This week the Ninth Circuit Court of Appeals issued a published opinion rejecting an employer’s argument that its former employee violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009).
The Seventh Circuit reached the opposite conclusion in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), reasoning that when an employee breaches his duty of loyalty to the employer, the agency relationship terminates and the employee is no longer “authorized” to access the employer’s computer within the meaning of the CFAA.
The Ninth Circuit rejected this statutory interpretation as contrary to the rule that where a statute has both criminal and noncriminal applications, courts should interpret it consistently in both contexts and resolve ambiguity in favor of lenity, avoiding interpretations that are “surprising and novel.” Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the statute regardless of his motivation.
The opinion suggests that the result might have been different if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment.