On January 2, 2013, the United States Supreme Court dismissed the petition for writ of certiorari seeking review of the Fourth Circuit’s opinion in WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012). With the dismissal of WEC Carolina’s petition, the latest hope for the United States Supreme Court to weigh in on the Circuit split over the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, was dashed.
The CFAA, primarily a criminal statute, was originally enacted in 1984 to prevent computer hacking. The CFAA permits a private party “who suffers damage or loss by reason of a violation of [the statute]” to bring a civil action “to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). A person may be held civilly liable under the CFAA when that person, among other things, (1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer; (2) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value; or (3) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage, or causes damage and loss. Employers whose employees are suspected of having misappropriated trade secrets often bring causes of action under the CFAA as well, especially in circumstances where the employers want to be in federal court but diversity jurisdiction is lacking.
In the years since the CFAA was enacted, a split has emerged in the Circuit Courts of Appeal concerning the proper scope of the “without authorization” and “exceeds authorized access” language of the statute. The broader approach, applied by the First, Fifth, Seventh and Eleventh Circuits, holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. See United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 578-79 (1st Cir. 2001).
The more narrow approach, articulated by the Ninth Circuit and adopted by the Fourth Circuit in WEC Carolina, interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. See WEC Miller, supra; United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1134-35 (9th Cir. 2009).
As a result of the dismissal of WEC Carolina’s petition for writ of certiorari, an employer whose employee misuses the employer’s computer information will continue to have a cause of action under the CFAA against that employee in certain parts of the country, but the same employer may not have a cause of action against a different employee who does the same thing in another part of the country.