LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. Sept. 15, 2009) (full-text).
Factual Background Edit
LVRC operates Fountain Ridge, a residential treatment center for addicted persons. In April 2003 LVRC hired defendant Brekka to handle internet marketing as well as a number of other aspects of the facility. LVRC was aware at the time Brekka was hired that he owned and operated BBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of internet sites and advertisements.
Because Brekka commuted between Florida and Nevada he would email documents back and forth between his work and home computers. There was no written employment agreement with Brekka, nor were there any employee guidelines maintained by LVRC that would have prohibited such conduct. Brekka also requested, and obtained, administrative access to LVRC’s website using the user login “firstname.lastname@example.org,” and password “cbrekka,” which were sent to his work email address.
In August of 2003 Brekka and LVRC began discussing the possibility of Brekka purchasing an ownership interest in LVRC. Consequently Brekka emailed a number of LVRC documents to his personal email account and his wife’s personal email account. Included in these documents were a financial statement for the company, LVRC’s marketing budget, administrative reports for patients at Fountain Ridge, and notes Brekka took from a meeting with another Nevada mental health provider. Brekka also emailed a master admissions report to his personal email account, which included the names of past and current patients at Fountain Ridge.
The discussions between Brekka and LVRC broke down and Brekka stopped working for the company in mid-September 2003. Brekka left his computer at LVRC and did not delete any emails, including the email from the website administrator with his personal login information. Several other employees had access to Brekka’s former computer before the login information was eventually deleted.
In November 2004 the website administrator discovered that someone was logged ino the LVRC website using Brekka’s former username and password. The login was traced to an Internet service provider (ISP) in Redwood City, California. The “cbrekka” account was deactivated and LVRC filed a report with the FBI alleging unlawful access to their computer system.
LVRC brought a claim against its former employee for allegedly violating the Computer Fraud and Abuse Act (CFAA). LVRC’s complaint alleged that the employee violated the CFAA when he emailed LVRC documents to his personal email account and when he allegedly accessed the LVRC website after he stopped working for the company.
The district court granted summary judgment.
Appellate Court Proceedings Edit
The relevant portions of the CFAA provide for criminal penalties to be imposed on a person who “intentionally accesses a computer without authorization or exceeds authorized accesses, and thereby obtains . . . information from any protected computer if the conduct involved in interstate or foreign communication” or who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value. . . ."
LVRC argued that because Brekka accessed the company computer and obtained LVRC’s confidential information to further his own personal interests, rather than the interests of LVRC, such access was “without authorization” sufficient to find a violation of the CFAA. The appellate court reasoned that the definition of “exceeds authorized access” indicates that Congress did not intend to indicate such an implicit limitation on the word “authorization.” The plain language of the phrase “exceeds authorization” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.
This is distinguished from the phrase “without authorization,” which indicates someone with no rights to access the computer whatsoever. When an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is up to the employer to allow or terminate an employee’s authorization to access a computer. It is undisputed that Brekka accessed the computer in question while he was working for LVRC and that he had authorization to do so.
LVRC directed the court to the Seventh Circuit decision in International Airport Centers, LLC v. Citrin, where the court held than an employee’s authorization to access a computer ended for purposes of the CFAA when the employee violated his duty of loyalty to his employer. The court in the instant case refused to apply this reasoning, deciding that the CFAA is primarily a criminal statute and that determining violations based on the principles of agency used by the Seventh Circuit could lead to “unexpected burdens on defendants,” a result warned against by the Supreme Court. “If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” The court’s ruling stated that a person uses a computer “without authorization” when they have not received any authorization to use the computer or when an employee continues to use a computer after the employer has rescinded access.
The appellate court also held that LVRC failed to meet its burden of producing evidence of Brekka accessing the company website after leaving the company, which was required to establish a genuine issue of material fact. LVRC’s argument rested on little else than a login originating from Northern California and circumstantial evidence that Brekka was in that area of the state at the time in question.
Ten days after the decision in this case, U.S. Attorney Mark Krause filed a notice of appeal with the Ninth Circuit in the Lori Drew-MySpace suicide case. The government’s main argument in that case was based on the line of cases overruled by this decision.