Is Your Electronic Information Protected from Employees Under the CFAA? Maybe So, Maybe Not…

In WEC Carolina Energy Solutions LLC v. Miller, 2012 WL 3039213 (4th Cir) decided July 26, 2012, the Fourth Circuit sided with the Ninth Circuit in deciding that the Computer Fraud and Abuse Act (“CFAA”) does not apply to employees and former employees who were authorized to access the employer’s electronic information.  The decision stands in contrast to the position taken by the Seventh Circuit in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006).  The Fourth Circuit rejects the interpretation of the CFAA taken by the Seventh Circuit, which interprets the CFAA much more broadly.  The Seventh Circuit concludes that an employee’s misappropriation of electronic information from his employer is a breach of the employee’s duty of loyalty that immediately terminates his agency relationship and with it his authority to access the laptop, because the only basis of his authority had been that relationship.

WEC Carolina Energy Solutions Inc. argued that its former employee violated the CFAA’s ban on access “without authorization” by taking files from his work computer to a rival company.  The employer had argued in the District Court that by misappropriating the information, Miller voided his agreement with the company, and, therefore, he was no longer permitted to access his computer under the CFAA.  The District court rejected that interpretation of the CFAA and the Fourth Circuit affirmed.  In so ruling the Court “ adopt[s] a narrow reading of the terms “without authorization” and “exceeds authorized access” and hold[s] that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”

The Fourth Circuit, like the Ninth and Seventh Circuits, found the crux of the issue presented to be “the scope of ‘without authorization’ and ‘exceeds authorized access,’” but the Fourth Circuit finds the Ninth Circuit argument in United States v. Nosal, 676 F.3d 854, 863 (9th Cir.2012) (en banc), the better interpretation of “authorization” as being “that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.  Thus, he accesses a computer ‘without authorization’ when he gains admission to a computer without approval.  Similarly, we conclude that an employee ‘exceeds authorized access’ when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.  Notably, neither of these definitions extends to the improper use of information validly accessed.  (citations omitted.)”  Unlike the Ninth Circuit, however, which was willing to find that a CFAA violation could be established where an employee exceeded his authority under a company access policy, the Fourth Circuit ruling is even more restrictive than the Ninth Circuit’s view.  The Fourth Circuit “adopt[s] a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”

Given that the CFAA has both criminal and civil liability the Fourth Circuit chose to strictly construe the language.  Even “under the Nosal panel’s approach, because [the employee] obtained information ‘in a manner’ that was not authorized (i.e., by downloading it to a personal computer), he nevertheless would be liable under the CFAA. See § 1030(a)(2)(C).  Believing that Congress did not clearly intend to criminalize such behavior, we decline to interpret ‘so’ as ‘in that manner.’”  The bottom line—the Fourth Circuit approach, “reject[s] an interpretation of the CFAA that imposes liability on employees who violate a use policy, choosing instead to limit such liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access.”

While the lines of the split in Circuits has become more defined with WEC Carolina Energy Solutions LLC, predicting what the Supreme Court will do with that split is another story.  My money is on Judge Posner’s interpretation in International Airport Centers, partly because he is a brilliant jurist and I practice in the Seventh Circuit, but mostly because that is the interpretation that expands an employer’s arsenal of protections against cheating employees.  However, until the fat lady [U.S. Supreme Court] sings employers should continue to draft and implement a computer access and use policy for its employees that assumes that a well drafted policy violated by an employee can be enforced under the CFAA, so long as the employer can demonstrate $5,000 in damages to the employer resulted from the employee’s actions.

Cheryl Orr and Heather Sager Contribute Articles to The Recorder’s Special Issue on Privacy

Partners Cheryl Orr and Heather Sager contributed articles in today’s special section on Privacy in The Recorder.  Cheryl’s article, Employer’s BYOD dilemna, looks at the issues and approaches employers are taking as employees use dual devices, i.e. one device for both work and personal use.  Heather’s article, Why can’t we be ‘friends’?, looks at what companies need to know when drafting their social media policies.  Copies of both articles are available via this link.

New Jersey District Court Allows Plaintiff to Proceed to Trial on Claim of Unlawful Discharge, Dismisses Claims of Handicap and Discrimination

The New Jersey District Court in St. Cyr v. Brandywine Senior Living LLC, recently granted summary judgment to the employer dismissing the plaintiff’s causes of action for handicap and race discrimination, but allowed the plaintiff to go to trial on her claim that she was unlawfully discharged in violation of the FMLA in retaliation for asking for a medical leave of absence because she was fired only two days before the leave of absence was to begin.  In granting summary judgment on the claim of handicap discrimination, the court determined that the plaintiff, who suffered from arthritis, was not “handicapped” under the NJLAD because the condition, which  was alleviated with medication, did not interfere with her ability to perform her job, and because she never asked for an accommodation for the condition.  The court rejected her claim of race discrimination based on her admission that the only evidence implicating racial animus was the fact that she was fired for watching the BET Network on television during working hours.  The court noted that the plaintiff, who had previously been placed on probation for poor performance and was on final warning, was replaced by an African American employee and had failed to show the legitimate reason given for her discharge was pretextual.  Despite that finding, however, and despite the fact that the employer had granted the plaintiff’s request for a medical leave of absence, the court denied summary judgment on the claim of retaliatory discharge under the FMLA based only on the determination that the timing of the discharge – only two days before her FMLA leave was to begin – was “unusually suggestive” of retaliatory motivation.  The court did not explain how the timing could be suspect if that was when the plaintiff was found watching television instead of doing her job, and if there was no evidence that the proffered reason was pretextual.

New Jersey District Court Denies Employer’s Motion to Dismiss Plaintiff’s Cause of Action After Employee’s Supervisor Gains Unauthorized Access to Employee’s Facebook Account

In Ehling v. Monmouth-Ocean Hospital Service Corp., the District Court in New Jersey recently denied the employer’s motion to dismiss the plaintiff’s cause of action for invasion of privacy in connection with a supervisor having gained unauthorized access to her private Facebook account.  The plaintiff nurse, who was also the union president at the hospital, had posted comments on her Facebook wall about the news story out of Washington, D.C. in 2009 concerning the killing of a security guard at the Holocaust Museum by a white supremacist in which she expressed her opinion or rant that the paramedics in D.C. should have let the shooter die rather than help him after he was shot during the incident:  “He survived [and] I blame the DC paramedics.  I want to say 2 things to the DC  medics.  1.  WHAT WERE YOU THINKING?  and 2.  This was your opportunity to really make a difference!  WTF!!!!  And to the other guards…. go to target practice.”  The supervisor apparently wanted access to plaintiff’s Facebook comments because of her leadership role with the union, and convinced a co-worker to give him access to her private account so he could copy her postings. When he saw the comments about the D.C. incident he sent a copy to the State Board of Nursing suggesting that it represented an improper disregard for patient safety.

On the employer’s motion to dismiss the invasion of privacy claim on the grounds that there can be no expectation of privacy with respect to Facebook postings, the court decided that the question whether the plaintiff had a reasonable expectation of privacy was for a jury to decide based on the circumstances, including the number of “friends” who had access to her Facebook wall where the plaintiff claimed that she had restricted access to her friends but did not provide access to any supervisors or members of management.  The court did not address the separate question whether a rant expressing an opinion about a news report could be considered an expression of one’s “private affairs” subject to protection under invasion of privacy law, and did not address the fact that Facebook specifically includes in its Privacy Policy a disclaimer to the effect that there is no guarantee of privacy and that users make postings at their own risk inasmuch as anyone with access can copy or share comments with anyone they choose.

Federal Judge Rules for Nurses in Multi-Million Dollar Class Action for Unpaid Overtime

A federal judge in Pennsylvania has signed off on a multi-million dollar settlement of a class action lawsuit for unpaid overtime brought by registered nurses against a number of hospitals affiliated with the Lehigh Valley Hospital and Health Network.  The nurses claimed in their lawsuit, which was filed in January 2010, that the Hospitals violated the FLSA and Pennsylvania wage law by paying them on a per-shift basis, failing to compensate them for reporting early or remaining on duty after their shifts ended, and also failing to pay for work performed during lunch periods or while attending training.  The $4.5 million settlement provides more than $2.5 million to the more than 2,000 nurses who joined in the lawsuit.  This is a significant development for hospitals and other health care providers who pay nurses on a per-shift basis.  While Pennsylvania and New Jersey have enacted statutes which prohibit mandatory overtime for nurses, the laws allow nurses to volunteer for extra hours and to work overtime in emergencies or unforeseen circumstances.  Nurses are entitled to overtime pay in such circumstances whenever they work more than 40 hours in a week.

U.S. Supreme Court to Hear Arguments in Case that Could Have Significant Impact on Strategies Available to Defend FLSA Collective Actions

The United States Supreme Court recently granted certiorari of a decision by the Third Circuit Court of Appeals, Symczyk v. Genesis HealthCare Corp., 656 F.3d 189 (3d Cir. 2011), a case that could have a significant impact on employers’ litigation strategy in putative FLSA collective actions.  The Third Circuit in Symczyk held that a collective action brought under the FLSA is not rendered moot when the defendant makes a Rule 68 offer of compromise in full satisfaction of the individual claim to a putative representative before the class representative moves for “conditional certification” and before any other plaintiff opts into the action.

Under the FLSA, an employee may file a “collective action” against an employer on behalf of himself and other similarly situated employees.  Unlike traditional class actions, however, the FLSA requires that the “similarly situated” employees affirmatively decide to join or opt into the collective action.  In Symczyk, the plaintiff filed a putative FLSA collective action, alleging that her employer, Genesis, automatically deducted her pay for meal breaks regardless of whether she performed any compensable work during the break.  After answering the Complaint, Genesis served the plaintiff with an offer of judgment for the full amount of her claims, including costs and attorneys’ fees, pursuant to Federal Rule of Civil Procedure 68.  Genesis then moved to dismiss the Complaint, arguing that the offer to pay her claims in full mooted the claims, depriving the plaintiff of any ongoing personal stake or legally cognizable interest in the litigation, and divesting the court of any jurisdiction over the case.

The district court granted Genesis’ motion, holding that an offer in full satisfaction of a plaintiff’s claims moots those claims.  At this point, no other employees had opted into the suit because the plaintiff had not yet sought conditional certification of the collective action.  Thus, the case was dismissed.  The Third Circuit reversed, holding that “conventional mootness principles do not fit neatly within the representative action paradigm.” Id. at 195.  The court compared FLSA collective actions to class actions, in which it is settled law that a defendant cannot moot a putative class action by making an offer of judgment to the named plaintiff before the class is certified and held that there was no rationale for treating the two types of actions differently.  Id. at 197-201.

Accordingly, the Third Circuit reversed, holding that “[w]hen Rule 68 morphs into a tool for the strategic curtailment of representative actions, it facilitates an outcome antithetical to the purposes behind [the FLSA].”  Id. at 200.  The Third Circuit remanded to the district court in order to allow the plaintiff to file a motion for conditional certification, which would then be deemed to “relate back” to the filing of the original complaint and thus preserve the district court’s subject matter jurisdiction. Id. at 201  The Third Circuit noted that if the mootness inquiry were based solely on whether another employee had opted in at the same moment a plaintiff receives a Rule 68 offer of judgment, employers would encounter little or no difficulty in “preventing FLSA plaintiffs from attaining the “representative” status necessary to render an action justiciable.”  Id. at 199.

The Third Circuit’s decision in Symczyk cited with approval the Fifth Circuit’s decision in Sandoz v. Cingular Wireless LLC, 553 F.3d 913, 922 (5th Cir. 2008) (holding that, although a Rule 68 Offer of Judgment could theoretically moot a FLSA collective action, the “relation back principle applies to ensure that defendants cannot unilaterally “pick off” collective action representatives and thwart availability of collective actions under the FLSA.”)

However, both the Ninth and Eleventh Circuits have held, to the contrary, that an offer of judgment for the full amount of the named plaintiff’s claims prior to the certification of a class does moot a collective action. See Smith v. T-Mobile USA, Inc., 570 F.3d 1119, 1122-23 (9th Cir. 2009); Cameron-Grant v. Maxim Healthcare Serv., Inc., 347 F.3d 1240 (11th Cir. 2003).

The Supreme Court granted Genesis’ petition for certiorari on June 25, 2012 and stated the question presented as “Whether a case becomes moot, and thus beyond the judicial power of Article III, when the lone plaintiff receives an offer from the defendants to satisfy all of the plaintiff’s claims.”  The Supreme Court’s decision in this case will likely have a significant impact on the strategies available to employers to defend against FLSA collective actions and will also resolve a circuit split on this issue.

The Court will hear the case in the term beginning October 2012, and a ruling is expected by the end of the term in June 2013.

 

©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy