There has been a vigorous dispute in the federal courts over the extent to which the Computer Fraud and Abuse Act (“CFAA”) may be used by employers to impose civil liability on employees who access confidential or trade secret information with an improper purpose (i.e. to start a competing company). Judge David Doty has now joined two of his Minnesota colleagues in adopting a narrow interpretation of the Act, holding that there must be allegations of unauthorized access, not just improper use, in order to state a claim under the Act.
Defendants Keith O’Brien, Ian Scott and David Serrano were officers of Plaintiff Walsh Bishop Associates, an architectural firm. As principals and members of the executive committee, all three were given access to the “highest level” of the company’s confidential and proprietary information. Walsh Bishop alleges that the three misused that information to start a competing company and, represented by Debra Weiss and Mary O’Brien of Meagher & Geer, sued the three and their new firm in federal court for violations of the CFAA, the Minnesota Trade Secret Act, and a variety of other statutory and common law claims. (Presumably attorney O’Brien is not related to Defendant O’Brien, or we might have an interesting variation on the “Adam’s Rib” scenario). Defendants, represented by George Wood of Littler Mendelson, moved to dismiss for failure to state a claim.
The CFAA subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from a protected computer” to imprisonment and a fine. A civil cause of action exists in certain circumstances, but courts have been split on whether the CFAA imposes civil liability on employees who access information with permission but with an improper purpose. Based upon his analysis of the statutory language and legislative purpose of the CFAA, Judge Doty followed the lead of two earlier decisions in Minnesota and adopted “a more narrow view and focus on the scope of access rather than the misuse or misappropriation of information.” “No language or history concerning the CFAA suggests that Congress intended to provide a federal cause of action for state-law breach of contract, fiduciary duty, trade secret or other business-tort claims.” Accordingly, the Court dismissed the CFAA claim (as well as federal claims under the Electronic Communications Privacy Act and the Lanham Act) and declined to exercise supplemental jurisdiction over the state law claims, requiring Walsh Bishop to re-file them in state court.