alabama District Court: CFAA Does Not Apply to Employees

Bell Aerospace Services, Inc. v. US. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010) recently followed the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). The case alleges a classic employee theft of competitively sensitive data from the company computers for use at a competing business. Bell Aerospace Services fired one of its officers who two months later founded a competing company, U.S. Aero Services, and then recruited seven Bell Aerospace Services employees to join him at the new company.

While the seven employees were still employed by Bell Aerospace Services, they were alleged to have stolen intellectual property from the company computers. Bell Aerospace Services sued U.S. Aero, two of its officers, and the seven former employees for, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) for accessing the company computers without authorization or in excess of their authorizations.

The court granted summary judgment to the defendants on the CFAA claims on the basis of Brekka. Thus, the court found that “[t]he seven former Bell Aerospace [employees] accused of accessing the company computers without authorization were each employed at the company while accessing its computers and each had permission to do so; therefore, each had “authorization” to access the computers and the materials found on its server” and had not exceeded their authorized access. 690 F.Supp.2d at 1272 – 73. The court expressly rejected the holding in International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir.2006) that an employee’s authorization to the company computer is established by the law of agency. Citrin holds that once an employee, the agent, decides to access the company computer for a purpose that breaches his duty of loyalty to his principal, the employer, the employee thereby voids the agency relationship and his authorization to access the company computers.

In adopting Brekka the court approved Brekka’s reasoning that even if the phrase “without authorization” is ambiguous, it should be read narrowly because the CFAA is a criminal statute:

It is imperative when dealing with a criminal statute that “defendants are on notice as to which acts are criminal.” Brekka, 581 F.3d at 1135.  Thus, “ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity,” Rewis v. United States, 401 U.S. 808, 812, 91 S.Ct. 1056, 28 L.Ed.2d 493 (1971), which “requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government,” Brekka, 581 F.3d at 1135. While the plain language of the CFAA dictates reading “without authorization” to mean “without permission or access,” a finding of ambiguity would necessarily lead to the same result.

What is remarkable about the Bell Aerospace Services decision is that the court ignored controlling precedent in its own Circuit at odds with Brekka — U.S. v. Salum, 257 Fed. Appx, 225, 230-31 (11th Cir. 2007) — which upheld the criminal conviction of an employee under the CFAA for stealing information from the employer’s computer. Specifically, Salum held that there was sufficient evidence for the jury to convict a police officer with the Montgomery, Alabama Police Department of violating the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that “there was sufficient evidence to establish that that he knew [that he was providing the information to a private investigator who was not supposed to receive it] and that by providing information from the NCIC data base, Salum exceeded his authority by accessing it for an improper purpose.” Id. at 230.

The evidence in Salum on exceeding authorized access was strikingly similar to the evidence in Bell Aerospace Services. In Salum the Montgomery Police Department had rules expressly limiting the dissemination of the database information to law enforcement employees, and all Montgomery Police Department employees, including Salum, were provided with specific training and certification on these rules. 257 Fed. Appx. at 227. In Bell Aerospace Services each of the seven employees had signed confidentiality agreements promising not to remove any company records used in the performance of their work. 690 F.Supp.2d at 1271, but the court ignored this evidence in deciding that these seven employees had not exceeded their authorized access to the Bell Aerospace Services’ computers.