Without referencing the conflicting positions between LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) and Int’l Airport Centers LLC v. Citrin, 440 F.3d 418, 420 (7th Cir.2006) a Connecticut federal district court refused to dismiss Computer Fraud and Abuse claims brought by an employer against an ex-employee. In Monson v. The Whitby School, Inc., 2010 WL 3023873 (D. Conn. August 2, 2010) Dr. Michelle Monson, former head of the Whitby School, sued her prior employer, the Whitby School, for sex discrimination. The Whitby School counterclaimed against her for violations of the CFAA.
The Whitby School alleged “that during her employment with the school, Dr. Monson gained unauthorized access to the Whitby email server to unlawfully view and delete email messages contained in the email accounts of other Whitby employees,” that “[u]pon learning of her impending termination, . . . Dr. Monson used this unauthorized access to delete more than 1,500 email messages,” and “that after she was terminated, Dr. Monson intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.” Id. at *2.
Dr. Monson moved to dismiss the CFAA counterclaim on the ground that her accessing of the Whitby School’s computer was not “unauthorized.” Applying the Supreme Court’s pleading standard in Ashcroft v. Iqbal, 129 S.Ct. 1937, 1949 (2009) that the allegations in the complaint must be “plausible,” the court held that “[w]hile it may not be “plausible” that Dr. Monson was not authorized to delete emails from her own work-provided inbox while she was employed by Whitby, . . . there is nothing implausible about the allegations that she was not permitted to access her subordinate’s email accounts–much less to delete emails therein–or that she was not permitted to delete software programs, data, and even emails in her own email account once her employment was terminated.” Id. at *3.
As to her argument that “her authority in deleting emails is factually incorrect, based upon the authority she purportedly enjoyed as the Head of School,” the court held that it was based on evidence that had to be reserved for a motion for summary judgment, whereas on a motion to dismiss, “the Court must accept as true Whitby’s allegations, including that Dr. Monson’s actions in deleting data were in excess of her delegated authority.” Id. at *4.
In arriving at its decision the court took the common sense approach that unauthorized access to the computers means that the employee’s actions were “beyond the scope of whatever authorization . . [the employee] had been granted” to access the employer’s computer. Id. at * 4. This will be the factual issue on summary judgment or at trial. The Whitby School’s ultimate chances of success on its claims will obviously be enhanced if it had clearly delineated the scope of Dr. Monson’s authorization to access its computers in internal computer policies or in any agreement it might have had with Dr. Monson.