ANITA B. BRODY, District Judge.
Plaintiff Dresser-Rand Company ("Dresser-Rand") brings a variety of claims against G. Curtis Jones, Jeffrey King, Albert E. Wadsworth, I V, and Global Power Specialist, Inc. ("Global Power"), including a claim for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 ("the CFAA").
G. Curtis Jones and Jeffrey King worked as managers for the Dresser-Rand Company, a $2 billion corporation that provides technology, product and services used for developing energy and natural resources. Dresser-Rand's business includes manufacturing industrial equipment and field services operations to maintain and service industrial equipment for Dresser-Rand clients who own power plants, industrial plants and refineries. Jones resigned from Dresser-Rand on February 9, 2010 from his position as Regional Field Services Manager. King resigned from Dresser-Rand on February 26, 2010 from his position as Project Manager.
On January 20, 2010, prior to the resignations of Jones and King, Albert Wadsworth incorporated Global Power Specialist, Inc. and became Global Power's president. Jones and King became Global Power's two employees. Global Power performs field services work to fix gas turbines. Jones and King had Global Power cell phones and e-mail addresses and performed work to benefit Global Power before they resigned from Dresser-Rand. Before Jones and King left Dresser-Rand, they downloaded Dresser-Rand documents to external hard drives and flash drives. Dresser-Rand's forensic computer expert found that on multiple occasions from December 2009 through February 2010 Jones and King downloaded Dresser-Rand files onto at least five external devices. They downloaded the files days before they each resigned.
Dresser-Rand's computer expert found that thousands of Dresser-Rand's files were transferred from the external devices to Global Power's computers. Defendants accessed some of these files from Global Power computers after they left Dresser-Rand. Wadsworth received e-mails from Jones and King sent from their Dresser-Rand computers containing Dresser-Rand business information. He reviewed and edited some of these documents.
Dresser-Rand's Director of Services for the Mid-Atlantic Region Glenn "Chip" Jones stated that he had "no reason to believe that [Jones and King] accessed information other than what they had authorized access to do through their Dresser-Rand user name and password." Def. Ex. A 191:23-25, 192:2-5. Chip Jones testified as an individual. Pl. Response at 5 n. 5.
Dresser-Rand has several policies that govern employee use of Dresser-Rand resources and information. These policies include a Code of Conduct that covers conflicts of interest, competition and fair dealing, confidentiality, privacy, protection and proper use of company assets, and other topics. Pl. Ex. B. Dresser-Rand's Internet Access and Usage Policy provides that unauthorized use of the internet includes "[s]ending, receiving or posting without authorization company-sensitive or privileged information ...". Ex. G. Dresser-Rand's Acceptable Use Policy states that "Any unauthorized use, disclosure or transmission of [protected] information or content is prohibited. Users are required to comply with all applicable laws, agreements and Company policies before placing any information of a proprietary, confidential, or trade secret nature into Dresser-Rand's computers." Pl. Ex. H at 2. Each time Dresser-Rand employees log on to a company computer, they must acknowledge and accepts the company's "Legal Notice and Acceptable Use Statement":
Pl. Ex. I.
Defendants filed a partial motion for summary judgment on November 9, 2010 concerning the CFAA claims only. On December 16, 2010 the case was placed in
Summary judgment will be granted "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). A fact is "material" if it "might affect the outcome of the suit under the governing law...." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A factual dispute is "genuine" if the evidence would permit a reasonable jury to return a verdict for the nonmoving party. Id.
The moving party bears the initial burden of demonstrating that there is no genuine issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). The nonmoving party must then "make a showing sufficient to establish the existence of [every] element essential to that party's case, and on which that party will bear the burden of proof at trial." Id. at 322, 106 S.Ct. 2548. However, the nonmoving party may not "rely merely upon bare assertions, conclusory allegations or suspicions" to support its claims. Fireman's Ins. Co. of Newark, N.J. v. DuFresne, 676 F.2d 965, 969 (3d Cir.1982).
In essence, the inquiry at summary judgment is "whether the evidence presents a sufficient disagreement to require submission to a jury or whether it is so one-sided that one party must prevail as a matter of law." Anderson, 477 U.S. at 251-52, 106 S.Ct. 2505.
The Computer Fraud and Abuse Act prohibits seven types of computer crimes mainly involving accessing computers without authorization or in excess of authorization, and then obtaining information or damaging computer data. 18 U.S.C. § 1030(a). The statute, enacted by Congress in 1984, was originally exclusively a criminal statute. Since then the statute has been amended several times, including in 1994, when Congress amended the act to add a civil provision. Computer Abuse Amendments Act of 1994, Pub.L. No. 103-322, § 290001(d), 108 Stat. 1796 (codified at 18 U.S.C. § 1030(g)). A violation of the statute exposes one to both civil and criminal liability.
Legislative history reveals that "[t]he general purpose of the CFAA was to create a cause of action against computer hackers (e.g., electronic trespassers)." Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz.2008) (internal quotation marks omitted); accord U.S. Bioservices Corp. v. Lugo, 595 F.Supp.2d 1189, 1193 (D.Kan.2009) ("The CFAA was intended as a criminal statute focused on `hackers' who trespass into computers...."). For example, the 1984 House Committee Report noted that under § 1030 "the conduct prohibited is analogous to that of `breaking and entering' rather than using a computer (similar to the use of a gun) in committing the offense." H.R.Rep. No. 98-894, at 20 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3706. Additionally, other Congressional reports have characterized the CFAA as a statute prohibiting computer trespass. Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U.L. Rev. 1596, 1618, 1668 n. 90 (2003) (citing S.Rep. No.
The statutory provision relevant to this case provides that
"Access" is not defined. "Exceeds authorized access" is defined as: "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
Dresser-Rand argues that all of the Defendants — King, Jones, Wadsworth and Global Power violated this section of the CFAA. Dresser-Rand's arguments supporting this allegation are summarized as follows:
To demonstrate that the Defendants violated section 1030(a)(4) of the CFAA, Dresser-Rand must prove that "(1) [the] defendant had accessed a `protected computer;' (2) has done so without authorization or by exceeding such authorization as was granted; (3) has done so `knowingly' and with `intent to defraud;' and (4) as a result has `further[ed] the intended fraud and obtain[ed] anything of value.'" See P.C. Yonkers, Inc. v. Celebrations The Party and Seasonal Superstore, LLC, 428 F.3d 504, 508 (3d Cir.2005).
The Computer Fraud and Abuse Act governs activity that involves accessing or damaging computers.
Dresser-Rand argues that Wadsworth is nonetheless implicated because Jones and King acted as his agents when they downloaded the files. Yet Dresser-Rand provides no legal basis in the CFAA or otherwise to justify imputing liability from the individuals who access a computer without authorization to others who may eventually benefit from their actions. Therefore Wadsworth cannot be held liable for a CFAA claim under these theories and I will grant Defendant's partial motion for summary judgment as to Wadsworth.
Unlike Wadsworth, King and Jones undisputedly accessed Dresser-Rand's computers. Whether King and Jones are liable under the CFAA turns on whether they "exceed[ed] authorized access" when they downloaded files from their laptops. As noted above, although the CFAA does not define the word "access," it defines "exceeds authorized access," to mean, "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter." 18 U.S.C. § 1030(e)(6). The term "authorization" is not further defined, leaving courts to wrestle with the breadth of its meaning as increasingly, employers have used a statute originally designed to punish hackers against disloyal employees. See P.C. Yonkers, Inc. v. Celebrations The Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir.2005). Determining an employee's authorization to company computer systems is further complicated by the proliferation of employer computer and internet use policies.
The circuit courts are split between what is cast as a broad versus a narrow interpretation of the term "without authorization." Under the narrow view, an employee given access to a work computer is authorized to access that computer regardless of his or her intent to misuse information and any policies that regulate the use of information. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir.2012); U.S. v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Under the broad view, if an employee has access to information on a work computer to perform his or her job, the employee may exceed his or her access misusing the information on the computer, either by severing the agency relationship through disloyal activity, or by violating employer policies and/or confidentiality agreements. See U.S. v. John, 597 F.3d 263 (5th Cir.2010); U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir.2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir.2006); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.2001). Rather than using "broad" versus "narrow" labels, academics have helpfully divided the approaches of courts into three
Courts that adopt the narrow view base their reasoning on the plain language of the statute, dictionary definition of "authorization," and the rule of lenity. See, e.g. WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir.2012); U.S. v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009); Bro-Tech Corp. v. Thermax, Inc., 651 F.Supp.2d 378, 406-07 (E.D.Pa.2009); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D.Ariz.2008); Brett Senior & Assoc., P.C. v. Fitzgerald, 2007 WL 2043377 (E.D.Pa. July 13, 2007). The Fourth Circuit goes through this analysis for a factual scenario very similar to this case. A WEC employee emailed downloaded confidential WEC documents to a personal computer prior to resigning from the company to work for one of its competitors.
The Court began with examining the plain language of the statute. Id. at 203. It recites the Oxford English Dictionary definition for "authorization": "formal warrant, or sanction." Id. at 204 (citing Oxford English Dictionary (2d ed.1989; online version 2012)). Citing the Ninth Circuit's analysis in LVRC Holdings LLC v. Brekka,
As for any ambiguity surrounding the term "without authorization," the Court noted that its interpretation would apply to both the civil and criminal parts of the statute, and therefore any ambiguity would be resolved in favor of lenity. Id. at 204. This rule ensures that we are shielded from unexpected criminal consequences of ambiguous statutes. Id. As a result, the Court was "unwilling to contravene Congress's intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy." Id. at 207.
In an en banc opinion, the Ninth Circuit rejected the notion that that the CFAA encompasses corporate use restrictions. U.S. v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc).
Nosal, 676 F.3d at 860. Going a step further, the Ninth Circuit expressed concern over terms of service agreements on internet sites that could change at a moment's notice, making previously legal behavior suddenly criminal through no act of Congress. Id. at 862. Employers could use the CFAA against employees in wrongful termination suits, or threaten to report employees to law enforcement. Id. at 860, n. 6. As a result, the Ninth Circuit urged against applying the CFAA broadly based on employer use policies, fearing that it "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute." Id. at 857. The Court concluded, "[i]f Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly." Id. at 863. It clarified that "without authorization" applies to outside hackers, while "exceeds authorized access" applies to inside hackers. Id. at 858.
By adopting the narrow theory, the Ninth and Fourth Circuits rejected the Seventh Circuit's broad theory that authorization can be defined based on principles of agency law. See WEC Carolina, 687 F.3d at 206; Nosal, 676 F.3d at 862; Brekka, 581 F.3d at 1134. Under the Seventh Circuit's theory, when employees breach their duty of loyalty to their employers, they end their agency relationship with the company and are no longer authorized to access their work computers. Citrin, 440 F.3d at 420-21. Thus when an employee destroyed all of his files on his work laptop prior to quitting, the Seventh Circuit found that his "breach of his duty of loyalty terminated his agency relationship... and with it his authority to access the laptop, because the only basis of his authority had been that relationship." Id. at 419-20. The Ninth Circuit rejected the notion that a change in an employee's mental state from "loyal employee" to "disloyal competitor" will alter the employee's culpability under the CFAA based on the rule of lenity and plain meaning of the statute. Brekka, 581 F.3d at 1134. Such a rule bases authorization on the whim of the
No circuit courts have since evoked Citrin's agency law theory. However, the First, Fifth and Eleventh Circuits have bowed to the whim of employer use policies and confidentiality agreements
These rulings wrap the intent of the employees and use of the information into the CFAA despite the fact that the statute narrowly governs access, not use. Courts in the Eastern District of Pennsylvania have rejected this notion. In Brett Senior Judge McLaughlin urged against looking at a defendant's motivation in accessing information because to do so would collapse the independent requirements of the statute into a single inquiry. Brett Senior, at *4. Subjective intent departs from the original view that the CFAA concerns what is "tantamount to trespass in a computer." Clinton Plumbing and Heating of Trenton, Inc. v. Ciaccio, et. al., No. 09-2751, 2010 WL 4224473, at 5 (E.D.Pa. Oct. 22, 2010). The Ninth Circuit disapproved of the Eleventh, Fifth and Seventh Circuits' failure to consider the broad consequences of incorporating intent into the definition of "authorization," and to apply the rule of lenity. Nosal, 676 F.3d at 862-63. The statute simply does not support a broad interpretation of "authorization" based on employer use policies. Based on this conclusion, Jones' and King's conduct cannot be punishable under the CFAA.
First, the extent of Jones' and King's authorized access must be determined. Courts in the Eastern District of Pennsylvania have allowed CFAA claims to proceed when genuine issues of material fact exist as to the level of an employee's authorization. Bro-Tech Corp., 651 F.Supp.2d at 407 (finding that "the quality or extent of a particular individual's authorization to access a computer is informed by the facts of the case."). In Bro-Tech the court denied summary judgment because questions of fact existed regarding the nature and extent of the employees' authorization to delete files they
Jones and King accessed their work laptops and downloaded thousands of documents to external storage devices. If Jones and King were authorized to access their work laptops and to download files from them, they cannot be liable under the CFAA even if they subsequently misused those documents to compete against Dresser-Rand. The Plaintiff alleges that "Jones and King used the Company's computers that they were authorized to use for legitimate Dresser-Rand business purposes to instead access and copy Dresser-Rand's property, including its trade secrets and confidential information ...". Compl. ¶ 46 (emphasis added). King and Jones had user names and passwords to access the Dresser-Rand network and had access to their Dresser-Rand issued laptops and external hard drives. Chip Jones, Director of Services for the Mid-Atlantic Region, stated that he had "no reason to believe that [King and Jones] accessed information other than what they had authorized access to do through their Dresser-Rand user name and password." Def. Ex. A, 191:23-25, 192:2-5. Dresser-Rand does not argue that there are limitations on employees' ability to copy documents to which they would otherwise have access to external storage devices like hard drives or flash drives. King and Jones' December 2009, January 2010 and February 2010 downloads all occurred while still employed by Dresser-Rand. Pl. Ex. A, Ex. 1-8. Based on this evidence, Jones and King were authorized to access their laptops and download files while they still were employed at Dresser-Rand.
Dresser-Rand argues that genuine issues of material fact exist regarding Defendants' authorization to access their computers. However, none of its asserted issues of material fact are actually material. Dresser-Rand arguing that Jones and King exceeded their authorized access when the violated Dresser-Rand's computer use policies and Code of Conduct. Dresser-Rand's corporate use restrictions, which resemble the policies in Nosal and WEC, cannot alter Jones' and King's authorized access. Dresser-Rand's "Legal Notice and Acceptable Use Statement" that appears before any employee can log on to the Dresser-Rand system is similar to the notice that appeared before accessing the database in Nosal. Like WEC's policies, Dresser-Rand's policies governed use, not access, strictly prohibiting "[a]ny use or activity that jeopardizes the integrity of the equipment, violates any Company policy, or is not in the best interests of the Company ...". Pl. Ex. I. Therefore the policies are inapposite.
Dresser-Rand maintains that disputed facts exist concerning the Defendants' subsequent transfer of Dresser-Rand files to Global Power computers. Dresser-Rand's forensic computer expert noted that Jones and King accessed Dresser-Rand-originated files after they ceased their employment on Global Power computers. Because the CFAA is based on unauthorized computer access — not file access, the fact that files were accessed on Global Power computers is immaterial to the CFAA claim.
Because Jones and King had authorization to access their work computers, they did not hack into them when they downloaded the files. Their alleged misuse of the files may have remedies under other laws, but not under the CFAA. Therefore I will grant Defendants' partial motion for summary judgment as to Jones and King.
Dresser-Rand asserts that genuine dispute of material facts exists as to "[w]hat actions King took in "shit canning" his computer and thus destroying Dresser-Rand files." Pl. Response at 10. King wrote to Wadsworth that he "shit canned everything on my computer since I have to turn it in tomorrow." Pl. Ex. J. Dresser-Rand takes this e-mail to mean that King destroyed files. Other than this e-mail, there is no other evidence that King destroyed any files. In fact, Dresser-Rand's forensic computer expert made no mention of destroyed or missing files in his report, despite the fact that he analyzed King's Dresser-Rand laptop. More importantly, Dresser-Rand presents no arguments that by deleting files on his laptop, King would have exceeded his authorized access. Dresser-Rand does not point to any restrictions on King's access that, for instance, would allow him to view files on his laptop but forbid him from deleting them. There is therefore insufficient evidence to sustain a CFAA claim against King on this basis.
Dresser-Rand brings the CFAA claim against all Defendants, including Global Power. Dresser-Rand argues that Global Power is implicated under the CFAA through Jones, King and Wadsworth, working as agents of Global Power. Because the CFAA claim cannot survive against any of these Defendants, it cannot survive against Global Power.
For the foregoing reasons I will grant Defendants' partial motion to dismiss the