Last month, a federal district court in Pennsylvania held that an employee cannot be held liable under the Computer Fraud and Abuse Act (CFAA) for misusing information because she was authorized to access it in the first place. FN1 A description of the CFAA, the Teva Pharmaceuticals case, and practical takeaways follows.
The CFAA imposes civil liability on anyone who knowingly “accesses a protected computer without authorization, or exceeds authorized access” of a protected computer.FN2 To state a CFAA claim, a plaintiff must show that the defendant: (1) accessed a “protected computer;” (2) without authorization or exceeded authorized access; (3) knowingly and with an intent to defraud; (4) obtained something of value; and (5) caused damage or loss to the plaintiff in excess of $5,000 in a one year period.FN 3
Federal courts are split as to how to apply the definition of “exceeds authorized access” when it is an employee who properly accessed and improperly used the information. The Fourth and the Ninth Circuits construe the statute narrowly,FN4 holding that the statute prohibits unauthorized access but does not extend to the misuse of the information accessed. The First, Fifth, Seventh, and Eleventh Circuits interpret the statute broadly, holding that the statute prohibits unauthorized access and misuse of information obtained from a computer.FN5
The Tenth Circuit, which covers Colorado, has not decided the issue; however, in 2016, a federal district court in Colorado held that an employee’s misuse of computer information does not violate the CFAA if the employee had authority to access the informationFN6
Teva Pharmaceuticals v. Barinder Sandhu, et al.
In Teva, the plaintiff company alleged that its former employee passed the company’s trade secrets to her romantic partner, who was the CEO of a competitor. Teva fired the employee and sued her, the recipient of the trade secrets, and his employer, alleging computer fraud under the CFAA, misappropriation of trade secrets under federal and state law, and state law tort claims.
The defendants moved to dismiss the complaint. The court followed the narrow view of the CFAA adopted by the Fourth and Ninth Circuits and held that, although Teva sufficiently pled the trade secrets and tort claims, it failed to plead that Sandhu’s accessing its computer system was without authorization or exceeded her authorization as required under the Court’s interpretation of the CFAA. Subsequently, Teva’s CFAA claim was dismissed.
Companies should use this outcome to consider which employees should have access to confidential information and assess whether protections are adequate to prevent misuse of a company’s information. The best way to preserve claims under the CFAA is to limit authorized access to documents to only those employees that have a need to use those documents.
FN1 – Teva Pharmaceuticals v. Barinder Sandhu, Jeremy Deai, Apotex Inc. and Apotex Corp., CV No. 17-3031 (E.D. Pa, January 30, 2018)
FN2 - 18 U.S.C. § 1030(a)(4)
FN3 - Synthes, Inc. v. Emerge Med., Inc., Civ. A. No. 11-1566, 2012 WL 4205476, at *15 (E.D. Pa. Sept. 19, 2012) (quoting 18 U.S.C. § 1030(a)(4)); see also P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005).
FN4 - See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009).
FN5 - See United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); United States v. John, 597 F.3d 263, 271–72 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581–83 (1st Cir. 2001).
FN6 – Cloudpath Networks, Inc. v. SecureW2 B.V., 157 F. Supp. 3d 961, 987 (D. Colo. 2016) (the “exceeds authorized access” language in the CFAA does not impose criminal liability on individuals who are authorized to access company data but do so for disloyal purposes; it applies only to individuals who are allowed to access a company computer and use that access to obtain data they are not allowed to see for any purpose”).