Misuse of proprietary data alone doesn't violate CFAA, judge rules
Court rules that Computer Fraud and Abuse Act governs how data is accessed, not how it is used by persons with valid access
Computerworld - Federal courts have started ruling against companies using the much-reviled Computer Fraud and Abuse Act (CFAA) to pursue employees and others who allegedly misappropriate proprietary data.
The latest example involves the dismissal of a lawsuit in which Enki Corp., a Denver, Colo.-based managed services provider, alleges that former employee Keith Freedman violated provisions of the CFAA when he accessed and copied certain proprietary information from the company's servers.
The U.S. District Court for the Northern District of California last week dismissed the lawsuit on the grounds that the company had failed to properly state a claim under CFAA.
District Judge Paul Grewal ruled that Enki could not sue for unauthorized access under the CFAA because Freedman used valid login credentials provided to him by Enki. Any misuse of data accessed with valid credentials doesn't constitute a violation of CFAA, the judge said.
An Enki spokesman noted that his firm's case firm wasn't dismissed entirely as several of its state claims were allowed to survive. The judge ruled that Enki can amend dismissed CFAA-related claims as well as those raised under a California data access and fraud statute, the spokesman said. Enki can refile amended claims if it chooses to, he added.
The spokesman also said that the ruling retains several other California state law claims to remain against Freedman and Zuora.
The ruling is similar to ones made by multiple federal courts in recent years.
For instance, appellate courts for the Ninth and Fourth Districts each ruled that people or entities with valid access to corporate data could not be held liable under the CFAA for abusing that access to steal, sabotage or misuse the data.
Other courts, including the Eleventh, Fifth and Seventh Circuit appellate, had earlier arrived at the opposite conclusion, ruling that CFAA can be used to prosecute individuals in such cases.
The recent trend suggests that enterprises should be careful about how they use CFAA, said Evan Brown, senior counsel with InfoLawGroup LLP in Chicago.
"Enterprises who wish to have the CFAA as a remedy must ensure that there are restrictions on access to data, not merely restrictions on what may be done with that data," he said. "The CFAA is often not the best tool for dealing with departing or former employees who wrongly take the organization's information or technology."
Typically, a company stands a better chance of succeeding by suing for breach of contract, a misappropriation of trade secrets, or copyright infringement, Brown said.
In the latest case, Freedman, a former employee at Enki, left the company in 2011 to set up another firm, called Freeform.
Shortly after Freedman's departure, Enki signed up billing services provider Zuora as a customer. Under the agreement, Enki would provide consulting, cloud computing and other IT services for Zuora. Enki then hired Freedman's company as a subcontractor to help service the Zuora contract.
- Aberdeen Group: Marketing Analytics for Manufacturing: Forging Customer Insights There are no recalls for poor marketing. Manufacturers need to get their customer intelligence and messaging right the first time. Learn how.
- The Brave New World of Customer-Centric Manufacturing The Unique Opportunity for Manufacturers to Better Understand their Consumers
- See the Possibilities Utilizing Data Visualization Do you simply want to collect data, or do you want to derive business insights from it? What if you could quickly and...
- 5 Customers Deliver Virtual Desktops and Apps to Empower a Modern Workforce Learn how Citrix solutions helped 5 companies realize the full value of desktop virtualization through a project-by-project approach based on key business priorities.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All IT Industry White Papers | Webcasts