A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA

Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained with such access, as the former AAT employees allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the word “authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can

NLRB Strikes Down Restrictions on Employee Communications on Social Media and Elsewhere — DirecTV U.S. DirecTV Holdings, LLC, 359 NLRB 54 (Jan. 25, 2013)

On the same day that the D.C. Circuit Court of Appeals ruled that President Obama’s recess appointments to the National Labor Relations Board (NLRB) were unconstitutional, the NLRB struck down several of DirecTV’s work rules, including one relating to social media use.  The ruling comes as little surprise, as it mirrors the positions and rationale stated in previous Guidance Memoranda issued by the NLRB’s Office of General Counsel.  Of course, this decision carries more weight because it’s issued by the Board itself (but query the ruling’s validity in light of the D.C. Circuit decision).

Restrictions on employee communication with the media

The first two rules instructed employees to “not contact the media,” and “not contact or comment to any media about the company unless pre-authorized by Public Relations.”  Section 7 of the National Labor Relations Act (NLRA) protects employee communications with the media concerning labor disputes.  The broad and unequivocal language of the rules could lead an employee to believe that such protected activity is not permitted under the rules, which is unlawful, the NLRB found.  The rules did not distinguish between protected and unprotected communications (e.g., maliciously false statements).

Restrictions on employee communication with NLRB agents

The next rule in question stated: “If law enforcement wants to interview or obtain information regarding a DIRECTV employee, whether in person or by telephone/email, the employee should contact the security department . . . who will handle contact with law enforcement agencies and any needed coordination with DIRECTV departments.”  The NLRB found that this rule would make employees think that they must go through their employer before cooperating with an NLRB investigation, as NLRB agents could reasonably be considered “law enforcement” as far as labor matters are concerned.  This violates Section 8(a)(4) of the NLRA, which protects employees who file unfair labor practice charges or who provide information in the course of an NLRB investigation.  While an employer could have a legitimate interest in knowing about attempts by law enforcement agents to interview employees, the rule failed to separate out those situations from those in which the Section 8(a)(4) protections apply.

Confidentiality

DirecTV instructed employees to “[n]ever discuss details about your job, company business or work projects with anyone outside the company” and to “[n]ever give out information about customers or DIRECTV employees.”  The rule identified “employee records” as one of the categories of “company information” that must be kept confidential.  The NLRB struck down these rules because employees could reasonably understand them to restrict discussion of their wages and other terms and conditions of employment.  The rule was also deficient in not exempting protected communications with third parties such as union representatives, NLRB agents, or other governmental agencies concerned with workplace matters.

Online Disclosures of “Company Information”

DirecTV posted a corporate policy on its intranet stating: “Employees may not blog, enter chat rooms, post messages on public websites or otherwise disclose company information that is not already disclosed as a public record.”  In addition to the policies on the intranet, DirecTV issued a handbook with overlapping sets of rules governing employee conduct and effectively directed employees to read them as one.  The handbook contains a confidentiality rule that defines “company information” as including “employee records.”  Reading the two policies together, an employee could understand the intranet policy to prohibit online disclosure of information concerning wages, discipline, and performance ratings.

LegalTXTS Notes: This ruling isn’t groundbreaking, but it confirms that the Board agrees with the positions taken in the previous OGC Guidance Memoranda on social media policies.  The D.C. Circuit does cast a pall over the validity of this ruling, although the NLRB supported the ruling with multiple Board decisions that were issued well before the recess appointments were made.