CASE REPORT: WEC Carolina Energy Solutions, LLC v. Miller et al.
Background and Facts:
The CFAA is primarily a criminal statute enacted to protect against the hacking of government computers. However, it also provides a civil remedy for the wrongful use of a computer, including accessing a computer without authority or exceeding authorized access and thereby obtaining information. Bringing a CFAA claim confers federal subject matter jurisdiction, enabling a suit to proceed in federal court, whereas a trade secret claim arises under state law and normally must be brought in state court, absent diversity.
Defendant Mike Miller was employed as a project manager at WEC Carolina Energy Solutions, Inc. (“WEC”) until his resignation on April 30, 2010. As part of Miller’s employment, he was issued a company cell phone and a company laptop and had access to WEC’s intranet and computer servers, including the confidential information and trade secrets stored on those servers. WEC established various security policies in order to prohibit using confidential information without authorization or downloading such information to a personal computer. Prior to Miller’s resignation, he communicated with WEC’s competitor, Arc Energy (“Arc”). Either by himself or with the help of his assistant, Defendant Emily Kelley, Miller downloaded numerous confidential documents and trade secrets from WEC’s computer servers to a personal computer, and also e-mailed them to his personal email address. Twenty days after Miller’s resignation from WEC, Miller used the downloaded information to make a presentation on behalf of Arc to a potential WEC customer. The customer subsequently awarded two projects to Arc.
In October 2010, WEC sued Miller, Kelley, and Arc in the United States District Court for the District of South Carolina, Rock Hill Division, alleging nine state-law causes of action and a violation of the CFAA. WEC claimed that Defendants violated §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C) of the CFAA, each of which requires that a party either access a computer “without authorization” or “exceed authorized access.” Specifically, WEC maintained that Miller and Kelley violated the Act by violating WEC’s policies prohibiting downloads of confidential information to a personal computer, thereby breaching their fiduciary duties to WEC, and that through this breach they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization. In February 2011, the District Court held that WEC failed to state a claim for which the CFAA provided relief, dismissing the CFAA claim and declining to exercise jurisdiction over the remaining state-law claims. WEC appealed to the United States Court of Appeals for the Fourth Circuit.
Fourth Circuit Opinion:
In July 2012, the United States Court of Appeals for the Fourth Circuit affirmed the District Court decision. In determining whether the CFAA applied to this case, the Court examined the scope and meaning of “without authorization” and “exceeds authorized access,” (the “Terms”) to determine whether the Terms applied to violations of policies regarding the use of a computer or information on a computer to which a defendant otherwise has access. The Court looked to prior interpretations of the Terms by the Seventh and Ninth Circuit courts.
The Seventh Circuit’s view, argued by WEC, broadly defined the meaning of these Terms, holding that once an employee breaches the duty of loyalty by accessing a work computer, or information on that computer, to advance his own interests and in a manner adverse to his employer’s interests, the breach turns previously authorized access of computer files into unauthorized access under the CFAA.
The Ninth Circuit’s view, followed by the District Court here, established a narrow interpretation of the Terms, which limited the Terms' application to situations where an individual accesses a computer, or information on it, without permission.
In view of these two schools of thought, the Court looked to the congressional intent of the statute. The Court’s first determination was that an employee accesses a computer “without authorization” when he gains admission to a computer without approval from his employer. Similarly, an employee “exceeds authorized access” when he has approval to access the computer, but uses his access in a way that falls outside the limits of his approved access. The Court clarified that neither of these definitions extended to the improper use of information validly accessed. The Court went even further to discuss two plausible interpretations of the Terms. The first, which was the Ninth Circuit interpretation, maintained that the relevant CFAA provisions referred to improper means of obtaining information. However, the Court refused to adopt this interpretation, reasoning that Congress would not want to penalize every individual who obtained information in an unauthorized manner. The Court gave an example of an employee downloading his work to a personal computer in order to be able to work from home. If an employer had a policy against downloading information to personal computers, as WEC did, it would be unfair to hold this employee liable. Instead, yielding to the rule of lenity, the Court adopted a second interpretation, which criminalized obtaining or altering information that an individual lacked authorization to obtain or alter. In adopting this interpretation, the Court also rejected the Seventh Circuit’s interpretation of CFAA liability. Finding that Miller’s access to the computer and its servers was authorized by WEC and that Miller had authorization to obtain the confidential documents on WEC’s servers, the Court held that although the Defendants may have misappropriated the information, their misuse of the information did not violate the CFAA.
What constitutes “authorization” has been unsettled, and discrepancies in interpretation have resulted in a circuit split. Between the Seventh Circuit’s broad construction and the Ninth and Fourth Circuits’ narrow yet differing interpretations, the proper application of the relevant CFAA provisions remains undefined.