WEC Carolina Energy Solutions, LLC v. Miller et al.

11-1201
March 7, 2011
Federal Court
4th Circuit
United States Court of Appeals for the Fourth Circuit

The Fourth Circuit has become the most recent Federal Court of Appeals to take a stance on the scope of the "without authorization" language of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Following the Ninth Circuit's recent en banc decision in Nosal, the Fourth Circuit concluded that the CFAA does not apply where an employee is authorized to access a company computer system but is not authorized to use the information he accessed in the manner in which it was used (against the employer's interest). The ruling narrows the scope of the CFAA, a statute that is often used to obtain jurisdiction in federal courts by plaintiffs asserting trade secret misappropriation or other state law-based claims.

In WEC Carolina Energy Solutions, LLC v. Miller, No 11-1201, July 26, 2012, the Fourth Circuit upheld the trial court's dismissal of the plaintiff's CFAA claim. Defendant Miller had downloaded his employer's files onto his personal computer before resigning and used them in a presentation made on behalf of a competitor to a potential WEC customer. WEC claimed that because company policies did not permit the downloading of confidential and proprietary information to a personal computer, and because Miller had breached his fiduciary duties, Miller either lost all authorization to access the information or exceeded his authorization, both of which are violations under the CFAA. The Fourth Circuit held that in the absence of a restriction of access to the company's computers, the alleged acts did not violate the CFAA. The Court rejected the view held by the Seventh Circuit that by violating the duty of loyalty to an employer, the employee's agency relationship is terminated and the employee consequently loses any authority to access company computers. The Court also declined to adopt the Ninth Circuit interpretation of the CFAA, which they considered a harsher approach that could lead to unwarranted criminal liability. Ultimately, the Court held that improper use of information validly accessed from a computer does not violate the CFAA.

Floyd, Hamilton, Shedd
WEC Carolina Energy Solutions, LLC
Arc Energy Services, Inc., Emily Kelley, Willie Miller a/k/a Mike
Other federal statute

Case Report

Background and Facts:

The CFAA is primarily a criminal statute enacted to protect government computer hacking. However, it also provides a civil remedy for the wrongful use of a computer, including accessing a computer without authority or exceeding authorized access and thereby obtaining information. Bringing a CFAA claim confers federal subject matter jurisdiction, enabling a suit to proceed in federal court, whereas a trade secret claim arises under state law and normally must be brought in state court, absent diversity.

Defendant Mike Miller was employed as a project manager at WEC Carolina Energy Solutions, Inc. (“WEC”) until his resignation on April 30, 2010. As part of Miller’s employment, he was issued a company cell phone, a company laptop and had access to WEC’s intranet and computer servers, including the confidential information and trade secrets stored on those servers. WEC established various security policies in order to prohibit using confidential information without authorization or downloading such information to a personal computer. Prior to Miller’s resignation, he communicated with WEC’s competitor, Arc Energy (“Arc”). Either by himself or with the help of Miller’s assistant, Defendant Emily Kelley, Miller downloaded numerous confidential documents and trade secrets from WEC’s computer servers to a personal computer, and also e-mailed them to Miller’s personal email address. Twenty days after Miller’s resignation from WEC, Miller used the downloaded information to make a presentation on behalf of Arc to a potential WEC customer. The customer subsequently awarded two projects to Arc.

In October 2010, WEC sued Miller, Kelley, and Arc in the United States District Court for the District of South Carolina Rock Hill Division, alleging nine state-law causes of action and a violation of the CFAA. WEC claimed that Defendants violated §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C) of the CFAA, each of which require that a party either access a computer “without authorization” or “exceed authorized access.” Specifically WEC maintained that Miller and Kelley violated the Act by abusing WEC’s policies prohibiting downloads of confidential information to a personal computer, therefore breaching their fiduciary duties to WEC, and through this breach, they either (1) lost all authorization to access the confidential information or (2) exceeded their authorization. In February 2011, the United States District Court for the District of South Carolina Rock Hill Division held that WEC failed to state a claim for which the CFAA provided relief, dismissing the CFAA claim and declining to exercise jurisdiction over the remaining state-law claims. WEC appealed to the United States Court of Appeals for the Fourth Circuit.

Fourth Circuit Opinion:

In July 2012, the United States Court of Appeals for the Fourth Circuit affirmed the District Court decision. In determining whether the CFAA applied to this case, the Court examined the scope and meaning of “without authorization” and “exceeds authorized access,” (the “Terms”) to determine whether the Terms applied to violations of policies regarding the use of a computer or information on a computer to which a defendant otherwise has access. The Court looked to prior interpretations of the Terms by the Seventh and Ninth Circuit courts.

The Seventh Circuit’s view, argued by WEC, broadly defined the meaning of these Terms, holding that once the duty of loyalty has been breached by an employee accessing a work computer or information on that computer in advance of his own interests and in a manner adverse to his employer’s interests, it turns previously authorized access of computer files into unauthorized access under the CFAA.

The Ninth Circuit’s view, followed by the District Court here, established a narrow interpretation of the Terms, which limited the Terms' application to situations where an individual accesses a computer, or information on it, without permission.

In view of these two schools of thought, the Court looked to the congressional intent of the statute. The Court’s first determination was that an employee accesses a computer “without authorization” when he gains admission to a computer without approval from his employer. Similarly, an employee “exceeds authorized access” when he has approval to access the computer, but uses his access in a way that falls outside the limits of his approved access. The Court clarified that neither of these definitions extended to the improper use of information validly accessed. The Court went even further to discuss two plausible interpretations of the Terms. The first, which was the Ninth Circuit interpretation, maintained that the relevant CFAA provisions referred to improper means of obtaining information. However, the Court refused to adopt this interpretation, reasoning that Congress would not want to penalize every individual that obtained information in an unauthorized manner. The Court gave an example of an employee downloading his work to a personal computer in order to be able to work from home. If an employer had a policy against downloading information to personal computers, such as WEC, it would be unfair to hold this employee liable. Instead, yielding to the rule of lenity, the Court adopted a second interpretation, which criminalized obtaining or altering information that an individual lacked authorization to obtain or alter. In adopting this interpretation, the Court also rejected the Seventh Circuit’s interpretation of CFAA liability. Finding that Miller’s access to the computer and its servers was authorized by WEC and that Miller had authorization to obtain the confidential documents on WEC’s servers, the Court held that although the Defendants may have misappropriated the information, their misuse of the information did not violate the CFAA.

Relevance:

What constitutes “authorization” has been unsettled and discrepancies in interpretation have resulted in a circuit split. Between the Seventh Circuit’s broad construction and the Ninth and Fourth Circuit’s narrow yet differing interpretations, the proper application of the relevant CFAA provisions remain undefined.