Employers need clear policies in order to use a federal criminal law as a civil remedy against workers.
The recent decision in Allied Portables v. Youmans from the U.S. District Court for the Middle District of Florida underscores the need for businesses to establish explicit, well-advertised written policies identifying the scope of permissible employee access to company computers. Absent such policies, employers may be precluded from using the civil remedy in the federal computer crime statute, the Computer Fraud and Abuse Act, to sue employees who steal or destroy data from a company computers.
Allied properly recognized that for a CFAA claim to succeed, the plaintiff employer must be able to show the critical element that the defendant employee accessed a company computer by exceeding the authorized access to the computer.
The CFAA claim in Allied centered on the company computers used to operate its portable rest room business. The defendant Robin Youmans was a 49 percent owner of the company and the managing member of the business. As the manager, Youmans “had unfettered access to all of Allied Portables’ confidential, business, and trade secret information.”
Disputes arose between the 51 percent controlling owner and Youmans. Allied terminated Youmans as manager and sued her and other employees for various causes of action including a violation of the CFAA.
The factual allegations underlying the CFAA claim were that Youmans directed an employee to change Allied Portables’ payment address and the electronic access credentials for its accounting programs, and directed the employee to prevent access to Allied Portable systems by the company’s controlling owner. Additionally, Allied alleged that Youmans had a third- party vendor "configure a firewall and take other unauthorized actions, which included changing the access credentials for certain software to impede operations in case Youmans was terminated.
Youmans’ moved to dismiss the CFAA claim on the ground that the complaint failed to alleged that she and the other former employee defendants had exceeded their authorized access to Allied’s computers.
In deciding this issue, the court reviewed the two competing judicial constructs of exceeding authorized access. It reviewed the broad view held by the U.S. Court of Appeals for the Fifth Circuit, in U.S. v. John, and by the Seventh Circuit, in International Airport Centers v. Citrin, that employees’ authorization is revoked, and thus employees exceed authorized access, whenever they obtain “information with a subjective intent that is unlawful or contrary to an employer’s interests, even though the employee actually had authorization to access the information.” The court, however, adopted the narrow view endorsed by the Fourth Circuit in WEC v. Carolina Energy Solutions and in the Ninth Circuit in U.S. v. Nosal that “the employee accessed information for which the employer had not provided permission . ” Although the court sided with the narrow interpretation of exceeding authorized access and dismissed the CFAA count, it did provide a clear road map for employers. The court noted that employers could avoid this trap in the future by instituting proactive policies defining the scope of employee authorized access to the company computers.
The Allied court, under the jurisdiction of the Eleventh Circuit, emphasized how Youmans, as a manager, had “unfettered access” to Allied’s computers — facts that were distinguishable from the Social Security Administration employee in U.S. v. Rodriguez. The employee there was convicted of CFAA violations for accessing Social Security information relating to acquaintances and relatives for personal use.
Unlike Youmans, Rodriguez’ access to his employer’s computers was circumscribed by his employer’s computer policy, which authorized Rodriguez’s access to an individual’s sensitive personal information only for business reasons. As the court emphasized, this was a “well advertised, established policy that explicitly conditioned authorization to access a particular individual’s file based on whether it was done within the scope of business.” The court further recognized that the Social Security Administration “went to great lengths” to provide employees with fair notice of the policy including a warning that if they violated the policy they faced criminal penalties.
The Allied court emphasized the plaintiffs failed to sufficiently allege that Youmans and the other defendants violated a well-established written policy regarding the access to the company’s information. The question for employers is how to restrict the scope of an employee’s access to the company computers so the employee does not have “unfettered access” and so the CFAA can be used as a viable injunctive and damages remedy if an employee steals or destroys data. District courts within the Ninth Circuit, as in Facebook v. Grunin, where the narrow interpretation of the CFAA began, have limited Nosal’s interpretation of “exceeds authorized access” “to violations of restrictions on access to information, and not restrictions on its use.” This interpretation is consistent with Allied.
Given the current state of the law, employers should consider two methods to limit employees’ access. The first is to use technology to limit access to only those portions of the company’s computer network that employees need in order to perform their responsibilities. The second is establishing policies, much like in Rodriguez, restricting access to business purposes with a warning that they could face criminal penalties for exceeding authorized access.
Not only should these policies be explicit, clear and well-publicized to the workforce, but they should be reinforced in employee agreements and banners each time an employee logs on to the company’s computer network.
