Fourth Circuit Refuses to Apply CFAA to Employee Data Breach

By Robyn Hagan Cain on July 27, 2012 | Last updated on March 21, 2019

Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. (WEC). Twenty days later, he made a presentation to a potential WEC customer on behalf of WEC's competitor, Arc Energy Services, Inc. (Arc). The customer ultimately chose to do business with Arc.

WEC contends that before resigning, Miller, acting at Arc's direction, downloaded WEC's proprietary information and used it in making the presentation. WEC sued Miller, his assistant Emily Kelley, and Arc for, among other things, violating the Computer Fraud and Abuse Act (CFAA). The district court dismissed WEC's CFAA claim, holding that the CFAA provides no relief for an employee data breach.

This week, the Fourth Circuit Court of Appeals affirmed that decision.

The CFAA is primarily a criminal statute designed to combat hacking. Nevertheless, it permits a private party "who suffers damage or loss by reason of a violation of [the statute]" to bring a civil action "to obtain compensatory damages and injunctive relief or other equitable relief." Although proof of at least one of five additional factors is necessary to maintain a civil action, a violation of any of the statute's provisions exposes the offender to both civil and criminal liability.

A person can be liable under the CFAA if he:

  1. Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer.
  2. Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.
  3. Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage, or causes damage and loss.

Here, WEC alleged that Miller and Kelley violated the Act because they were not permitted to download confidential and proprietary information to a personal computer under WEC's policies, and they breached their fiduciary duties by doing so. On WEC's theory, that breach meant they either lost all authorization to access the confidential information or exceeded their authorization.

WEC sought to hold Arc liable because it claimed that Miller and Kelley undertook this conduct as Arc's agents.

The defendants moved for a 12(b)(6) dismissal, and the district court held that WEC failed to state a claim for which the CFAA provided relief. The Fourth Circuit Court of Appeals affirmed the district court, noting that Miller and Kelley didn't hack WEC's system. (Remember, the CFAA was created to combat hacking, not an employee data breach.)

Judge Henry Floyd, writing for the three-judge panel, said, "We are unwilling to contravene Congress's intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy. Providing such recourse not only is unnecessary, given that other legal remedies exist for these grievances, but also is violative of the Supreme Court's counsel to construe criminal statutes strictly."
