The 6th Circuit affirms the Computer Fraud and Abuse conviction of an IT Employee

Last week the Sixth Circuit Court of Appeals upheld the criminal conviction for the Computer Fraud and Abuse Act (“CFAA”) of an employee who stole confidential data from his employer’s computers. U.S. v. Batti, 2011 WL 111745 (6th Cir. Jan. 14, 2011). The issues on appeal were limited to whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5 year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565.

These limited issues precluded the Sixth Circuit from addressing the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). Brekka stands for the proposition that because an employee has permission to use the company computers, he or she cannot violate the CFAA because an employee’s access to the computers is never “without authorization,” a critical element of the CFAA. However, the facts in Batti and the language in the decision provide clues as to how the 6th Circuit might ultimately rule on this issue.

The defendant had been employed as an information technology employee at Campbell-Ewald, a Michigan advertising firm. The government’s proof of his intrusions into the company computers occurred both during his time as an employee and after his employment had been terminated. While he was still employed, the trial evidence showed that

The defendant accessed Campbell-Ewald’s computer server and copied confidential computer files belonging to Campbell-Ewald’s CEO without authorization. Although these files were normally stored on the CEO’s desktop computer, they had been moved by the company to the company’s server while the CEO’s computer was being replaced. Within these files were “confidential pieces of information … including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans.

Id. at *1.

The court’s statement that the defendant “accessed” his employer’s computer server and files “without authorization,” would tend to suggest that the court would not agree with the underlying assumption of Brekka that just because an employee has permission to use the company computers, he can never access the company computers “without authorization.” The defendant, an IT employee, likely had permission to access Campbell-Ewald’s computers as part of his duties.

The court’s statement about the defendant accessing the computer without authorization is only dicta, and the defendant’s conviction was based on the additional proof that after he had been discharged “[t]he FBI determined that Batti had accessed Campbell-Ewald’s confidential files no fewer than twenty-one times . . . , twice through a Campbell-Ewald server and nineteen times through the email account of another Campbell-Ewald employee.” Id. Thus, this proof would comport with Brekka’s holding that once employment had been terminated, the employee would no longer have permission to access the company computers, thereby making his access “without authorization.” Brekka, 581 F.3d at 1136.

Moreover, from the facts recited in the opinion, it is unclear whether the defendant obtained information from the company computers during or after his employment. An additional element of the CFAA violation upon which he was convicted is the obtaining of information from the company computers that he had accessed without authorization. See, 18 U.S. C. § 1030(a)(2)(C) (one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information” commits a crime). There is also no way to know precisely whether the 6th Circuit will join other Circuit Courts in rejecting Brekka, but the direction taken in this case would seem to suggest it will.