Monday, March 4, 2013

CFAA read narrowly by another court; misuse by employee is not "unauthorized access"

In Advanced Aerofoil Techs., AG v. Todaro, No. 11 Civ 9505 (S.D.N.Y. Jan. 30, 2013), a federal district court held that employee misuse of access granted by an employer cannot sustain a cause of action under the Computer Fraud and Abuse Act (CFAA) for "unauthorized access." The court essentially withdrew terms of service violations from the ambit of the CFAA, as some other federal courts have done. The decision was based on a survey of recent holdings, as well as an appeal to the legislative intent of the CFAA.

(The Complaint and Memo/Order are embedded, below, for reference.)

The case is a typical IP/trade-secret theft case, in which former employees are sued for misappropriating such information after switching to a competitor (or startup). Advanced Aerofoil Techs (AAT) alleged that the defendants "developed and began to execute a scheme whereby they would form a venture to compete with Plaintiffs, [by] using Plaintiffs' technology and resources [and] ... misappropriating Plaintiffs' proprietary technology." The complaint alleges violations of the CFAA and New York Trade Secret Act, civil conspiracy, conversion, tortious interference with contract, tortious interference with prospective economic damage, and breach of fiduciary duty. The defendants filed a motion to dismiss on multiple Rule 12 grounds, including failure to state a claim.

The actions related to the CFAA claim, as described by the court, are:

Plaintiffs argue Defendants violated the CFAA when: (1) Todaro, Chalder, and Tarby continued to access AAT's computers to obtain information for Flowcastings after they secretly resigned through Todaro's letter to his co-conspirator, Byrd, on March 8, 2011; (2) Byrd directed moles still at AAT after his departure to pilfer AAT's data; (3) Todaro wrongfully deleted emails from his account and the AAT email server; and (4) Leonhardt used an erasure program to wipe the contents of his AAT laptop.

I highlighted the above portion because it is the most important fact: the alleged actions occurred after the defendants had "secretly resigned," but more importantly they "continued to access" AAT resources after such resignation; implicit within the statement is that at some point in time, defendants had been granted access to the systems by AAT (for work use).

The court focuses on "unauthorized access" because there was no evidence that the defendants were given limited access to files; stated another way, the defendants had the highest level of access available, so it is not possible to "exceed" full access.

Addressing the unauthorized access analysis, the court stated that:
Nowhere in the Complaint ... do Plaintiffs claim AAT expressly revoked Defendants' permission to use its computers, files, and systems. Rather, Plaintiffs invite the Court to find Defendants' use of AAT's computers after their secret resignations constituted unauthorized access because, in reality, they were no longer employees, even though AAT did not know about the resignations and had not terminated their access to its systems. Plaintiffs also argue that through Konrad's misappropriation of AAT's confidential information, he accessed AAT files without authorization because AAT clearly would not have allowed him to retrieve its confidential information for the purposes for which he ultimately used it.

At this juncture, the flaw in the case (and often in the application of the CFAA in similar factual scenarios) is clear: AAT is attempting to use the CFAA to bail itself out of its own mistake of not cutting off access. There isn't any convincing way to argue otherwise. The question then becomes: was the CFAA intended to criminalize violations of company policy?

The court attempts to answer the question just posed by surveying how courts have handled similar scenarios (quoting Major, Lindsey & Africa, LLC v. Mahn, No. 10 Civ. 4239 (CM), 2010 U.S. Dist. LEXIS 94033, 2010 WL 3959609, at *5 (S.D.N.Y. Sept. 7, 2010)):
The First and Seventh Circuits . . . have concluded that the CFAA applies . . . because an employee's "authorization" to access her employer's protected computer and the information contained therein is effectively terminated once the employee acquires interests adverse to her employer or is "otherwise guilty of a serious breach of loyalty to the principal." Int'l Airport Ctrs. v. Citrin, 440 F.3d 418, 421 (7th Cir.2006) . . . Put simply, these courts take the position that a faithless employee — someone who accesses a computer for the purpose of stealing information with the intention of using it for her own purposes rather than the employer's — accessed the computer without authorization or exceeded authorized access.

The flip-side, according to the court: "There are several cases from our district and the Eastern District of New York, however, rejecting this broad interpretation of the CFAA. See United States v. Aleynikov, 737 F. Supp. 2d 173, 192 (S.D.N.Y. 2010) (finding there was no violation of the CFAA when the Defendant, who had authorization to access the system, misappropriated the information)."

The court finds Aleynikov persuasive, focusing on the language from United States v. Morris, quoted in Aleynikov, and on the ordinary meaning of "authorization," to find that "a person who 'accesses a computer without authorization' does so without any permission . . . ." Aleynikov, 737 F. Supp. 2d at 191.

In summary, the court stated:
This Court declines the opportunity to expand the CFAA to include situations where an employee takes confidential information, using authorization given to him and controlled by his employer, for the reasons set forth in Aleynikov and the cases following a narrow interpretation of the statute. See id. ("Put simply, this other line of cases [interpreting the CFAA broadly] identifies no statutory language that supports interpreting the CFAA to reach mere misuse or misappropriation of information, let alone language strong enough to justify that interpretation where the rule of lenity counsels a narrow reading."). In this case, because there is no allegation that AAT revoked Defendants' unlimited access to its system, Plaintiffs cannot state a cognizable claim under the CFAA.

(emphasis added). The court also dismissed the argument that the deletion of emails from an account and the use of an erasure program were violations of the CFAA, relying on the same logic from above. Namely, "there are no allegations that Todaro and Leonhardt deleted data or emails from their computers after AAT terminated their authorization to use its systems and equipment." Thus, even if the actions taken by the employee were to erase files, emails, etc., they still do not rise to "unauthorized access" because the employee was given such access to begin with (and it was not revoked).

I reiterate my point above that AAT is attempting to use the CFAA to bail out their failure to secure their own systems. I think the court gets it right. The CFAA was created to address hacking, and more specifically, breaking into systems to which you had no access (or right to access), or breaking out of some sort of limited access for nefarious purposes. Neither of the situations just mentioned occurred here.
