SC Bar's Employment and Labor Law Newsletter: Winter 2013 - February 15, 2013
In recent months, both the Fourth Circuit Court of Appeals, which has jurisdiction over federal cases in North and South Carolina, and the S.C. Supreme Court have addressed the issue of protecting trade secrets and confidential information.
The Fourth Circuit limited an employer’s ability to use the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, et seq., against a former employee who downloaded company trade secrets. The S.C. Supreme Court held that covenants not to disclose confidential information are not in restraint of trade and are not to be construed strictly in favor of the employee but analyzed under a more general reasonableness standard. Although the N.C. Supreme Court has not ruled recently on the issue, North Carolina affords similar protection for confidential information.
Fourth Circuit addresses application of CFAA to employees
While the CFAA is primarily a criminal statute—it was enacted in 1986 to reduce computer hacking—the law allows an employer who has been damaged to bring an action against an employee who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains … information from any protected computer.” 18 U.S.C. §§ 1030(a)(2)(C), (a)(4), (a)(5)(B), and (a)(5)(C). Employers argue that an employee who, in a breach of his duty of loyalty, downloads proprietary information from a company computer and takes that information with him to a new employer has violated the CFAA.
Courts throughout the country disagree on whether an employee in this situation has “accessed a computer without authorization” or “exceed[ed] authorized access.” In WEC Carolina Energy Solutions, LLC v. Miller, 2012 WL 3039213 (4th Cir. 2012), the Fourth Circuit joined the Ninth Circuit in narrowly interpreting the application of the CFAA to an employee’s downloading of information from a company computer. However, five other circuits have interpreted the CFAA to apply to employees who violate company policies regarding the use of information stored on company computers. WEC Carolina has filed a petition for a writ of certiorari with the U.S. Supreme Court.
Mike Miller worked as project director for WEC, a company that provides specialized welding and related services to the power generation industry. WEC allowed Miller the use of a company laptop and provided him access to company trade secrets and confidential information. To protect such information, WEC maintained policies that prohibited an employee from using the information without authority or downloading it to a personal computer.
WEC alleged that prior to resigning from the company in April 2010, Miller e-mailed confidential documents to a personal e-mail address and, with the help of his assistant, Emily Kelly, downloaded confidential documents to a personal computer. WEC also claimed that Miller, who went to work for a competitor, used these documents to make a presentation on behalf of the competitor to a WEC customer.
WEC sued Miller and Kelly, alleging that they violated the CFAA. WEC reasoned that under its policies, Miller and Kelly were not permitted to download confidential documents to a personal computer and that, in doing so, they violated their duty of loyalty to WEC, thereby either losing or exceeding their authority to access WEC’s computers.
The Fourth Circuit, however, disagreed, reasoning that the terms “without authorization” or “exceeds authorized access” do not apply where an employee has access to an employer’s data on a computer and then uses that information improperly. Although Miller and Kelly did not have authority to misappropriate trade secrets, they did have authority to access the information as employees of the company. Thus, their acts of downloading the confidential documents did not violate the CFAA. The Fourth Circuit noted:
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.
WEC Carolina Energy Solutions, LLC v. Miller, 2012 WL 3039213 at *13.