The top 10 non-compete law developments in 2021 demonstrated a continued hostility by lawmakers and courts toward noncompetition and no-hire agreements, as well as the need for employers to stay current on the diverse state-specific limitations governing restrictive covenants, new federal activity in the area and ongoing case law developments. In light of these trends, national employers would do well to (1) be selective in identifying those categories of employees required to sign such agreements, (2) rely on allowable choice-of-law and venue provisions to maximize the chances of enforceability, (3) keep a keen eye on likely federal developments in the year ahead and (4) avoid no-poach agreements with employers as a poor substitute for narrowly tailored employee non-compete agreements.
In a decision handed down yesterday, the Supreme Court held that civil liability under the Computer Fraud and Abuse Act (“CFAA”) does not attach for employees who abuse or misuse their access credentials in accessing their current or former employers’ computer networks. Rather, to be liable under the CFAA, the employees must access databases or other electronic materials that are outside of their access rights and otherwise off-limits to them.
The case, Van Buren v. United States, arose out of the actions of a former police sergeant. The former officer, Van Buren, used his valid login credentials to search his police department database for a particular license plate number in exchange for a bribe, but was caught by an FBI sting operation. Van Buren was charged with a felony violation of the CFAA—18 U.S.C. § 1030(a)(2). An individual is liable under this section (which can carry both civil and criminal penalties) if he “intentionally accesses a computer without authorization or exceeds authorized access.” The statute defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).
In WEC Carolina Energy Solutions LLC v. Miller, 2012 WL 3039213 (4th Cir) decided July 26, 2012, the Fourth Circuit sided with the Ninth Circuit in deciding that the Computer Fraud and Abuse Act (“CFAA”) does not apply to employees and former employees who were authorized to access the employer’s electronic information. The decision stands in contrast to the position taken by the Seventh Circuit in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006). The Fourth Circuit rejects the interpretation of the CFAA taken by the Seventh Circuit, which interprets the CFAA much more broadly. The Seventh Circuit concludes that an employee’s misappropriation of electronic information from his employer is a breach of the employee’s duty of loyalty that immediately terminates his agency relationship and with it his authority to access the laptop, because the only basis of his authority had been that relationship.
WEC Carolina Energy Solutions Inc. argued that its former employee violated the CFAA’s ban on access “without authorization” by taking files from his work computer to a rival company. The employer had argued in the District Court that by misappropriating the information, Miller voided his agreement with the company, and, therefore, he was no longer permitted to access his computer under the CFAA. The District court rejected that interpretation of the CFAA and the Fourth Circuit affirmed. In so ruling the Court “ adopt[s] a narrow reading of the terms “without authorization” and “exceeds authorized access” and hold[s] that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”
The Fourth Circuit, like the Ninth and Seventh Circuits, found the crux of the issue presented to be “the scope of ‘without authorization’ and ‘exceeds authorized access,’” but the Fourth Circuit finds the Ninth Circuit argument in United States v. Nosal, 676 F.3d 854, 863 (9th Cir.2012) (en banc), the better interpretation of “authorization” as being “that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer ‘without authorization’ when he gains admission to a computer without approval. Similarly, we conclude that an employee ‘exceeds authorized access’ when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access. Notably, neither of these definitions extends to the improper use of information validly accessed. (citations omitted.)” Unlike the Ninth Circuit, however, which was willing to find that a CFAA violation could be established where an employee exceeded his authority under a company access policy, the Fourth Circuit ruling is even more restrictive than the Ninth Circuit’s view. The Fourth Circuit “adopt[s] a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”
Given that the CFAA has both criminal and civil liability the Fourth Circuit chose to strictly construe the language. Even “under the Nosal panel’s approach, because [the employee] obtained information ‘in a manner’ that was not authorized (i.e., by downloading it to a personal computer), he nevertheless would be liable under the CFAA. See § 1030(a)(2)(C). Believing that Congress did not clearly intend to criminalize such behavior, we decline to interpret ‘so’ as ‘in that manner.’” The bottom line—the Fourth Circuit approach, “reject[s] an interpretation of the CFAA that imposes liability on employees who violate a use policy, choosing instead to limit such liability to individuals who access computers without authorization or who obtain or alter information beyond the bounds of their authorized access.”
While the lines of the split in Circuits has become more defined with WEC Carolina Energy Solutions LLC, predicting what the Supreme Court will do with that split is another story. My money is on Judge Posner’s interpretation in International Airport Centers, partly because he is a brilliant jurist and I practice in the Seventh Circuit, but mostly because that is the interpretation that expands an employer’s arsenal of protections against cheating employees. However, until the fat lady [U.S. Supreme Court] sings employers should continue to draft and implement a computer access and use policy for its employees that assumes that a well drafted policy violated by an employee can be enforced under the CFAA, so long as the employer can demonstrate $5,000 in damages to the employer resulted from the employee’s actions.