A California federal court in Enki Corporation v. Freedman held that a former employee’s access of the employer’s computer systems through his log-in credentials did not amount to unlawful hacking under either the Computer Fraud and Abuse Act (“CFAA”) or the California Computer Data Access and Fraud Act (“CDAFA”).
Enki Corporation entered into an agreement with Zuora to provide Zuora with certain consulting and IT services, and as part of these services Enki installed a computer resources and performance monitor on Zuora’s network. In order to fulfill its obligations, Enki contracted with one of its former employees, Keith Freedman, to provide certain consulting services to Zuora. Enki subsequently terminated the contract with Freedman after it learned that Freedman had allegedly spread negative stories about Enki and its work product to Zuora, and alleged that prior to the termination of Freedman’s contract, Freedman and Zuora had accessed Enki’s performance monitor without authorization to download Enki’s proprietary information. Enki subsequently sued both Freedman and Zuora for, among other things, violations of federal and state anti-hacking laws (i.e., the CFAA and CDAFA). However, the federal district court dismissed both claims.
With respect to the CFAA claim, the court held that the employer failed to properly allege that the defendants accessed Enki’s computer system “without authorization.” The court noted that the CFAA “regulates access to data, not its use [or misuse] by those entitled to access it” and because both defendants were authorized to access the data in question there was no CFAA violation.
With these facts, employers often turn to the CFAA and CDAFA to sue former employees who abscond with information from company computers, particularly when such information does not meet the definition of a protectable trade secret. The Freedman case reveals that such suits continue to face significant hurdles in California.