Much has been written about the federal Computer Fraud and Abuse Act (“CFAA”) and the divergent views among courts regarding the CFAA’s reach. In Power Equipment Maintenance, Inc. v. Airco Power Services, Inc., 2013 WL 3422779 (S.D. Ga. June 28, 2013), Judge Moore narrowly construed the reach of the CFAA.
Power Equipment involved “classic allegations” by a former employer of information misappropriation, customer solicitation, and employee recruitment. Among the allegations in the Complaint, the plaintiff alleged that one of the defendants emailed another defendant a copy of the plaintiff’s five year strategy plan to give to the competitor whom the defendants were planning to join. The plaintiff also alleged that one of the defendants sent an email from his work account to his personal email account which contained key information regarding one of the plaintiff’s customers. The plaintiff also alleged that one of the defendants continued to take confidential information after he resigned despite his computer access having been strictly limited. Based on these allegations, the plaintiff asserted a claim under the CFAA.
The defendants moved to dismiss the CFAA claim, arguing that the defendants’ actions did not constitute violations of the CFAA because they were authorized to access the information. The plaintiff argued that the court should dismiss the CFAA claim — which was the only federal claim — and should decline to exercise supplemental jurisdiction over the remaining state law claims.
The court reviewed and discussed the divergent views on the reach of the CFAA. The court observed that one test focuses on the employer’s perspective and looks at whether the employer had at the time of the activity at issue both authorized the employee to access the computer and had authorized the employee to access specific information on that computer. The court also observed a second agency-based test under which courts conclude that an employee’s access authority automatically terminates when the employee’s actions are no longer being taken in the interest of his or her employer. The court found this latter methodology “severely flawed” because it creates “a nebulous area where the same action can fall on either side of the CFAA based on the highly subjective intentions of the employee.”
Rejecting the application of the latter theory and applying the first, the court found that the plaintiff had not alleged that the defendants lacked access to or had exceeded their authority to access any of the information at issue. The court thus found that the allegations did not state a claim under the CFAA.
The court rejected the plaintiff’s arguments that the CFAA claim was viable based on U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). In Rodriguez, a defendant was prosecuted for exceeding his authorized access with respect to a government computer. The defendant’s employer, the Social Security Administration, had a policy which stated that employees may only access personal information in the course of assisting individuals with questions concerning their social security. Judge Moore found that these facts made the case before him distinguishable from Rodriguez. According to Judge Moore, the defendants’ access to the materials at issue was not restricted in any meaningful way, whereas the defendant in Rodriguez was expressly authorized to access personal information only under specific circumstances and for particular tasks. As Judge Moore notes in his ruling, although Rodriguez appears to indicate that the Eleventh Circuit has adopted a broad view of the reach of the CFAA, there is still disagreement post-Rodriguez among the district courts within the Eleventh Circuit as to just how broad that reach is.
