Wednesday, April 10, 2013

S.D.N.Y. case highlights circuit split on CFAA’s application to “faithless employees”

In JBCHoldings v. Pakter, the United States District Court for the Southern District of New York addressed “whether an employee[’s] misuse of an employer’s information violates the [Computer Fraud and Abuse Act] where that information was obtained from a computer to which the employee was permitted access.” As JBCHoldings highlights, whether the CFAA applies to the “faithless employee” has caused quite a conflict among federal courts.

Janou Pakter and Jerry Tavin owned the executive search firm Janou Pakter Inc., which was later purchased by JBCHoldings NY. After the purchase, JBCHoldings and Pakter entered into an agreement in which Pakter would “continue to participate in the business” and help attract new clientele. However, JBCHoldings alleged that while Pakter was under contract, Pakter and other co-defendants were operating a competing company, Janou Talent Advisory International. Using their association with JBCHoldings, Pakter and her co-defendants allegedly “misappropriated [JBCHoldings'] proprietary information, including client lists, and used these to advance their competing business.” As the court states, JBCHoldings believed that “Janou (or a co-defendant) obtained this information either by (1) copying it to her personal laptop and sharing it with her co-defendants; (2) lifting it from JBC's computers using a flash drive; and/or (3) obtaining it remotely via spyware.” JBCHoldings filed a complaint alleging numerous causes of action, including violations of the CFAA.

The court, like many before it, recognized the complicated issue of interpreting the CFAA’s use of the terms “without authorization” and “exceeding authorized access.” While “without authorization” is not defined in the statute, “exceeds authorized access” is defined under the statute, 18 U.S.C. § 1030(e)(6), as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute outlines a number of offenses related to accessing computers and protected computers, but the fundamental question is whether employees, like Janou, are culpable under the statute when they are granted access to company information but later use that information in an unauthorized way.

The “Broad Construction”
As the court opines, four circuits (the First, Fifth, Seventh, and Eleventh Circuits) have adopted a broad construction of the CFAA. The court states that, while subtly different, “each circuit has held that the statutory terms ‘without authorization’ and/or ‘exceeds authorized access’ are broad enough to reach the situation in which an employee misuses employer information that he or she is otherwise permitted to access.”

The “Narrow Construction”
On the other hand, the court found that two circuits (the Fourth and Ninth Circuits) have adopted a narrow construction of the CFAA. In adopting a narrow construction, these circuits “have held that the statute does not reach the mere misuse of employer information or violations of company use policies.” The Ninth Circuit’s en banc opinion, United States v. Nosal, has been a flagship example of a court’s narrow construction of the CFAA in the faithless employee context (a case that Cybercrime Review has discussed in detail). After determining that the Second Circuit has not squarely answered this question, the court adopted a narrow approach, finding it “considerably more persuasive.”

JBCHoldings’ Rationale and Application
In applying the plain meaning of the term “without authorization,” the court found that “an employee ‘accesses a computer without authorization’ when he does so without permission to do so. This definition plainly speaks to permitted access, not permitted use.” The court also found the CFAA’s statutory definition of “exceeds authorized access” was inherently similar to the plain meaning of “without authorization,” stating, “[b]y its plain terms, this definition also speaks to access, not use.” It was this interpretation that formed the basis of the court’s rationale:

[N]owhere in the Amended Complaint is there any allegation that Janou . . . lacked the authority to access this information. Thus, although Janou’s alleged actions violated plaintiffs’ electronic media policy, such misuse does not state a claim under the CFAA, because an employee does not “exceed[] authorized access” or act “without authorization” when she misuses information to which she otherwise has access. (internal citations omitted).

This case is by no means extraordinary in its application of the CFAA. However, the case does have the potential of placing this (clearly troublesome) question in front of the Second Circuit, where it would be an issue of first impression according to the court in JBCHoldings. If nothing else, this opinion provides a good overview of how courts have dealt with the “faithless employee” question thus far and highlights the depth of the circuit split.

