We have been watching closely the development of a Circuit split over whether Computer Fraud and Abuse Act (CFAA) – 18 U.S.C. § 1030 — claims can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer’s computer “without authorization” and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.
The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but which they were still Lasco employees, the defendants allegedly “accessed, printed, copied and/or downloaded” a substantial amount of data from their laptops, as well as Lasco’s network. Among this data allegedly was customer contact information stored in Shaw’s Outlook “Contacts” file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco — thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).
Several state law remedies address what we will call the “absconding executive” situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.
CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a “protected computer” and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today’s internet age, it includes just about every computer in the country.) However, each of these three provisions require that the defendant have accessed the computer “without authorization.” Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee’s access to a computer is “without authorization.” The majority position, which was recently adopted by the 9th Circuit, is that “without authorization” only refers to persons who do not have permission to access the company’s computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.
We have been watching closely the development of a Circuit split over whether Computer Fraud and Abuse Act (CFAA) – 18 U.S.C. § 1030 — claims can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer’s computer “without authorization” and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.
The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but which they were still Lasco employees, the defendants allegedly “accessed, printed, copied and/or downloaded” a substantial amount of data from their laptops, as well as Lasco’s network. Among this data allegedly was customer contact information stored in Shaw’s Outlook “Contacts” file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco — thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).
Several state law remedies address what we will call the “absconding executive” situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.
CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a “protected computer” and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today’s internet age, it includes just about every computer in the country.) However, each of these three provisions require that the defendant have accessed the computer “without authorization.” Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee’s access to a computer is “without authorization.” The majority position, which was recently adopted by the 9th Circuit, is that “without authorization” only refers to persons who do not have permission to access the company’s computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.
