"When I use a word,' Humpty Dumpty said in rather a scornful tone, 'it means just what I choose it to mean — neither more nor less."What does authorized access mean? If an employee with authorized access to a computer system goes into that system, downloads company secrets, and hands that information over to the company's competitor, did that alleged misappropriation of company information constitute unauthorized access?
"The question is," said Alice, "whether you can make words mean so many different things."
"The question is," said Humpty Dumpty, "which is to be master— that's all."
- Lewis Carroll, Through the Looking Glass
This is no small question. If the access is unauthorized, the employee potentially violated the Computer Fraud and Abuse Act (CFAA). But courts get uncomfortable here. They are uncomfortable when contractual disputes morph into criminal violations. If, for example, a site's Terms of Service says that I must use my real name, and I use a pseudonym, is my access unauthorized? We have seen over-zealous prosecutors attempt to transform a TOS into something that can get you thrown on The Rock. Courts don't like it.
But not all the court's agree; there is a split between the Circuit Courts that believe such actions by an employee constitute a criminal violation of the CFAA - and those courts that believe that the matter is best handled as a breach of contract between employer and employee.
Today's court decision comes from the District Court in New Jersey (which is in the 3rd Circuit): GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey Sept. 26, 2013. The facts of this case are as might be expected:
In early May, 2008, Krivda resigned his employment with Plaintiff, Givaudan Fragrances ("Givaudan") where he was a perfumer. Prior to his last day on the job, Krivda allegedly downloaded and copied a number of formulas for fragrances. The parties acknowledge the formulas as trade secrets. Soon thereafter, Krivda commenced employment as a perfumer with Mane USA (Mane), a Givaudan competitor. Givaudan alleges that Krivda gave the formulas to Mane — an act of misappropriation.Plaintiff Givaudan sued. Before the court is Defendant Krivda's Motion to Dismiss the CFAA cause of action. Defendant argued that since his alleged access of Plaintiff's computers while employed was authorized, it could not constitute unauthorized access pursuant to the CFAA.
The New Jersey District Court looks to the 9th Circuit (the West Coast) as one of the lead Circuits that has considered this issue.
Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information. The Ninth Circuit has explained that "a person who `intentionally accesses a computer without authorization' . . . accesses a computer without any permission at all, while a person who `exceeds authorized access' . . . has permission to access the computer, but accesses information on the computer that the person is not entitled to access." The inquiry depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized. While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.(Citations and other stuff omitted).
In the case at hand, the defendant employee had, at the time, authorization to access plaintiff's computers and to the specific information at issue. The phrase in the CFAA about someone exceeding their authorization doesn't help plaintiff either; this refers to the situation where someone has authority to access one system, and then accesses another system beyond the one they are authorized to access. That aint here. Plaintiff argues, "Well, defendant didn't have our authority to review and print the information." To which the court responds, "oh come on!"
Defendant's Motion to Dismiss Plaintiff's CFAA claim was granted. Defendant may have other trouble with Plaintiff, but violating the federal Computer Fraud and Abuse Act aint one of them.