In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA:
Ex-employees sued over computer use
Judge narrowly construes CFAA
By Eric T. Berkman
A technology company could not sue former employees for downloading proprietary information onto personal storage devices before they joined a competitor without showing that the employees had physically accessed the information through fraudulent or unlawful means, a U.S. District Court judge has ruled.
The employer brought the suit under the federal Computer Fraud and Abuse Act, which prohibits unauthorized access to electronic information with the intent to defraud.
The company argued that the court should employ a “broader interpretation” of the CFAA to apply to employees who misappropriate information that they were authorized to access at the time.
Boston lawyer Brian P. Bialas said the ruling creates a split in the district. “So which judge is assigned to the case might not only determine whether a CFAA claim survives, but whether a case remains in federal court.”
Judge Timothy S. Hillman disagreed, finding that the CFAA should be interpreted more narrowly.
“[I]f this court were to adopt a broad interpretation of the term of art ‘access that exceeds the scope of authorization’ then arguably any violation of a contractual obligation regarding computer use [such as idle Internet browsing] becomes a federal tort,” Hillman wrote. “As between a broad definition that pulls trivial contractual violations into the realm of federal … penalties, and a narrow one that forces the victims of misappropriation and/or breach of contract to seek justice under state, rather than federal law, the prudent choice is clearly the narrower definition.”
Nonetheless, Hillman declined to dismiss the CFAA claim, citing the “incomplete nature” of the evidentiary record. Instead, he opted to give the employer time to plead more specific details of any fraud or deception the employees may have used to obtain confidential company information or any technological safeguards they may have intentionally circumvented to access such information.
The 13-page decision is Advanced Micro Devices, Inc. v. Feldstein, et al., Lawyers Weekly No. 02-283-13. The full text of the ruling can be found at masslawyersweekly.com.
Christopher P. Sullivan of Robins, Kaplan, Miller & Ciresi in Boston, who represented the employer, declined to comment. Franklin Brockway Gowdy of Morgan, Lewis & Bockius in San Francisco was counsel for the employees. He could not be reached for comment prior to deadline.
But Boston business litigator John R. Bauer, who handles CFAA cases, said the decision potentially is an important one.
“We have these two contrasting approaches to the act and, at best, an ambiguous [1st U.S. Circuit Court of Appeals] decision that doesn’t provide much guidance and has unique facts,” the Birnbaum & Godkin attorney said. “Now we get a decision in a case that looks a lot like many cases that get brought under the act. My guess is that other judges in the district will follow [Hillman] in giving the act a narrow reading.”
Bauer also noted that the statute has “very clear language” stating that it can be actionable if an individual has the authority to access a server and then acts inconsistently with that authorization.
“But I can see judges who are worried about the CFAA becoming a way to get virtually every trade secret case in Massachusetts into federal court being hesitant to allow this to happen and being persuaded that the best way to do this is to adopt this very narrow view of the act,” he said.
Bauer said the case also is an important reminder that employers must be more vigilant about making sure employees cannot take confidential documents stored on networks and download them onto portable drives, personal computers or personal laptops.
“There are techniques being devised to make sure people can’t [download confidential information] for personal use while still having access to the documents they need for work,” he said.
Brian P. Bialas of Foley Hoag in Boston, co-author of a blog on non-compete and trade secrets issues, said the decision directly conflicts with U.S. District Court Judge Nathaniel M. Gorton’s 2009 ruling in Guest-Tek Interactive Entm’t, Inc. v. Pullen, creating a split in the district.
“So which judge is assigned to the case might not only determine whether a CFAA claim survives, but whether a case remains in federal court,” he said.
Bialas’ colleague and blog co-author, Michael L. Rosen, said the judge “punted” on the issue of how to interpret the CFAA in the context of the case.
“This is just a Rule 12(b)(6) threshold motion-to-dismiss ruling in which [Hillman] expressed skepticism about the ability of the plaintiff to prove its case,” Rosen said. “However, he wasn’t willing to dismiss it in recognition of the uncertainty that exists within the 1st Circuit and outside it.”
As a result, Rosen said, “at least if you’re before Judge Hillman, you’d better be prepared to prove something more than simple misuse after permissible access.”
Defendants Robert Feldstein, Manoo Desai and Nicolas Kociuk worked for plaintiff Advanced Micro Devices, a microprocessor manufacturer, in AMD’s Boxborough office.
At various points between July 2012 and last January, the defendants — who each had received authorization from AMD to access confidential technical and business strategy information during their employ — all left the company to work for Nvidia Corp., a major competitor.
In January, the company sued the defendants in U.S. District Court, alleging misappropriation of trade secrets, Chapter 93A violations, breach of contract and violation of the CFAA.
According to the company, the defendants copied proprietary data from AMD-owned storage devices to their own private USB thumb drives and external hard drives while still working for AMD, and held onto the information after they left.
The defendants acknowledged retaining some data after they left but denied AMD’s assertions that they did so in an attempt to convert proprietary data for their own use or for Nvidia.
On May 15, Hillman granted a preliminary injunction barring the defendants from disclosing any trade secrets or soliciting other AMD employees.
Meanwhile, the defendants moved to dismiss all claims.
Hillman denied the motion to dismiss the state-law misappropriation claims, finding that AMD had demonstrated a sufficient likelihood of success on the merits. However he did dismiss the Chapter 93A claim under the “intra-enterprise” exception to the statute, finding that any alleged violation occurred in the context of the defendants’ employment.
Turning to the CFAA claim, Hillman noted that courts have taken conflicting approaches to the definition of “authorized access” under the statute. Some courts have adopted a more narrow “technological model” of authorization, under which the scope of authorization is defined by technological restrictions that have been put in place.
For example, an employee who has received log-in credentials to access certain information would be doing so with authorization even if he misuses such information.
Hillman then pointed to concerns that a broader approach would have “far reaching and undesirable consequences,” such as potentially transforming non-work-related web surfing as a means of procrastination into a federal crime. Meanwhile, he said, others argue that the CFAA’s “intent to defraud” requirement insulates employees from liability under the statute for such activities.
However, AMD’s allegations also fall under provisions of the CFAA that have no fraud requirement, Hillman said, adding that a broad interpretation could create particularly troubling implications in a criminal context.
“It is obviously absurd to impose criminal liability for checking personal email at the workplace, or some similarly innocuous violation of an employee computer use agreement,” he said. “Nor is it acceptable to rely solely upon prosecutorial discretion to refrain from prosecuting trivial offenses.”
Accordingly, Hillman said, a narrower definition of authorization is the more prudent choice. Nonetheless, he noted that it is “an unsettled area of federal law, and one where courts have yet to establish a clear pleading standard.”
Hillman said he would not dismiss the claims, allowing AMD the opportunity to plead more specific allegations that the defendants used fraudulent means to obtain AMD information or hacked the system to do so. Otherwise, he said, “these claims will be dismissed once the factual record is complete.”