|
“When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean—neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master—that’s all.”
—Lewis Carroll, Through the Looking Glass
What does authorized access mean? If an employee with authorized access to a computer system goes into that system, downloads company secrets, and hands that information over to the company’s competitor, did that alleged misappropriation of company information constitute unauthorized access?
This is no small question. If the access is unauthorized, the employee potentially violated the Computer Fraud and Abuse Act (CFAA) (the CFAA contains both criminal and civil causes of action). But courts get uncomfortable here. They are uncomfortable when contractual disputes morph into criminal violations. If, for example, a site’s Terms of Service says that I must use my real name, and I use a pseudonym, is my access unauthorized? We have seen over-zealous prosecutors attempt to transform a non-compliance with a TOS into a criminal act. Courts don’t like it.
But not all the court’s agree; there is a split between the Circuit Courts that believe such actions by an employee constitute a criminal violation of the CFAA—and those courts that believe that the matter is best handled as a breach of contract between employer and employee.
Today’s court decision comes from the District Court in New Jersey (which is in the 3rd Circuit): GIVAUDAN FRAGRANCES CORPORATION v. Krivda, Dist. Court, D. New Jersey Sept. 26, 2013. The facts of this case are as might be expected:
In early May, 2008, Krivda resigned his employment with Plaintiff, Givaudan Fragrances (“Givaudan”) where he was a perfumer. Prior to his last day on the job, Krivda allegedly downloaded and copied a number of formulas for fragrances. The parties acknowledge the formulas as trade secrets. Soon thereafter, Krivda commenced employment as a perfumer with Mane USA (Mane), a Givaudan competitor. Givaudan alleges that Krivda gave the formulas to Mane—an act of misappropriation.
Plaintiff Givaudan sued. Before the court is Defendant Krivda’s Motion to Dismiss the CFAA cause of action. Defendant argued that since his alleged access of Plaintiff’s computers while employed was authorized, it could not constitute unauthorized access pursuant to the CFAA.
The New Jersey District Court looked to the 9th Circuit (the West Coast) as one of the lead Circuits that has considered this issue.
Generally, the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information. The Ninth Circuit has explained that “a person who ‘intentionally accesses a computer without authorization’ . . . accesses a computer without any permission at all, while a person who ‘exceeds authorized access’ . . . has permission to access the computer, but accesses information on the computer that the person is not entitled to access.” The inquiry depends not on the employee’s motivation for accessing the information, but rather whether the access to that information was authorized. While disloyal employee conduct might have a remedy in state law, the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later utilized to the possible detriment of his former employer.
(Citations and other stuff omitted).
In the case at hand, the defendant employee had, at the time, authorization to access plaintiff’s computers and to the specific information at issue. The access was therefore authorized under the CFAA, regardless of what defendant does with that access. Furthermore, the phrase in the CFAA about someone exceeding their authorization doesn’t help plaintiff here; this refers to the situation where someone has authority to access one system, and then accesses another system. That is not the situation before the court. Plaintiff argues, “Well, defendant didn’t have our authority to review and print the information.” To which the court responds, such quibbling “does not fall within the definition of exceeds authorized access.”
Defendant may have other trouble with Plaintiff, but Plaintiff’s cause of action for a violation of the Computer Fraud and Abuse Act is disposed of.
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byVerisign
To me, the primary rule has to be this: whether the access was authorized or not has to be determined at the time of access, it cannot be affected by things that happen after that point. That comes from the principle that you have to be able to know whether you’re allowed to do something at the time you do it.
If I invite someone into my house and they steal the silverware, I can’t press trespassing charges by claiming that I didn’t authorize their access. No, I didn’t authorize them to steal, but I did authorize them to be in my house when I invited them in. They may have abused that later, but that doesn’t change the fact that I invited them in. OTOH the fact that I invited them in doesn’t mean I gave them blanket authorization to do anything they wanted. They can’t use the fact that I invited them in as somehow giving them blanket authorization to steal things.
The court here’s entirely right: if they misused the information they got because they were authorized to access it, then the complaint should be about that misuse of the information and not about the plaintiff trying to change their mind about granting the access.