Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct Under the Computer Fraud and Abuse Act
2013; Wiley; Volume: 50; Issue: 2 Linguagem: Inglês
10.1111/ablj.12010
ISSN1744-1714
AutoresStephanie M. Greene, Christine Neylon O'Brien,
Tópico(s)Digitalization, Law, and Regulation
ResumoAmerican Business Law JournalVolume 50, Issue 2 p. 281-335 Original Article Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct Under the Computer Fraud and Abuse Act Stephanie Greene, Stephanie GreeneSearch for more papers by this authorChristine Neylon O'Brien, Christine Neylon O'BrienSearch for more papers by this author Stephanie Greene, Stephanie GreeneSearch for more papers by this authorChristine Neylon O'Brien, Christine Neylon O'BrienSearch for more papers by this author First published: 28 May 2013 https://doi.org/10.1111/ablj.12010Citations: 3 We wish to thank Professor Margo E.K. Reder, Boston College, for her research and assistance on this article. This article was selected as Holmes Cardozo Finalist and Distinguished Proceedings Paper and received the Best Employment Paper Award sponsored by Jackson Lewis LLP at the Academy of Legal Studies in Business Conference 2012. Read the full textAboutPDF ToolsExport citationAdd to favoritesTrack citation ShareShare Give accessShare full text accessShare full-text accessPlease review our Terms and Conditions of Use and check box below to share full-text version of article.I have read and accept the Wiley Online Library Terms and Conditions of UseShareable LinkUse the link below to share a full-text version of this article with your friends and colleagues. Learn more.Copy URL Share a linkShare onEmailFacebookTwitterLinkedInRedditWechat Footnotes 1See Ed Frauenheim, Stop Reading this Headline and Get Back to Work (July 11, 2005), Cnet/News, http://news.cnet.com/Stop-reading-this-headline-and-get-back-to-work/2100-1022_3-5783552.html (discussing a web survey of 10,000 employees conducted by salary.com and web portal America Online that showed surfing the web was the largest time waster at work, and noting that most employees spend more than two of their eight work hours on personal, nonwork matters) see also Andrew T. Hernacki, Comment, A Vague Law in a Smartphone World: Limiting the Scope of Unauthorized Access Under the Computer Fraud and Abuse Act, 61 Am. U. L. Rev. 1543, 1544–48 (2012) (noting widespread use of cellphones, smartphones, and mobile devices with mobile applications and arguing that broad interpretation of unauthorized access under the CFAA violates the vagueness doctrine and due process). 2See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190, 2190–92 (1984). The Computer Fraud and Abuse Act, Pub. L. No. 99-474, 100 Stat. 1213 (1986), is the name of the 1986 amendment to 18 U.S.C. § 1030 (2006). See Part I infra for a detailed explanation of the relevant sections of the CFAA. 3See discussion infra at Part V.A; see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–31 (9th Cir. 2009); Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495–96 (D. Md. 2005). Hacking is used to describe a variety of compromises to networked computers, ranging from innocuous customizations ("modding"), to circumventing security protocols, and further, criminal acts done to systems that perpetrate even more harm. See Fernando M. Pinguelo & Bradford W. Muller, Virtual Crimes, Real Damages: A Primer on Cybercrimes in the United States and Efforts to Combat Cybercriminals, 16 Va. J.L. & Tech. 116, 132–35 (2011); Julian E. Barnes & Daniel Lippman, Malware Threat to Internet Corralled, Wall St. J., July 9, 2012, at B3. 4See Part II.A & B discussing a broad interpretation of the CFAA. While the cases courts have considered to date have involved serious transgressions, Part III of this article discusses the en banc decision of the Ninth Circuit Court of Appeals in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), where the majority noted that the less serious transgressions would be subject to the same analysis and consequences as more serious infractions. Id. at 862; see also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (rejecting an interpretation that would hold employees liable for checking "the latest Facebook posting or sporting event scores"); Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1599 (2003) (discussing the alarming prospect of broad interpretation of the CFAA resulting in expanding criminal liability to breach of contract cases). 5See Greg Pollaro, Disloyal Computer Use and the Computer Fraud and Abuse Act: Narrowing the Scope, 2010 Duke L. & Tech Rev., No. 12, at ¶ 3 (concluding "the CFAA was not designed to apply to employer/employee claims that are traditionally handled under state tort and contract law"). It should be noted that egregious disloyalty may be proffered as a defense by employers who have disciplined or discharged employees for engaging in concerted activities that are protected by section 7 of the National Labor Relations Act. See Christine Neylon O'Brien, The First Facebook Firing Case Under Section 7 of the National Labor Relations Act: Exploring the Limits of Labor Law Protection for Concerted Communication on Social Media, 45 Suffolk U. L. Rev. 29, 49–58 (2011) (discussing the Supreme Court's ruling in NLRB v. Local Union No. 1229, Int'l Bhd. Elec. Workers (Jefferson Standard), 346 U.S. 464, 476–77 (1953), that an employer need not retain an employee when conduct is so disloyal to the employer that it provides a separate cause for discharge); cf. Matthew W. Finkin, Disloyalty! Does Jefferson Standard Stalk Still?, 28 Berkeley J. Emp. & Lab. L. 541, 551–57 (2007) (questioning the value of disloyalty as a standard and noting it chills speech of social value). The concept of disloyalty is based upon the agency concept that an employee owes a duty of loyalty to his or her employer. See Charles A. Sullivan, Mastering the Faithless Servant?: Reconciling Employment Law, Contract Law, and Fiduciary Duty, 2011 Wis. L. Rev. 777, 777–78, 806 (noting that the most recent Restatement of Agency (Third) (2006) views employees as a species of agent). An employee violates the duty of loyalty owed to the employer when the employee does not act solely for the benefit of the employer in matters connected to the agency/employment, and, in such cases, the employer may recover secret profits as well as wages paid during the period of disloyalty. See Marisa Warren & Arnie Pedowitz, Practitioner's Note, Social Media, Trade Secrets, Duties of Loyalty, Restrictive Covenants and Yes, The Sky Is Falling, 29 Hoftsra Lab. & Emp. L.J. 99, 105 (2011) (discussing cases relying upon the Restatement (Second) of Agency). Numerous statutory employment protections are limited by the concept that even if an employee has engaged in protected activity, he or she may nonetheless be subjected to discipline or discharge for separate unprotected activities that provide an independent cause for discipline. Thus, engaging in protected activities, or being a member of a protected class, does not provide carte blanche for employee misbehavior, including that which is disloyal to the employer. In the context of CFAA cases, the agency-based interpretation of authorization is perhaps best illustrated in the Seventh Circuit's decision in Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006), discussed infra Part II, in which the court ruled the employer/employee agency relationship terminated when the employee violated a duty of loyalty by failing to disclose his adverse interests. See Matthew Kapitanyan, Beyond WarGames: How the Computer Fraud and Abuse Act Should Be Interpreted in the Employment Context, 7 I/S: J.L. & Pol'y for Info. Soc'y 405, 423 (2012) (discussing Citrin as "the marquee case for the agency-based interpretation of authorization"). 6See, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1122 (W.D. Wash. 2000) (listing plaintiff's allegations, which included, in addition to violations of the CFAA, misappropriation of trade secrets, conversion, unfair competition, and tortious interference with a business expectancy). 7See Margo E.K. Reder & Christine Neylon O'Brien, Managing the Risk of Trade Secret Loss Due to Job Mobility in an Innovation Economy with the Theory of Inevitable Disclosure, 12 J. High Tech. L. 373, 382 (2012) (defining the law of trade secrets); Unif. Trade Secrets Act §§ 1–12 (1985), available at http://www.uniformlaws.org/shared/docs/trade%20secrets/utsa_final_85.pdf (last visited Oct. 29, 2012). 8Pub. L. No. 104-294, § 101, 110 Stat. 3488 (1996) (codified at 18 U.S.C. §§ 1831–1839 (2006)). 9See Sorodsky v. Cuomo, No. 12-CV-4420 (ARR) (LB), 2012 U.S. Dist. LEXIS 151581, at * 9–10 (E.D.N.Y. Oct. 11, 2012) ("[Plaintiff's] claim … cannot proceed as there is no private right of action under the EEA."); Cooper Square Realty, Inc. v. Jensen, No. 04 Civ. 01011 (CSH), 2005 U.S. Dist. LEXIS 323, at *3 (S.D.N.Y. Jan. 5, 2005) ("[C]ongressional intent—articulated in the text of the EEA as well as its legislative record—expressly and unambiguously demonstrates that Congress did not establish a private cause of action in the EEA."); Kyle W. Brenton, Trade Secret Law and the Computer Fraud and Abuse Act: Two Problems and Two Solutions, 2009 U. Ill. J.L.Tech. & Pol'y 429, 454 (noting that the EEA's lack of a private right of action could be the "most telling piece of evidence that Congress did not intend the CFAA to apply to trade secret theft"). 10See Thomas E. Booms, Note, Hacking into Federal Court: Employee "Authorization" Under the Computer Fraud and Abuse Act, 13 Vand. J. Ent. & Tech. L. 543, 544–46 (2011) (noting increasing workplace computer use and employers looking to the CFAA to prevent insiders from misappropriating confidential information and seeking monetary relief from disloyal employee misappropriation). 11See id. at 557–59 (discussing courts that have adopted a broad view that employee misuse vitiates authorization). 12See Garrett D. Urban, Causing Damage Without Authorization: The Limitations of Current Judicial Interpretations of Employee Authorization Under the Computer Fraud and Abuse Act, 52 Wm. & Mary L. Rev. 1369, 1376–79 (2011) (discussing cases applying agency and contract theories to exceeding authorized access under the CFAA). 13See Exec. Office for U.S. Attorneys, U.S. Dep't of Justice, Prosecuting Intellectual Property Crimes 5–7 (3d ed. Sept. 2006), available at http://www.lb5.uscourts.gov/ArchivedURLs/Files/09-20074%281%29.pdf (reasoning that "criminal sanctions are often warranted to punish and deter the most egregious violators" and detailing strategies for prosecution). 14See Brenton, supra 9, at 430–31 (noting the CFAA does not contain the same proof requirements as trade secret law and disrupts the delicate equilibrium between employer and employees); see also R. Mark Halligan, Protection of U.S. Trade Secret Assets: Critical Amendments to the Economic Espionage Act of 1996, 7 J. Marshall Rev. of Intell. Prop. L. 656, 673–75 (2008) (discussing use of the CFAA in the trade secret context and the need for a private right of action under the EEA). 15 United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012) [hereinafter Nosal IV]. See supra 3 and accompanying text discussing hacking. 16Nosal IV, 676 F.3d at 857. 17Id. at 863 ("We … respectfully decline to follow our sister circuits . …"). 18 WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203 (4th Cir. 2012). 19See United States v. Rodriguez, 628 F.3d 1258, 1263–64 (11th Cir. 2010), cert. denied, 131 S. Ct. 2166 (2011) (holding the CFAA was violated due to employer policy breach); United States v. John, 597 F.3d 263, 270–273 (5th Cir. 2010) (holding the CFAA was violated due to breach of the duty of loyalty based on unlawful use of material lawfully accessed); Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–421 (7th Cir. 2006) (holding the CFAA was violated based on unlawful access when agency relationship terminated due to breach of employment contract and breach of duty of loyalty); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581–582 (1st Cir. 2001) (holding the CFAA was violated based on terms of a broad confidentiality agreement prohibiting access to employer information). The Second Circuit's stance on CFAA cases is possibly in flux at this time. Compare United States v. Morris, 928 F.2d 504 (2d Cir. 1991) (finding CFAA violation for unauthorized access), with United States v. Aleynikov, 676 F.3d 71, 75 (2d Cir. 2012) (noting that the district court dismissed the CFAA charge on grounds that "authorized use of a computer in a manner that misappropriates information is not an offense under the Computer Fraud and Abuse Act"). See infra Part IV (discussing the split among the circuits on interpretation of the terms "without authorization" and "exceeds authorized access" in the CFAA). 20See Rodriguez, 628 F.3d at 1263–64; John, 597 F.3d at 271; Citrin, 440 F.3d at 420–21; EF Cultural Travel, 274 F.3d at 581–82. 21676 F.3d at 860–63. 22See Charles Doyle, Cong. Research Serv., 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws (Dec. 27, 2010), available at http://www.fas.org/sgp/crs/misc/97-1025.pdf. 23See Frank P. Andreano, The Evolution of Federal Computer Crime Policy: The Ad Hoc Approach to an Ever-Changing Problem, 27 Am. J. Crim. L. 81, 81–82 (1999); see also Dodd S. Griffith, Note, The Computer Fraud and Abuse Act of 1986: A Measured Response to a Growing Problem, 43 Vand. L. Rev. 453, 460 (1990). 24 Andreano, supra 23, at 85–88. 25See Shawn E. Tuma, "What Does CFAA Mean and Why Should I Care?"—A Primer on the Computer Fraud and Abuse Act for Civil Litigators, 63 S.C. L. Rev. 141, 154–60 (2011) (discussing the Act's rationale and evolution). 2618 U.S.C. § 1030(g) (2006). See S. Rep. No. 104-357, at 11–12 (1996); see also Matthew Andris, Comment, The Computer Fraud and Abuse Act: Reassessing the Damage Requirement, 27 J. Marshall J. Computer & Info. L. 279, 284–87 (2009) (reviewing each of the amendments to the CFAA); Nick Akerman & Patricia Finnegan, Computer Law: Civil Relief Under CFAA, Nat'l L.J., Dec. 24–31, 2001, at A19. 27See Brenton, supra 9, at 440–47 (discussing the Act's redundancies with state trade secret laws). 2818 U.S.C. § 1030(a)(3). 29Id. § 1030(a)(2). 30Id. § 1030(a)(5). "Protected computer" is defined at id. § 1030(e)(2). 31Id. § 1030(a)(4). 32Id. § 1030(a)(7). 33Id. § 1030(a)(6). 34Id. § 1030(a)(1). Attempt and conspiracy to commit these crimes are prohibited by id. §1030(b). 35See id. § 1030(c). 36See id. 37See generally Nosal IV, 676 F.3d at 857–58. See generally Obie Okuh, Comment, When Circuit Breakers Trip: Resetting the CFAA to Combat Rogue Employee Access, 21 Alb. L.J. Sci. & Tech. 637, 650–55 (2011). 3818 U.S.C. § 1030(a)(2)(C) (2006). 39Id. § 1030(a)(5)(C). 40See Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, § 290001(d), 108 Stat. 1796, 2098 (1994) (codified at 18 U.S.C. § 1030(g)). See also Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1563–71 (2010) (detailing the expansion of the CFAA). 4118 U.S.C. § 1030(c)(4)(A)(i). 42See id. § 1030(e)(2); Kerr, supra 40, at 1568 (noting that because every computer connected to the Internet is used in interstate commerce, every computer connected to the Internet is a protected computer). The definition was amended to include computers "used in interstate commerce or communication." Id. A further amendment changed the definition to include computers "used in or affecting interstate or foreign commerce or communication," signaling Congress's intent that it be able to regulate to the full extent of its Commerce Clause power. See id. at 1570; see also Freedom Banc Mortg. Servs, Inc. v. O'Harra, No. 2:11-cv-01073, 2012 U.S. Dist. LEXIS 125734, at *12–15 (S.D. Ohio Sept. 5, 2012) (tracing the CFAA's expanded definition of "protected computer" and concluding that "[a] computer that is connected to the internet [ ] satisfies [the CFAA's] interstate commerce requirement even if the plaintiff used that connection to engage in only intrastate communications"; NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1060 (S.D. Iowa 2009). 43See cases cited supra 19. 44Compare 18 U.S.C. § 1030(a)(1) (using both phrases), with § 1030(a)(5) (using just the "without authorization" phrase). 45See Brandon Darden, Comment, Definitional Vagueness in the CFAA: Will Cyberbullying Cause the Supreme Court to Intervene?, 13 SMU Sci. & Tech. L. Rev. 329, 333 (2010). 4618 U.S.C. § 1030(e)(6). 47See, e.g., WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012) (recognizing "that the distinction between these terms is arguably minute"). 48For a discussion of hackers and insiders who exceed authorized access, see Part V infra. 49See Kerr, supra 4, at 1643 (recommending use of breach of code-based access as a trigger for "exceeding authorized access"). Code-based security regulates access to a computer through computer code. See David J. Rosen, Limiting Employee Liability Under the CFAA: A Code-Based Approach to Exceeds Authorized Access, 27 Berkeley Tech. L.J. 737, 740 (2012). Other crimes that damage computers or computer systems are also prohibited by the CFAA, such as inserting worms and distributing denial-of-service attacks. See Kerr, supra 4, at 1603–04 (discussing these damaging acts); see also Office of Legal Educ., Exec. Office for U.S. Attys, Dep't of Justice, Prosecuting Computer Crimes 35 (2007), available at http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf (noting a virus or worm can use up all available bandwidth on an employer's computer network thus denying employees access, deleting files, crashing computers, installing malicious software, and in general doing things to impair the computer's security; also noting that denial-of-service attacks flood a victim's computer with useless information and prevent legitimate users from access). 50See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581–82 (1st Cir. 2001) (holding that the CFAA was violated based on terms of a broad confidentiality agreement prohibiting such access to employer information). 51See Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006) (holding the CFAA was violated through unlawful access when the agency relationship terminated because the employee breached his duty of loyalty by destroying files that were employer property). 52Id. at 421 (citing Restatement (Second) of Agency § 112 (1958); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1123, 1125 (W.D. Wash. 2000)). 53See Kerr, supra 4, at 1640. 54See Kerr, supra 40, at 1576–77 (characterizing the CFAA as "breathtakingly broad" and arguing that courts must adopt a meaning of unauthorized access that limits "the discretion of law enforcement authorities to bring charges at their whim" and "does not give the government the power to arrest any typical computer user"). 55See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–31 (9th Cir. 2009); Int'l Assoc. of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495–96 (D. Md. 2005). 56See cases collected supra at 19 and accompanying text; see also NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1058–1059 (S.D. Iowa 2009) (arguing that the CFAA's legislative history supports liability for misappropriation of confidential information); Shurgard Storage Ctrs., 119 F. Supp. 2d at 1127–1129 (concluding same). 57 Shurgard Storage Ctrs., 119 F. Supp. 2d at 1124 n.3 (W.D. Wash. 2000). In 2003, the Ninth Circuit recognized that the CFAA could provide a civil remedy to a third party whose computer was accessed without authorization, because the statute states that "any person who suffers damage or loss" may recover. Theofel v. Farey-Jones, 341 F.3d 978, 986 (9th Cir. 2003). 58 P.C. Yonkers, Inc. v. Celebrations the Party & Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005) (citing Pacific Aerospace & Elecs., Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196 (E.D. Wash. 2003)). 59Id. 60 EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). 61See Booms, supra 10. 62 EF Cultural Travel, 274 F.3d at 579. 63Id. 64Id. 65Id. at 579–80. 6618 U.S.C. § 1030(a)(4) (2006). 67 EF Cultural Travel, 274 F.3d at 583. 68Id. at 581. 69Id. at 583. 70440 F.3d 418, 420 (7th Cir. 2006). 71Id. at 419. 72Id. 73Id. (citing 18 U.S.C. § 1030(a)(5)(A) (2006)) (emphasis added). 74Id. at 420. 75Id. (citation omitted). 76Id. at 420. 77Id. at 420–21. 78119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000). 79Id. 80 Restatement (Second) of Agency § 112 (1958). 81See, e.g., NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1059 (S.D. Iowa 2009); Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45–46 (D. Mass. 2009) (following the First Circuit's broad interpretation). See generally Katherine Mesenbring Field, Note, Agency, Code, or Contract: Determining Employees' Authorization Under the Computer Fraud and Abuse Act, 107 Mich. L. Rev. 819, 823–829 (2009) (discussing agency and contract-based interpretations). 82 Kerr, supra 4, at 1599, 1637–39. Professor Kerr also noted some of the analytical problems presented in the earliest case decided under the CFAA, that of United States v. Morris, 928 F.2d 504 (2nd Cir. 1991). Id. at 1629–32. This was a criminal case involving not a disloyal employee, but an outside hacker. Morris unleashed a worm on a computer that he was authorized to use, but his intent to access computers that he was not authorized to use was implied because he knew that the worm would invade computers that he was not authorized to access. Id. He used weaknesses in programs to obtain access in unintended ways. Id. at 1632. Thus, Morris's use of the computer that he was authorized to use was an unintended, as opposed to an intended use, and was "without authorization." Id. The intended function test used by the Second Circuit to indict Morris was not adopted by other courts. For a further discussion of United States v. Morris, see infra text accompanying 229-233. 83See Kerr, supra 4, at 1599. 84See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); Field, supra 81, at 827–29. 85119 F. Supp. 2d 1121 (W.D. Wash. 2000). 86See Richard Warner, The Employer's New Weapon: Employee Liability Under the Computer Fraud and Abuse Act, 12 Emp. Rts. Employ. Pol'y J. 11, 19, 27 (2008) (noting "widespread endorsement" of Shurgard and that "Shurgard's approach is likely to stand"). 87 United States v. John, 597 F.3d 263, 271 (5th Cir. 2010). 88Id. at 269. 89Id. at 271. 90Id. at 272. 91Id. 92 United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010). 93Id. at 1260. 94Id. 95Id. 96See United States v. John, 597 F.3d 263, 271 (5th Cir. 2010). 97 Rodriguez, 628 F.3d at 1260–62. 98Id. at 1260. 99Id. 100Id. 101Id. at 1263. 102Id. at 1264. 103Id. 104Id. at 1263. In United States v. Teague, 646 F.3d 1119 (8th Cir. 2011), the Eighth Circuit Court of Appeals upheld the conviction of a woman who allegedly used her privileged access to the National Student Loan Data System to access President Obama's student loan records. Teague was convicted under sections 1030(a)(2)(B) and (c)(2)(A) of the CFAA and sentenced to two years of probation. Id. at 1120. The appeal did not address whether she had "exceeded authorized access," but rather whether she had the right to a computer expert to review certain discovery documents. The court found that Teague did not demonstrate that the expert was necessary to her defense. Id. at 1123–24. 105See, e.g., US Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008); Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1342 (N.D. Ga. 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31KRS, 2006 U.S. Dist. LEXIS 53108, at *15 (M.D. Fla. Aug. 1, 2006). 106See Lockheed Martin, 2006 U.S. Dist. LEXIS 53108, at *17–24. "[T]he rule of lenity, a rule of statutory construction for criminal statutes, requires a restrained, narrow interpretation." Id. at *23. See also infra text accompanying 121. 107581 F.3d 1127 (9th Cir. 2009). 108676 F.3d 854 (9th Cir. 2012). 109Brekka, 581 F.3d at 1135. 110Id. at 1129 111Id. at 1129–30. 112Id. at 1130–31 113Id. at 1133–35. The case also considered whether Brekka was "without authorization" in accessing the company's website after he left the employer. The court stated that if he had done so he would have acted "without authorization," but there was insufficient evidence to determine that Brekka had accessed the website after he left the employer. Id. at 1136–37. 114Id. at 1133. 115Id. 116Id. 117Id. at 1135. 118Id. 119Id. at 1129. 120Id. at 1134. 121Id. 122Id. at 1135. 123597 F.3d 263, 272 (5th Cir. 2010). 124Id. at 273. 125Id. 126Id. 127Id. 128 United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1129 (9th Cir. 2009)). 129See id. 130648 F.3d 295 (6th Cir. 2011). A 2012 decision in the U.S. District Court for the Eastern District of Michigan states that "Pulte suggests the Sixth Circuit would adopt a narrow interpretation of the CFAA when the issue presents itself in the context of an employment dispute." Ajuba Int'l, L.L.C. v. Saharia, No. 11-12936, 2012 U.S. Dist. LEXIS 66991, at *31 (E.D. Mich. May 14, 2012). The Ajuba court adopted the narrow reading of the CFAA. Id. at *32. 131Pulte, 648 F.3d at 299. 132Id. at 304. 133Id. at 303–04. 134Id. at 304 (citing Lockheed Martin Corp. v. Speed, No. 6:05-cv-1580-Orl-31KRS, 2006 U.S. Dist. LEXIS 53108, at *14 (M.D. Fla. Aug. 1, 2006)). 135676 F.3d 854 (9th Cir. 2012). 136Id. See supra 19 and accompanying text. 137676 F.3d at 856. 138Id. 139Id. at 859–61. 140Id. at 855–61. 141 United States v. Nosal, No. C 08-0237 MHP, 2010 U.S. Dist. LEXIS 24359, at *3 (N.D. Cal. Jan. 5, 2010) [hereinafter Nosal II]. 142Id. 143Id. 144Id. at *4. 145 United States v. Nosal, No. CR 08-00237 MHP, 2009 U.S. Dist. LEXIS 31423 at *3–4 (N.D. Cal. Apr. 13, 2009) [hereinafter Nosal I]. 146See id. at *4; 18 U.S.C. § 1030(a)(4) (2006). 147Nosal II, 2010 U.S. Dist. LEXIS 24359, at *3–4. 148Id. at *18–20. 149Nosal I, 2009 U.S. Dist. LEXIS 31423, at *19–22. 150Id. at *20. 151Nosal II, 2010 U.S. Dist. LEXIS 24359, at *2. 152Id. at *16. 153Id. at *20 (alterations in original) (citing 18 U.S.C. § 1030(e)(6) (2006)). 154Id. at *20–21. 155Id. at *22. 156 United States v. Nosal, 642 F.3d 7
Referência(s)