Technology Team Newsletter: “Brekking” Into an Employer’s Computer System Just Got a Little EasierOctober 1, 2009
In the recent case of LVRC Holdings, LLC v. Brekka, the Ninth Circuit Court of Appeals affirmed a judgment of the district court and held that an employee who emailed his employer's documents to himself both during and after his employment, did not violate the Computer Fraud and Abuse Act. (CFAA)
Christopher Brekka resided in Florida and worked in Nevada for LVRC Holdings, LLC in its internet marketing operation (LVRC) or the Company. LVRC owned and operated a residential treatment center for addicts in Nevada.
Brekka owned two consulting businesses, Employee Business Solutions, Inc., in Nevada (EBSN), and Employee Business Solutions, Inc., in Florida (EBSF). Both EBSN and EBSF obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities via internet sites.
While commuting between Florida and Nevada, Brekka, who was assigned a computer at LVRC, emailed company documents to himself, including financial documents, marketing information, and a patient list. Six months into his employment with LVRC, Brekka and LVRC began negotiations for Brekka to buy a financial interest in LVRC. These negotiations eventually failed and Brekka stopped working for LVRC.
A little more than a year after Brekka left LVRC, an LVRC employee discovered that someone using Brekka's password and login was continuing to access LVRC's website.
LVRC sued Brekka, EBSN, and EBSF (collectively, Brekka) in district court. LVRC alleged that Brekka violated the CFAA by accessing LVRC's computer without authorization, both while Brekka was employed at LVRC and after he left the company.
The district court granted summary judgment in favor of Brekka, and LVRC appealed.
The court of appeals affirmed, holding that Brekka did not use LVRC's computer without authorization under CFAA.
The court determined that Brekka did not access a computer without authorization in violation of CFAA when he emailed documents to himself prior to leaving LVRC, given that he was authorized to use LVRC's computers while he was employed there.
Nor did Brekka's emailing those documents exceed his authorized access under CFAA because he was entitled to obtain the documents.
CFAA does not define "authorization." Thus, the ordinary, contemporary, common meaning of CFAA suggested that Brekka did not act "without authorization" because LVRC permitted him to use the company computer.
There was no dispute that Brekka had permission to access the computer, since his job required him to use the computer. Moreover, there was no dispute that Brekka was still employed by LVRC when he emailed the documents to himself.
Further, LVRC failed to establish whether Brekka accessed the LVRC website without authorization after he left the company.
There was undisputed evidence that at least two LVRC employees used the computer, and that others had access to the computer after Brekka left LVRC.
Simply stated, there was not enough evidence upon which a reasonable jury could find that Brekka violated CFAA after he left LVRC.
What It All Means
Although the Brekka decision makes it more difficult for employers to use CFAA to protect against pirating employees, all is not lost.
Any claim under CFAA not dependent on showing "unauthorized access" is alive and well.
Claims against former employees who access their employer's computers also are alive and well. That claim failed in Brekka only because LVRC could not prove that it was Brekka who accessed the computer.
Brekka has no impact on state common law claims, such as interference with business relations, misappropriation of trade secrets, etc.
Using tightly crafted written policies and procedures employers can limit their employees' access to information stored on company computers.