Advanced Aerofoil Techs., AG v. Todaro, 2013 U.S. Dist. LEXIS 25711 (S.D.N.Y. 1/30/13)

District Court in 2nd Circuit rejects broad interpretation of Computer Fraud and Abuse Act.

Although primarily a criminal anti-hacking statute, the Computer Fraud and Abuse Act, 18 U.S. C. § 1030, et seq. (“CFAA”) also provides for certain civil causes of action. In this case, the plaintiff, AAT, argued that various employees violated the CFAA when they downloaded and accessed proprietary and trade secret information from AAT’s computers in order to form a competing company. AAT alleged that its employees also deleted and deliberately destroyed emails and vital electronic data.

A key prerequisite to stating a civil claim under the CFAA is access “without authorization” to the plaintiff’s computers. In other words, were the defendants accessing and/or transmitting information from AAT’s computers without authorization within the meaning of the CFAA? Here, there was no question that the defendants had unfettered access to AAT’s computer systems as employees. The issue was whether intentional misuse or misappropriation of an employer’s confidential information constituted unauthorized access. The statute does not define the term “without authorization,” which has led to a split amongst the Circuits. Several Circuits, including the 1st and 7th, have held that an employee’s authorization under the CFAA is effectively terminated once the employee acquires interests adverse to the employer or otherwise breaches a duty of loyalty to the employer.

In AAT, the court rejected the expansive view of the CFAA and chose to adopt a narrow reading of “without authorization” under the CFAA. Rather, citing other cases within the 2nd and 9th Circuits, the court held that there is no statutory language that supports interpreting the CFAA to reach misuse or misappropriation of information. Since AAT had not revoked the employee's unlimited access to its computer systems at the time the information was obtained, AAT could not state a claim under the CFAA. In other words, the purpose or reason the employee accesses the data (and subsequent use or misuse of the data) is not relevant under the CFAA. Instead, the issue is whether the access to the data was authorized by the employer.

This decision is certainly not the last word on civil actions under the CFAA, and it remains to be seen how this issue will continue to play out in the federal court system.