Executive Summary: The Fourth Circuit is the
latest court to weigh in on the growing circuit split concerning
the Computer Fraud and Abuse Act ("CFAA") and its
applicability to employee data theft cases. Like the Fifth,
Ninth, and Eleventh Circuits, the Fourth Circuit rejected a broad
interpretation of the CFAA that would impose liability on employees
who violate a computer usage policy. Instead, it limits CFAA
liability to individuals such as computer hackers who obtain data
without any authorization.
Current Circuit Split On Scope Of CFAA:
The CFAA imposes civil and criminal liability on any person who
"knowingly and with intent to defraud accesses a protected
computer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtains
anything of value."
The Seventh Circuit interprets the CFAA to apply to employee
data theft cases because such conduct is a violation of the
employee's duty of loyalty to the employer. Because the
employee breached his duty of loyalty, his agency relationship with
the employer is terminated at that time, causing the employee to
lose any authority to access the employer's computer
The Fifth, Ninth, Eleventh (and now Fourth) Circuits
take a much narrower view of the CFAA and hold that the terms
"without authorization" and "exceeds authorized
access" apply only to outside individuals who access computers
without permission. These opinions appear to be rooted in a
concern for employees who innocently violate an employer's
computer usage policy by engaging in harmless behavior such as
checking Facebook and the potential criminal consequences imposed
by the CFAA.
Fourth Circuit Expressly Rejects Seventh Circuit's
"Cessation of Agency" Theory: Former employee
Mike Miller resigned from his position as Project Director for WEC
Carolina Energy Solutions, Inc. ("WEC"). Just
twenty days later, he made a presentation to a potential WEC
customer on behalf of a competitor, Arc Energy Services, Inc.
("Arc"), and the customer awarded the business to
WEC sued Miller, Miller's assistant Emily Kelley, and Arc
alleging that they violated the CFAA when Miller downloaded
WEC's proprietary information and used that information in
Arc's presentation to WEC's potential customer. WEC
also alleged nine state causes of action including conversion,
tortious interference with contractual relations, civil conspiracy,
and misappropriation of trade secrets. The district court
dismissed WEC's CFAA claim, holding that the CFAA provides no
relief for WEC's claims.
The Fourth Circuit affirmed the district court's
decision. In doing so, it strongly rejected the
"cessation of agency" theory advanced by the Seventh
Circuit because of the far-reaching effects unintended by Congress
and the imposition of criminal penalties. It noted that WEC
was not without any recourse because it could pursue the other
legal remedies alleged in the complaint.
Employer's Bottom Line: There appears
to be a growing rejection of the applicability of the CFAA to
employee data theft cases. If you discover that you are a
victim of employee data theft, a misappropriation of trade secrets
claim (and other related claims) may be the best avenue to seek
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.