6th Circuit Dismisses CFAA Claim Against Competing Employees

By Jeffrey Rhodes December 2, 2020
LIKE SAVE
close up of man typing on laptop

The 6th U.S. Circuit Court of Appeals dismissed Computer Fraud and Abuse Act (CFAA) claims against former employees of a truck and trailer company who allegedly took and misused electronic computer data from their employer because they did not obtain the data by unauthorized access.

Royal Truck & Trailer Sales and Service Inc. employed two individuals as a part of the company's sales team. The employees received a copy of Royal's employee handbook, which prohibited a range of conduct concerning the use of company equipment, including unauthorized use, retention or disclosure of any of Royal's resources or property, and sending or posting trade secrets or proprietary information outside the organization. Royal also had a cellphone GPS tracking policy that prohibited the employees from disabling or interfering with the GPS (or any other) functions on a company-issued cellphone and from removing any software, functions or apps.

The employees abruptly resigned from Royal to take up employment with T-N-T Trailer Sales, one of Royal's Detroit-area competitors. Fearing that confidential company information might have been compromised, Royal launched an investigation. It discovered that, shortly before his resignation, one of the employees forwarded from his Royal e-mail account to his personal account quotes for two Royal customers as well as two Royal paystubs. The employee also contacted one of Royal's customers through Royal's e-mail server to ask the customer to send "all the new vendor info" to his personal e-mail account.

With that, the employee then deleted and reinstalled the operating system on his company-issued laptop, rendering all of its data unrecoverable. Eventually, Royal officials went to the employee's home and took possession of the laptop as well as his company-issued cellphone.

The other employee did much the same. She sent to her departing co-worker's personal e-mail account a Royal "salesperson summary report" from her Royal e-mail account. She likewise forwarded an e-mail from her Royal account to her personal account that contained customer pricing information. She also reset her company-issued cellphone to factory settings, rendering all data on the phone unrecoverable. She then returned her company-issued laptop and cellphone to Royal's corporate headquarters and resigned, announcing her resignation on social media by posting the music video for the song "Take This Job and Shove It."

Royal hired a forensics expert to restore the deleted data on the devices and filed suit against the two employees in federal court, alleging that their conduct violated the CFAA and Michigan law. The district court dismissed the suit, however, finding that the employees did not exceed their authorized access as those terms are used in the CFAA.

On appeal, the 6th Circuit reasoned that to establish a CFAA violation, Royal must establish that:

  • The employees intentionally accessed a computer.
  • The access was unauthorized or exceeded the employees' authorized access.
  • Through that access, the employees thereby obtained information from a protected computer.
  • The conduct caused loss aggregating at least $5,000 in value.

The term "access," the court reasoned, is synonymous with initial entry into something. Such initial entry must result in obtaining data, and the CFAA's damages and loss provisions are aimed at preventing the typical consequences of hacking, rather than the misuse of corporate information.

The 6th Circuit thus agreed with the 2nd, 4th and 9th Circuits, which have also held that an employee who is authorized to access a computer does not violate the CFAA by violating an employer's restrictions on the use of information once it is accessed. However, the 1st, 5th, 7th, 8th and 11th Circuits have more broadly interpreted "exceeds authorized access" to include misuse of data.

The court said this reasoning would essentially give employers the power to criminalize employee misuse of data through their policies and take the power to legislate crimes away from Congress. The court noted that the U.S. Supreme Court may decide the issue soon.

Thus, the 6th Circuit found that while the employees' conduct might violate company policy, state law and perhaps even another federal law, it did not violate the CFAA. Royal gave them access to the data, and they did not hack in or otherwise obtain the data in an unauthorized way. The court thus upheld the dismissal of Royal's claims.

Royal Truck & Trailer Sales and Service Inc. v. Kraft, 6th Cir., No. 19-1235 (Sept. 9, 2020).

Professional Pointer: Employers should maintain policies to restrict misuse of data but should also exercise care regarding employee access to data to prevent misuse.

Jeffrey Rhodes is an attorney with McInroy, Rigby & Rhodes LLP in Arlington, Va.

LIKE SAVE

SHRM HR JOBS

Hire the best HR talent or advance your own career.

Salary Increase Projections 2021

The economic effects of COVID-19 have forced employers to re-evaluate salary increase plans for 2021.

The economic effects of COVID-19 have forced employers to re-evaluate salary increase plans for 2021.

VIEW REPORTS

SPONSOR OFFERS

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.