When an executive search firm bought the goodwill and other assets of a similar firm and learned that the individual sellers took client lists and diverted business in violation of their non-compete agreements, it terminated the sellers’ employment and sued them and other third-party defendants for violating the Computer Fraud and Abuse Act (“CFAA”) as well as for fraud, breach of contract, tortious interference with contract, tortious interference with business relations, and an accounting.  A New York federal court’s decision to dismiss the former employer’s  CFAA claim in JBCHoldings NY, LLC v. Pakter, Civil Action No. 12 Civ. 7555 (S.D.N.Y. Mar. 20, 2013) continues a trend of district courts in the Second Circuit adopting a narrow reading of this statute.

The court held that when an employee who has been granted access to an employer’s computer misuses that access, either by violating the employer’s  terms of use or by breaching a duty of loyalty to the employer, the employee does not “exceed authorized access” or act “without authorization” as those terms are are defined in the CFAA.  Federal appellate courts are currently split on whether those terms should be interpreted broadly or narrowly.  The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction and allowed CFAA claims alleging that en employee misused employer information that he or she was otherwise permitted to access.  The New York court chose to follow the Fourth and Ninth Circuits and other district courts in the Second Circuit, which have held that the statute does not reach the mere misuse of employer information or violations of company use policies.  The court found that the statute is concerned with the actions of employees who lack permitted access, not the actions of employees who exceed a permitted use of employer information.  Under this narrow reading, the CFAA does not prohibit the actions of employees who have permission to access certain information and proceed to use the information for an improper purpose.  The court noted that state law contract and tort claims were already available to address such misappropriation by faithless employees.

In reviewing the former employee’s complaint, the court found that absent allegations that the individual sellers lacked access to the computers that were used to take client lists or lacked authority to access electronic information that was used to set up a competing business, the former employer had no CFAA claim against the individual sellers.  The court also partially dismissed the former employer’s Lanham Act and tortious interference with business relations claims and dismissed fraud and tortious interference with contract claims.  Although pared down, the lawsuit will proceed against most of the defendants under various theories, including breach of contract.

The decision serves as a cautionary reminder that CFAA claims against employees who misuse employer information have been met with mixed success in federal courts.