Recently, in WEC Carolina Energy Solutions LLC, v. Willie Miller, et al., the U.S. Court of Appeals for the Fourth Circuit held that an employee’s misappropriation of his employer’s trade secrets is not a violation of the federal Computer Fraud and Abuse Act (“CFAA”). By adopting a narrow interpretation of the CFAA, the Court contributed to a deepening split among the federal appellate courts regarding the proper construction of the Act.
The CFAA was passed by Congress in 1986 to address computer crime. Today, it remains principally a criminal statute designed to combat computer hacking, although it does allow injured private parties to sue for compensatory damages and injunctive relief.
The WEC case involved a civil action brought by WEC against its former employee and Project Director, Mike Miller. When Miller worked at WEC, he was authorized to access confidential and trade secret documents stored on the company’s computer servers, including WEC’s price terms and technical capabilities. According to WEC’s corporate policies, however, Miller was prohibited from downloading that confidential information to his personal computer or otherwise using the information without authorization.
WEC alleged that, before resigning from WEC, Miller downloaded confidential documents to a personal computer. WEC further claimed that Miller later used that confidential information when making a presentation to a potential WEC customer on behalf of a competitor. After that customer awarded two projects to the competitor, WEC filed suit against Miller, asserting violations of several state statutes as well as the CFAA.
After the trial court dismissed WEC’s CFAA claim, WEC appealed to the Fourth Circuit, which affirmed. The Fourth Circuit first noted that while the CFAA permits a private party to bring a claim for violations of the Act, it is “primarily a criminal statute designed to combat hacking.” The Court further observed that because the CFAA has both civil and criminal application, its interpretation of the statutory language would apply uniformly in both contexts. Therefore, the Court stated that it would apply the “rule of lenity” applicable to criminal statutes and strictly construe the CFAA’s provisions.
The issue before the Fourth Circuit in WEC was the scope of the terms “without authorization” and “exceeds authorized access.” The Court had to determine “whether these terms extend to violations of policies regarding the use of a computer or information on a computer to which a defendant otherwise has access.” The Court opted for a narrow reading of these terms, and limited their application “to situations where an individual accesses a computer or information on a computer without permission.” The Fourth Circuit reasoned that its construction 1) was consistent with the Act’s primary objective, which is to combat hacking – and not to rein in rogue employees – and 2) was appropriate under the rule of lenity as applied to the construction of criminal statutes. Accordingly, the Court held that the CFAA does not “provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded,” and dismissed WEC’s suit.
In adopting a narrow interpretation of the CFAA, the Fourth Circuit followed in the footsteps of the Ninth Circuit Court of Appeals, but broke from the broader interpretation embraced by the Fifth, Seventh, and Eleventh Circuits, which have held that the CFAA covers employee violations of corporate computer use restrictions. The WEC decision deepens the Circuit split, and increases the need for a clear answer from the Supreme Court concerning the breadth of conduct subject to criminal prosecution under the CFAA.