E-Alert Case Updates

Fourth Circuit Court of Appeals finds Computer Fraud and Abuse Act provides no remedy for Employer, whose Former Employee misappropriated company information.

WEC Carolina Energy Solutions, LLC v. Miller
No. 11-1201 (4th Cir. July 26, 2012)
by Wayne Heavener, Summer Associate
Semmes, Bowen & Semmes (www.semmes.com)

In WEC Carolina Energy Solutions, LLC v. Miller, the United States Court of Appeals for the Fourth Circuit found that an employer could not maintain a cause of action under the Computer Fraud and Abuse Act (CFAA) against an employee for downloading the employer’s proprietary information where the employee was authorized to access company servers. WEC Carolina Energy Solutions, LLC (WEC) brought a civil suit against former employees Willie Miller and Emily Kelley and competitor Arc Energy Services, Inc. (Arc) under the CFAA, after Mr. Miller and Ms. Kelly allegedly used WEC proprietary data to secure a customer for Arc. Writing the opinion of the Court, Judge Henry Floyd found that WEC could not recover under the CFAA for the actions of its former employees because both Mr. Miller and Ms. Kelley were permitted access to confidential WEC data when they were employed by WEC. Finding that WEC had stated a claim upon which the CFAA provided no relief, the Court affirmed the decision of the United States District Court for the District of South Carolina dismissing WEC’s claim.

Mr. Miller and Ms. Kelly worked for WEC until April 2010, when Mr. Miller resigned from his position as project director. WEC is based in South Carolina, and provides specialized welding and related services to the power industry. Twenty (20) days after resigning from WEC, Mr. Miller conducted a presentation for a potential WEC customer on behalf of Arc. Arc is also a South Carolina company, and directly competes with WEC. After Mr. Miller’s presentation, the customer chose to do business with Arc, rather than WEC. Claiming that Mr. Miller’s presentation was based upon proprietary WEC information downloaded by Mr. Miller and Ms. Kelly before Ms. Kelley’s resignation, WEC filed a Complaint sounding in nine (9) causes of action and a violation of the CFAA against Mr. Miller, Ms. Kelly, and Arc.

WEC alleged that Mr. Miller, Ms. Kelly, and Arc had violated three sections of the CFAA, which rendered a party liable for intentionally accessing a protected computer without authorization and (1) obtaining information, (2) intending to commit fraud, and (3) recklessly causing damages or loss. Mr. Miller, Ms. Kelly, and Arc moved for dismissal under Fed. R. Civ. P. 12(b)(6). The District Court granted the motion to dismiss in regards to WEC’s CFAA claim and declined to exercise jurisdiction over the remaining state law claims. WEC appealed to the Fourth Circuit Court of Appeals.

Reviewing the District Court’s decision de novo, the Fourth Circuit Court of Appeals held that WEC could not maintain its claim under the CFAA. The Court noted a circuit split over whether an employer could recover against a former employee for the misappropriation of company data when the employee had access to company servers, from which two schools of thought emerged. Under the Seventh Circuit’s precedent, an employee who accesses a computer to further interests adverse to his or her employer violates a duty of loyalty, thereby abrogating the agency relationship and any authorization he or she may have had to company proprietary data. Conversely, under the Ninth Circuit’s precedent, an employee only violates the CFAA if he or she accesses information explicitly forbidden to the employee at the time of employment. The Fourth Circuit Court of Appeals adopted the Ninth Circuit’s approach because it was more limited than the Seventh Circuit Approach. The Court observed:

[The Seventh Circuit’s cessation-of-agency theory] would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems. . . . Although an employer might choose to rescind an employee’s authorization for violating a use policy, we do not think Congress intended an immediate end to the agency relationship and, moreover, the imposition of criminal penalties for such a frolic.

WEC Carolina Energy Solutions, LLC v. Miller, No. 11-1201, slip op. at 12 (4th Cir. July 26, 2012). Noting that the CFAA is primarily a criminal statute, and that its interpretation of the statute would apply equally to civil and criminal causes of action, the Court found that the rule of lenity dictated that it adopt the Ninth Circuit’s narrow interpretation of unauthorized access.

Applying its interpretation to the facts of the case, the Court found that WEC failed to allege that either Mr. Miller or Ms. Kelley accessed its computers without authorization. In fact, WEC had acknowledged that both employees had access to the company’s servers and intranet. Therefore, while Mr. Miller and Ms. Kelley may have misappropriated information, they did not access the company’s computers without authorization as prohibited under the CFAA. Noting that other recourse existed for the alleged transgressions of Mr. Miller, Ms. Kelly, and Arc, the Court affirmed the District Court’s ruling, and dismissed WEC’s CFAA claim.