The federal Computer Fraud and Abuse Act ("CFAA") creates a civil remedy against those who access information on a computer without authorization, or in a manner that exceeds authorized access. The Ninth Circuit last week gave a narrow reading to CFAA, limiting its use as a tool to punish disloyal employees.
In LVRC Holdings, LLC v. Brekka, defendant was a former employee of plaintiff who, during his employment, emailed company documents to his personal account. After defendant left his employment with plaintiff, plaintiff discovered that defendant had retained the documents and used them in connection with a competing business. Plaintiff claimed a violation of CFAA along with various state law tort claims.
The Ninth Circuit affirmed the District Court's summary judgment for defendant, and dismissed the CFAA claim. The court held that, because defendant was authorized to access the documents on plaintiff's computer system during his employment, and nothing in company policy prohibited emailing documents to employees' personal accounts, plaintiff could not claim that his access was "without authorization" under CFAA.
While an employer's ability to rely on CFAA is constrained by the result in Brekka, a rogue employee may still be subject to a trade secret claim under state law.