In Lube-Tech Liquid Recycling, Inc. v. Lee’s Oil Serv., LLC, Civ. No. 11-2226 (DSD/LIB) (D. Minn. June 3, 2013) (unpublished), the U.S. District Court for the District of Minnesota held that the federal Computer Fraud and Abuse Act (the “CFAA”) does not apply to employees who use authorized access to misappropriate employer information. The scope of the CFAA is a hotly debated issue, and the federal circuit courts are divided as to how broad or narrow the statute should be read. As discussed previously by this firm in Court Narrowly Construes Federal Computer Fraud and Abuse Act, the Eighth Circuit Court of Appeals has yet to decide the breadth of the CFAA. That may change, however, as more and more federal district courts face the issue and cases are appealed.
The Facts of Lube-Tech
Plaintiff Lube-Tech is an oil recovery business for which defendant Jessica Randt (“Randt”) performed day-to-day operations from 2005 until 2011. In order to perform her duties, Lube-Tech granted Randt access to its customer list and pricing index. In July of 2011, Randt left Lube-Tech to work for defendant, Lee’s Oil Service, LLC (“Lee’s”), a company started by Randt’s father-in-law. Lee’s performs essentially the same services as, and is in direct competition with, Lube-Tech. Before leaving Lube-Tech for Lee’s, Randt allegedly downloaded Lube-Tech’s customer list and pricing index to take with her to Lee’s. Lube-Tech sued Randt, Lee’s, and other employees and executives of Lee’s claiming that Randt violated the CFAA.
The CFAA Did Not Protect Lube-Tech
The CFAA makes it illegal for a person to intentionally access a computer and obtain information when that person is not authorized to do so, or does so in a way that exceeds the person’s authorized access. 18 U.S.C. § 1030(a)(2)(C). Although the CFAA is primarily applicable in the criminal context, it also provides for civil remedies for violations. See 18 U.S.C. § 1030(g). Lube-Tech argued that when Randt downloaded its customer list and pricing index, she violated the CFAA by exceeding her authorized access. The court disagreed, finding that Lube-Tech had granted Randt access to the customer list and pricing index in the ordinary course of her daily job duties. Further, the court reasoned that Lube-Tech could not demonstrate that it had security measures or computer-use policies in place to protect its customer list and pricing index. Thus, the court held that Randt’s misappropriation of Lube-Tech’s information did not constitute a violation of the CFAA.
The Lube-Tech Decision Follows Recent Minnesota Court Decisions
The Lube-Tech decision relies on and follows the prior reasoning of the U.S. District Court for the District of Minnesota in Walsh Bishop Assocs., Inc. v. O’Brien, Civ. No. 11-2673, 2012 U.S. Dist. LEXIS 25219, *3 (D. Minn. Feb. 28, 2012) (unpublished) (holding that the relevant inquiry was “whether defendants accessed information that they were forbidden to access”) (discussed in detailed in Court Narrowly Construes Federal Computer Fraud and Abuse Act). Additionally, the court has since extended the Walsh Bishop holding in Sebrite Agency, Inc. v. Platt, 884 F.Supp.2d 912, 917-18 (D. Minn. 2012) (“The Court continues to believe that the narrower interpretation of the CFAA is more consistent with statutory text, legislative history, and the rule of lenity.”).
Federal Courts Conflicted as to Breadth of Interpreting CFAA
The federal courts have disagreed about whether the CFAA is violated when a person who has authority to access a protected computer misuses the information that he or she obtains. Compare, e.g., United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc) (“[W]e hold that the phrase `exceeds authorized access’ in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.”) and Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 385 (S.D.N.Y. 2010) (“The CFAA expressly prohibits improper `access’ of computer information. It does not prohibit misuse or misappropriation.”) with Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 419-21 (7th Cir. 2006) (explaining that an employee acts “without authorization” when he accesses a computer with the intent to destroy company information because his breach of his duty of loyalty terminates his authority to access the computer) and United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (“Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.”).
The Eighth Circuit Court of Appeals, however, has not yet directly addressed how broadly to interpret the CFAA, although district courts within the Eighth Circuit have used different breadths to interpret it. Compare, e.g., Lube-Tech Liquid Recycling, Inc., Civ. No. 11-2226 at 5-6 citing Walsh Bishop Assocs., Inc. v. O’Brien, Civ. No. 11-2673 at 4 (“The Eighth Circuit has not determined whether the CFAA imposes civil liability on employees who access information with permission but with an improper purpose.”); and Sebrite Agency, Inc., 884 F.Supp.2d at 917-918 (“[T]he federal courts have disagreed about whether the CFAA is violated when a person who has authority to ‘access a protected computer’ misuses the information that he or she obtains . . . The Eighth Circuit still has not directly addressed this question.”) with NCMIC Fin. Corp. v. Artino, 638 F.Supp.2d 1042, 1056 (S.D. Iowa 2009) (“The Court concludes that the broad view can best distinguish between the CFAA’s statutory language ‘exceeds authorized access’ and ‘unauthorized access’”) and Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing, & Consulting, LLC, No. 4:08CV01683 2009 WL 3523986 (E.D. Mo. Oct. 29, 2009) (finding former employees “acted without authorization when they obtained [employer]’s Information for their personal use and in contravention of their fiduciary duty to their employer.”).
Conclusion and Recommendations
The Lube-Tech holding reinforces recent holdings by the Minnesota federal district court that an employee who uses authorized access to misappropriate employer information is not subject to liability under the CFAA. Because the Eighth Circuit might ultimately reject this narrow interpretation, however, there are certain steps that employers can take to increase the likelihood of establishing a claim under the CFAA or other related theories (e.g., breach of contract, breach of the employee’s duty of loyalty, or violation of the Minnesota Uniform Trade Secrets Act):
(1) Employers should clearly state that employees may access the employer’s computer system only to perform the employee’s job duties and only for the benefit of the employer. This should be prominent in the employee handbook and any employment agreement where an employee might have authorization to access confidential information. While the Lube-Tech court did not address such a provision in the defendant’s contract or its application to the CFAA, such provisions would likely protect the employer under a state law breach of contract claim.
(2) In addition to drafting clear computer use and access policies and agreements, employers should remind employees of these policies through regular training, re-distribution of such policies, and by displaying a log-in prompt that warns the employee to use the computer only for company-authorized business.
(3) Employers should grant access to computer systems and the confidential information contained on those systems on an “as-needed basis.” This can be accomplished by saving highly sensitive data in different domains or user groups and password-protecting certain information. Limiting employee access to specific computer programs and information on an as-needed basis provides more protection than if the employer grants employees unfettered access to entire computer networks. Additionally, as discussed in Lube-Tech, such safeguards can demonstrate that an employee’s misappropriation of information was done through unauthorized access.
For advice on employee computer use and access policies, employment contracts, or the Computer Fraud and Abuse Act, contact the Minnesota employment law attorneys of Trepanier MacGillis Battina P.A.
About the Author:
Minnesota employment attorney Kelly M. Dougherty advises clients in matters involving misappropriation of trade secrets, misuse of computer information, theft of customer lists, and breach of fiduciary duties. Kelly may be reached at 612.455.0504 or firstname.lastname@example.org. Trepanier MacGillis Battina P.A. is a Minnesota employment law firm located in Minneapolis, Minnesota.