Written by David Barmak and Crystal Barnes
The Ninth Circuit’s opinion in LVRC Holdings LLC, v. Brekka et al. calls into question the utility of the Computer Fraud and Abuse Act (CFAA) for employers seeking to redress employee theft or misuse of company information. In LVRC Holdings, the Ninth Circuit affirmed a district court opinion finding that Christopher Brekka, a former employee of LVRC, did not violate the CFAA when he emailed company documents to his and his wife’s personal email account during his employment with LVRC.
LVRC operates a residential treatment center for addicted persons in Nevada and hired Brekka to oversee internet marketing programs and interact with LRVC’s internet provider, LOAD, Inc. While at LVRC, Brekka requested and received an administrative user name and password to access LRVC and LOAD websites. Near the end of his employment with LVRC, Brekka emailed multiple LVRC documents to his and his wife’s personal email account, including the company’s financial statement, marketing budget, admissions report for patients, and names of past and current patients. Brekka then left LVRC, which later discovered that someone using Brekka’s user name was accessing company websites.
LVRC brought suit in district court alleging that Brekka violated the CFAA, 18 U.S.C. § 1030, by accessing LVRC’s computer “without authorization” during and after his employment with LVRC. However, the Ninth Circuit concluded that an “employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it.” Here, the Court held, Brekka did not act “without authorization” because LVRC had given Brekka permission to use the computer during his employment. Importantly, the Court rejected LVRC’s argument relying on the Seventh Circuit decision in International Airport Centers, LLC v. Citrin, that an employee’s authorized use ends when he violates his duty of loyalty to the employer. In International Airport Centers, the Seventh Circuit, relying heavily on general principles of agency law, held that an employee’s breach of his duty of loyalty terminated any right he otherwise had to authorized access of his employer’s laptop. It concluded, therefore, that the employee’s deletion of data from the employer’s computer - - after the employee had already breached his duty of loyalty by deciding to, and taking steps in furtherance of, competing with his employer - - constituted unauthorized access of the employer’s computers in violation of the CFAA.
While the Ninth Circuit’s LVRC Holdings decision seemingly rejects reliance on general agency principles, it does expressly note that LVRC had neither an employment agreement with the employee, nor any policies or guidelines which expressly prohibited an employee from sending company documents to his personal email account. While it is not clear that the Ninth Circuit would have reached a different result had LVRC had such an employment agreement or policies, it is clear that the absence of an agreement and/or policies can be fatal to an employer’s CFAA claim, at least in the Ninth Circuit. This case serves as yet another reminder, then, that every employer is well served by having in place good computer and business systems policies which make clear the limits of each employee’s rights with respect to authorized access to and use of the employer’s systems.
The LVRC Holdings decision can be found at: