When employees leave their employment and take with them their former employer’s confidential information, the ensuing litigation often contains a claim against the former employee for violations of the Computer Fraud and Abuse Act (the “CFAA”). This was so in the recent decision by the Court of Chancery in the case AlixPartners, LLP, et al. v. Benichou, C.A. No. 2018-0600-KSJM (May 10, 2019). In a matter of first impression for the state courts of Delaware, the Court of Chancery was asked to interpret and apply the CFAA’s provision creating liability for any person who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains . . . information form any protected computer.”
In this case, the complaint alleges that the former employee downloaded company confidential information to a personal hard drive on two occasions–once before his resignation and a second time after he was given a notice of his dismissal and was no longer performing work for the employer. At issue were the terms “without authorization” and “exceeds authorized access” of the CFAA, and how they might apply to this factual scenario.
In ruling, the Court of Chancery discussed in detail the split in authority on the application of those terms into a “broad” approach and a “narrow” approach. Under the more broad interpretation, courts have found that conduct might violate the CFAA where a person has accessed “a computer or information in violation of one’s use obligations,” which will often involve an examination of the person’s intent or use of such information. The Court, however, applied principles of statutory construction and adopted the more narrow approach to the application of this provision of the CFAA. Under that interpretation, the Court held that the terms “without authorization” and “exceeds authorized access” apply “only when an individual accesses a computer or information on that computer without permission. The statute does not impose liability for misusing information to which the individual had authorized access.”
Given this ruling, the Court dismissed the CFAA claims against the former employee related to first instance of downloading of files (when he was authorized to access the files), but allowed the claims related to the second instance–after he was allegedly no longer authorized to access the company’s computer system–to proceed.
Ultimately, while the Court ruled that claims under the CFAA may not be available to address situations where persons who are technically authorized to access computers or information have nonetheless misused that information, that misuse of data may still very well violate certain contractual duties of use and non-disclosure or other state law causes of action (for instance, under an applicable Uniform Trade Secrets Act).