In 1983, some members of Congress saw the movie WarGames—in which a teenager unintentionally starts the countdown to World War III by breaking into a military supercomputer—and freaked out. Soon thereafter, Congress passed the original version of the Computer Fraud and Abuse Act (CFAA).
Through various revisions, the law has been expanded in scope and has become a powerful tool in cases of trade secret misappropriation, both criminal and civil. A CFAA claim can be a nice complement to a trade secret misappropriation claim because the CFAA is not subject to some of the more restrictive requirements of federal and state trade secret laws.
The Supreme Court has now decided to review the act, and its decision may impact whether you can use the CFAA to protect your trade secrets.
What Is the Supreme Court Considering?
The CFAA covers a broad range of unlawful computer activity and provides, in relevant part, that whoever intentionally accesses a computer “without authorization or exceeds authorized access” commits a federal crime and may face civil liability. Opponents have long argued that this language is so unreasonably broad that it criminalizes everyday, insignificant online acts such as password sharing and violations of websites’ terms of service.
In Van Buren v. United States, the Supreme Court will consider the case of a Georgia police officer who accessed a police database that he was authorized to access, but for the unauthorized purpose of providing information to an acquaintance. The First, Fifth, Seventh, and Eleventh Circuits have held that a person operates “without authorization” or “exceeds authorized access” when they access information they otherwise are authorized to access, but for an unauthorized purpose.
On the flip side, the Second, Fourth, and Ninth Circuits have held that a person violates the CFAA only by accessing information they have no authorization to access, regardless of the reason. The Supreme Court will decide whether the CFAA covers “use restrictions” in addition to “access restrictions.”
Future Effect on Trade Secret Cases
If the Supreme Court goes with the narrower access-restriction-only interpretation, the applicability of the CFAA in a trade secret case will turn on the nature and extent of the person’s authorization to access the trade secrets. There are steps an employer can take to improve its chances of being able to assert a CFAA claim.
Consider the example of an employee who accepts a job offer with a competitor and, prior to leaving the company, downloads trade secret information to take with him. The company will probably have claims against the employee (and possibly the competitor) for misappropriation of trade secrets under federal and state statutes, and breach of employment or nondisclosure agreements.
But whether the company has a claim under the CFAA depends on whether the employee copied the trade secrets from computer sources he had access to as part of his normal job responsibilities. If the answer is yes, then the employee’s actions were neither “without authorization” nor “exceed[ing] authorized access.”
However, if the employee also gained access to computer resources that he did not have permission to access as part of his normal duties, then it may indeed be the case that he is guilty of exceeding his authorized access.
Employers can proactively take certain steps which may make all the difference in determining whether a CFAA claim can be asserted.
Limit employees’ computer access to need-to-know. In other words, employees should not be able to access computer resources and information that are not necessary for them to perform their duties. For example, an employee may be provided access to customer and price lists (economic trade secrets), but not have access to servers where source code and technical information (technical trade secrets) are stored.
Set clearly defined policies. Employment agreements, confidentiality agreements (with both employees and third parties), and company policies should make clear that employees (and business partners, where applicable) do not have permission to access resources that are not necessary in the performance of their job responsibilities. Any steps employers can take proactively to convert potential use restrictions into access restrictions can go a long way in preserving the viability of a CFAA claim.
Don’t underestimate the value of agreements and policies. If the Supreme Court decides use restrictions are overreach, a company’s employment agreements, nondisclosures agreements, and computer use policies may still save the day.
Under one line of thought (and past case law supports this), when an employee breaches one of these agreements or policies, or even just violates her duty of loyalty to the company, that can instantly and automatically extinguish her agency relationship with the company and, with it, whatever authority she had to access the company’s computers and information.
Accordingly, it may be possible to bring a CFAA claim where an employee exceeds his authority by, for example, violating a policy that prohibits downloading confidential company files to portable media (essentially, a use restriction), which then automatically forfeits his access rights resulting in an access restriction violation.
Depending on what the Supreme Court decides, trade secret owners may lose a very useful claim in cases of misappropriation. But, by implementing these and other measures, owners can improve their standing even before the Supreme Court decides the Van Buren case.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Andrew Kopsidas is a principal at Fish & Richardson in the firm’s Washington, D.C. He leads and tries intellectual property cases and offers strategic counseling to clients.
Eda Stark is an associate at Fish & Richardson in the firm’s Boston office.