On September 26, 2013, the court in Givaudan Fragrances Corp. v. Krivda issued an order dismissing Givaudan's claim that one of its former employees, James Krivda, violated the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This dismissal, granted by Judge Peter Sheridan of the District Court of New Jersey, provides yet another example of a court distinguishing between “unauthorized use of information” and the “unauthorized access to information” when interpreting the CFAA.
According to the court order (and this 2009 opinion, which provides a much more detailed factual summary), Krivda was a perfumer at Givaudan Fragrances, “a manufacturer of fragrances for consumer products and the fine fragrance industry.” In April of 2008, Krivda resigned from Givaudan to take a position with a Givaudan competitor, MANE International. Givaudan alleged that, prior to his departure, Krivda printed over 500 confidential fragrance formulas from Givaudan’s management database. Displeased with Krivda’s explanation as to why he printed the formulas just days prior to his departure from the company, Givaudan filed a complaint against Krivda.
Specifically, Givaudan’s complaint alleged, amoung other claims, that Krivda violated § 1030(a)(4) of the CFAA, which holds liable a person who
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year periodKrivda moved for partial summary judgment to dismiss the CFAA claim. Krivda argued that, as a perfumer for Givaudan, he was provided access to the formula management database and therefore did not "access a protected computer without authorization" or "exceed authorized access." Givaudan argued that, while Krivda had access to the database, he was not authorized to "review and print" formulas maintained on their database.
In granted Krivda’s motion, the court stated that “the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information." “The inquiry” the court stated, “depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized.” The court concluded that Krivda’s authorization to access the database ended its CFAA inquiry.
Here, Krivda was authorized to access that information, namely, Givaudan's computerized formula management database system, a fact Givaudan does not dispute. . . . [T]he term "exceeds authorized access," refers to one who had access to part of a system and then accessed other parts of the computer system to which he had no permissible access. Here Krivda had permissible access to the formula management database system. Givaudan's proposition that Krivda could not "review and print" does not fall within the definition of exceeds authorized access. In applying the summary judgment standard and utilizing Givaudan's version of the facts, it is clear that Krivda had access to the computerized formula management system, and Krivda entered areas to which he had access. Summary judgment is granted . . . .The “use” vs “access” distinction has been a common discussion among courts faced with interpreting the CFAA, particularly in the employee context. A few months back, I wrote a post discussing a Southern District of New York case, JBCHoldings v. Pakter, in which the court determined that the plain meaning of “without authorization” and “exceeds authorized access” “plainly speaks to permitted access, not permitted use.” However, I also discussed how some circuits have adopted a broader interpretation of the CFAA, in which the misuse of information by an employee would satisfy the statute's terminology. In the criminal context, I touched on this issue a bit when discussing Untied States v. Vargas, where a NYPD officer was charged under the CFAA for, among other claims, conducting improper searches on the precincts’ NCIC system to gain information on fellow NYPD officers.
0 comments:
Post a Comment