In LVRC Holdings, LLC v. Brekka, et. al. (9/15/09), the Ninth Circuit Court of Appeals upheld the trial court’s summary judgment for defendants finding that defendant, Brekka, was “authorized” to use LVRC’s computers while he was employed, and that he did not access the computers “without authorization” under the Federal Computer Fraud and Abuse Act (CFAA) when he emailed documents to himself and his wife prior to leaving LVRC.

Factual Background.

Brekka was hired by LVRC in April 2003 to oversee a number of aspects of its residential treatment facility in Nevada. His duties included internet marketing programs and interacting with LVRC’s website consultant, LOAD, Inc. At the time he was hired, he owned and operated two other consulting businesses himself which were also in the addiction rehabilitation services. While he worked for LVRC, Brekka commuted between Florida where he resided and one of his businesses was located, and Nevada. He was assigned a computer at LVRC but while commuting back and forth between Florida and Nevada, he would email documents he obtained or created at LVRC to his personal computer. There was no written policy at LVRC regarding the emailing of LVRC documents to personal computers. 

In June 2003, Brekka asked a LOAD administrator, Nick Jones, for a log-in for LVRC’s website and it was provided. With this log-in, Brekka could gain access to information about LVRC’s website. In August 2003, Brekka and LVRC entered into discussions regarding the possibility of Brekka purchasing an ownership interest in the company. He emailed a number of LVRC documents to his personal email account and his wife’s personal email account. They included a LVRC financial statement, its marketing budget, admissions reports for patients at the facility, among other things.  After discussions between LVRC and Brekka broke down in mid-September 2003, Brekka quit. He left his LVRC computer at the company and it still contained the email in which LOAD had sent him the log-in information. After he left, another employee or consultant of LVRC deleted that email with the log-in information. During a routine monitor of the website on November 19, 2004, a LOAD administrator noticed that someone was logged into the LVRC website using the log-in and password given to Brekka back in June 2003. The log-in and password were then deactivated and LVRC filed a report with the FBI alleging that Brekka had been unlawfully logging into LVRC’s website.

The Case.

LVRC filed a civil lawsuit claiming that Brekka committed two of the crimes established by the CFAA: 1) that he intentionally accessed a computer without authorization or exceeded his authorized access; and 2) that he obtained information from a protected computer (and the conduct involved an interstate or foreign communication). (18 U.S.C. §§ 1030(a)(2) and (a)(4).) LVRC alleged that Brekka violated these sections of the CFAA when he emailed LVRC documents to himself in September 2003 and when he continued to access the website after he left LVRC. 

The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. (18 U.S.C. § 1030(a)(1)-(7).) While violation of the CFAA carries with it criminal penalties, section 1030(g) of the statute provides for a civil private right of action by persons injured by the crimes.[1]

The trial court granted Brekka’s summary judgment motion holding that LVRC had failed to establish a violation of section 1030(a)(2) or (a)(4). The trial court found that “It is undisputed that when Brekka was employed by Plaintiff that he had authority and authorization to access the documents and emails that were found on his home computer and laptop.” There was no evidence that Bekka accessed an LVRC computer or any of the documents on the computer “without authorization.”   Brekka had “authorization” to access the LVRC computers for purposes of sections 1030(a)(2) and (a)(4) because he was employed by LVRC at the time he emailed documents to himself and his wife, and there was no evidence that he had agreed to keep the emailed documents confidential or to return or destroy those documents upon the conclusion of his employment. Also, the trial court found that LVRC had failed to put forth any evidence that Brekka logged into the LVRC website after leaving LVRC’s employ. 

The Ninth Circuit found that while the CFAA does not define “authorization,” based on the fundamental canon of statutory construction, the word is to be given its ordinary and common meaning. Therefore, it held that “an employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it.” According to the court, because LVRC permitted Brekka to use the company computer, he did not act “without authorization.” Further, the court found that Brekka did not “exceed authorized access.” This phrase was defined by Congress to mean “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (18 U.S.C. § 1030(e)(6).) According to the Court, based on this definition, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceeded authorized access.” On the other hand, a person who uses a computer “without authorization” has no rights, limited or otherwise, to access the computer in question. In this case, the court found that there was no dispute that Brekka had permission to access the computer without limitation and he was still employed by LVRC when he emailed the documents to himself and his wife. The Court affirmed the trial court’s summary judgment finding that Brekka did not access LVRC’s computer without authorization.

The Court also affirmed the trial court’s summary judgment that Brekka did not violate CFAA by logging onto the website after he left LVRC because LVRC did not meet its burden of producing evidence that a genuine issue of material fact existed in this regard.

Note to Employers.

This case review addresses solely the CFAA. LVRC and other employers often have other legal remedies available if a departing employee misappropriates its confidential and proprietary information or fails to return its property. 

However, it is important that employers have clear and concise Electronic Use Policies and Confidentiality & Proprietary Information Policies in place. These policies can help to protect against an employee’s improper use of the company’s electronic media (e.g. computers, telephones, and remote communication devices) and the improper access to, and disclosure of, the company’s confidential and proprietary information. The employment lawyers at WGC regularly draft such policies and would be happy to assist employers in the review and/or drafting of such policies.

[1] Section 1030(g) provides in part that “Any person who suffers damages or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”