Last week two federal district courts, one in Connecticut and the other in Manhattan, followed LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) in dismissing Computer Fraud and Abuse Act (“CFAA”) claims brought against employees who stole company data. In neither case did the plaintiff company employer rely on company computer policies or agreements limiting or defining the scope of an employee’s access to the company computers.
In University Sports Publications Co. v. Playmakers Media Co., 2010 WL 2802322 (S.D.N.Y. July 14, 2010) University Sports Publications (“USP”) alleged that both a current employee and a former employee stole confidential and proprietary data from its database containing “customer leads and historical sales data,” and that the data was stolen for the benefit of a competitor, Playmakers Media. The court relied upon Brekka to find that the current employee could not have violated the CFAA because he “was entitled to access all information on the database,” and there was no “evidence that . . . [the employee’s] authority to copy, download or otherwise gather information from the database was limited.” Id. at *5. As to the former employee, the court found that there was a genuine issue of fact as to whether that employee personally accessed the database after he left USP’s employ as opposed to receiving the stolen data from USP’s current employee.
The second case is Westbrook Technologies, Inc. v. Wesler, 2010 WL 2826280 (D. Conn. July 15, 2010). Brent Wesler was employed by Westbrook Technologies, Inc. (“WTI”) “as its Vice President of Promotional Services. In that capacity he had “full and unique access to WTI’s software source codes and software proprietary to WTI and also had access to other confidential and proprietary customer lists, customer information and marketing plans and other information and material.” Id. at *2.
After Wesler left WTI to join a competitor, “WTI discovered that, while still employed at WTI, Wesler forwarded electronic communications to IBS [his new employer] containing sets of programming code developed and owned by WTI.” Id. The court relied upon Brekka for the proposition “that the CFAA’s prohibition of improper “access” does not encompass an employee’s misuse or misappropriation of information that the employee lawfully accessed.” Id. at *3.
The lesson for companies from both cases is to institute proper computer policies to limit the scope of their employee’s access to the company computers.