Court Narrowly Construes Federal Computer Fraud and Abuse Act

A recent case decided by Judge David Doty highlights important pitfalls for companies to avoid in authorizing employee access to confidential and proprietary information. In a case pending before the U.S. District Court for the District of Minnesota, Judge Doty dismissed federal claims under the Computer Fraud and Abuse Act (“CFAA”), the Electronic Communications Privacy Act (“ECPA”), and the Lanham Act (“Lanham Act”) against corporate officers and employees of an architectural firm who allegedly misused and misappropriated confidential and proprietary information to form a competing company. Judge Doty held that even if the employees misappropriated information, the employees’ access to the information was authorized and there was no liability under the CFAA or ECPA. Judge Doty also noted that the purpose of the CFAA and ECPA is not to provide a federal cause of action in employment disputes traditionally governed by state law, such as state-law breach of contract, fiduciary duty, trade secret or other business-tort claims.

Factual Background
In Walsh Bishop Associates, Inc. v. O’Brien, 2012 U.S. Dist. LEXIS 25219 (D. Minn. 2012), defendants Keith O’Brien, Ian Scott, and David Serrano (collectively “Defendants”) were each employed at Walsh Bishop Associates, Inc. (“Walsh Bishop” or “Company”), an architectural firm in Minneapolis. Defendants were all officers of the Company and held themselves out as vice presidents and principals of the Company. The Company gave each of the Defendants access to the highest level of confidential and proprietary information of the Company.

In June 2011, while Defendants were employed at the Company, they incorporated WBA Partners, Inc. (“WBA Partners”). Defendants used the WBA Partners name on the fee schedule of a $7 million proposal from Walsh Bishop, which they submitted to a Walsh Bishop client. In August 2011, Defendants sent a Company customer list and architectural drawings to personal e-mail accounts. Defendants also met with competitors and discussed leaving the Company and bringing clients with them. Walsh Bishop later terminated Defendants.

The Company sued Defendants under federal and state law claims and sought injunctive relief. Defendants moved to dismiss the federal claims under the CFAA, ECPA, and Lanham Act for failure to state a claim. Judge Doty granted Defendants’ motion to dismiss these federal claims for the reasons outlined below, but allowed Walsh Bishop to pursue its remaining state law claims in state court.

The District Court’s decision in Walsh Bishop provides important lessons for employers seeking to protect their confidential and proprietary information under federal law.

CFAA – Computer Fraud and Abuse Act
The CFAA subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer” to imprisonment and a fine. 18 U.S.C. §§ 1030(a)(2)(C), (c) (emphasis added). Congress defined “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6).

The question of whether CFAA imposes civil liability on employees who access information with permission but with an improper purpose has not been decided by the Eighth Circuit. Some other circuits have broadly interpret the CFAA. For example, the Ninth Circuit found that employees who use information contrary to an employer’s policies or against an employer’s interests actually exceeds authorized access. See, e.g., United States v. Nosal, 642 F.3d 781, 788 (9th Cir. 2011), reh’g en banc granted, 661 F.3d 1180, 2011 WL 5109831 (9th Cir. 2011). In the U.S. District Court for the District of Minnesota, however, two of Judge Doty’s colleagues have narrowly construed the language of the CFAA by focusing on the scope of access rather than misuse or misappropriation of information. See, e.g., Xcedex, Inc. v. VMware, Inc., Civ. No. 10-3589, 2011 U.S. Dist. LEXIS 70302, at *15 (D. Minn. 2011), adopted by 2011 U.S. Dist. LEXIS 70451 (D. Minn. June 30, 2011) (J. Schiltz); Condux Int’l, Inc. v. Haugum, Civ. No. 08-4824, 2008 U.S. Dist. LEXIS 100949, at *11 (D. Minn. 2008) (J. Montgomery).

Walsh Bishop argued that Defendants exceeded their authorized access by accessing information in order to use it in a manner contrary to the Company’s interests and use policies. Judge Doty joined Judge Schiltz and Judge Montgomery by narrowly construing the language of the CFAA, and rejected Walsh Bishop’s argument. Based on the plain meaning of the statute, Judge Doty held that a violation of the CFAA is determined by the scope of access given to an individual rather than the individual’s misuse or misappropriation of information. Judge Doty noted that no language or history concerning the CFAA suggests that the purpose of the CFAA is to provide a federal cause of action in employment disputes traditionally governed by state law, such as state-law breach of contract, fiduciary duty, trade secret or other business-tort claims.

The Company also argued that its computer-use policy restricted the types of uses of the information that Defendants had access to, and their acts were therefore unlawful. The computer-use policy, however, was not attached to the pleadings of the case and the Company sought to introduce it to contradict the Complaint. Therefore, the District Court did not consider the computer-use policy, and noted that the claim would fail even if the policy were considered because of the court’s determination that the CFAA applies to authorized access rather than uses of information.

ECPA – Wiretapping Act
The ECPA applies to facilities in “which an electronic communication service is provided” and makes it unlawful to “intentionally access without authorization” or “intentionally exceed[ ] an authorization to access” and thereby “obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system . . . .” 18 U.S.C. § 2701(a).

As a preliminary matter, the District Court held that the claim failed because Walsh Bishop did not fall under the definition of the ECPA as a provider of “electronic communication service.” The court also reiterated that, similar to its analysis under the CFAA, defendants did not act without authorization or in excess of authorization for purposes of the ECPA. The District Court noted that the purpose of the ECPA is not to provide a federal cause of action in employment disputes traditionally governed by state law; rather it is to update existing federal wiretapping law following the advent of cell phones and e-mail.

Lanham Act – Trademark Infringement
The Lanham Act offers trademark infringement protection where a plaintiff pleads facts that show a reasonable inference that it possesses a valid, protectable mark and that use of a similar mark by a defendant is likely to create confusion as to the origin of the service. See 15 U.S.C. § 1125(a)(1). The Company argued that Defendants’ use of the mark “WBA” is an acronym for Walsh Bishops Associates and that Defendants infringed the Company’s trademark rights by using the acronym. Defendants argued that the mark “WBA” is an acronym used by many other entities and that it is a generic mark and not entitled to trademark protection.

The District Court held that “WBA” is not a generic mark because it is not the common name for an article or service. It further held that “WBA” and the underlying terms for which it stands, here “Walsh Bishop Associates,” are descriptive marks and only entitled to trademark protection if they have acquired secondary meaning. See Everest Capital Ltd. v. Everest Funds Mgmt., L.L.C., 393 F.3d 755, 761 (8th Cir. 2005). The Company did not plead sufficient facts to infer secondary meaning, and as a result the District Court dismissed the trademark infringement claim.

Lessons For Employers
The court’s decision in Walsh Bishop reveals pitfalls that companies should avoid when authorizing employee access to confidential and proprietary information and drafting employment policies.

First, employers should be conservative in how much access they give employees to confidential and proprietary information. Under the facts of Walsh Bishop, the Defendants were given access to the highest level of confidential and proprietary information of the Company. By granting such unlimited access to these employees, the employer essentially foreclosed potential future claims for violation of the CFAA, which carries the risk of imprisonment or civil fines.

Second, if a high level of access to sensitive information is necessary, employers should adopt strong policies that clearly describe the scope of the employee’s access rights and the permitted uses of the employer’s confidential information.

Third, employers should utilize non-compete, non-disclosure, and non-solicitation agreements to provide additional protection under contract law in the event that other claims fail, such as occurred in this case.

Fourth, companies should be vigilant of their trademark rights and enforcement. Here, Walsh Bishop did not register its mark with the U.S. Patent and Trademark Office. The Company also did not present evidence of acquired secondary meaning. Establishing secondary meaning – showing that the mark had become so associated in the public mind with goods or services that the mark serves to identify the source and to distinguish them from those of others – prior to any litigation can greatly increase the strength of a trademark infringement claim. Had the Company registered its mark to obtain not only stronger protection but also a legal presumption of ownership of the mark, and had the Company made efforts to establish secondary meaning ahead of time, its trademark infringement claim might not have been dismissed.

Conclusion
The District Court’s dismissal of Walsh Bishop’s federal law claims may seem harsh where employees allegedly misused confidential information, but it reveals the difficulties and nuances that employers face in navigating trade secrets, unfair competition, and similar business-tort claims. If your company is seeking legal representation in a dispute involving confidential or proprietary information, contact any of the Trepanier MacGillis Battina P.A. employment attorneys.
_____________________
About the Author:
Trepanier MacGillis Battina P.A. is a Minnesota trade secret law firm located in Minneapolis, Minnesota. Their trade secret law attorneys can be reached at 612.455.0500.