A federal judge has determined that an employee who failed to return her laptop after taking a job with a competitor, and then used software to remove data from the laptop, could not be sued under the Computer Fraud and Abuse Act.
The plaintiff employer maintained that the laptop was considered a “protected” computer under the CFAA because the defendant employee had been using it in interstate commerce before she left. Thus, the employer argued, her unauthorized use violated the CFAA.
But U.S. District Court Judge Indira Talwani in Boston disagreed.
“The Act requires … that a computer, to be protected, ‘is used in’ interstate commerce,” Talwani wrote, granting the employee’s motion to dismiss. “And at the time of her unauthorized use of the [l]aptop, the [l]aptop was not being used in interstate commerce. … [T]he fact that the [l]aptop was formerly used in interstate commerce does not make the later deletion of files … a crime that is ‘interstate’ in nature. Instead, such actions are appropriately addressed under state law.”
The seven-page decision is Pine Environmental Services, LLC v. Carson, et al.
‘Makes the heart beat faster’
John W. Davis of North Reading, Massachusetts, who represented the employee, said the decision illustrates a trend among judges in the 1st Circuit to interpret the CFAA narrowly.
In Pine, Davis said, his client may have created the perception of impropriety by attempting to scrub the company’s laptop after she was no longer employed, but she never attempted to access the employer’s network or server after the employment relationship ended.
Given that, Davis said, it is not surprising that the judge would be reluctant to apply the CFAA, which was intended as a criminal statute designed to target hackers.
“In Massachusetts, there’s a trend to dismiss CFAA claims absent proof that a former employee was motivated by a desire to deceive or dupe the company,” he said.
However, Bronwyn L. Roberts, counsel for the employer, said the ruling raises “the alarming prospect that employees can destroy, abuse and misappropriate computers and their contents without fear of punishment.”
Roberts, a partner at Duane Morris in Boston, said that poses a problem for employers that allow employees to take equipment offsite to do their work and do not want to risk loss of data and trade secrets to competitors.
“It could set a dangerous precedent, and I imagine that businesses with similar concerns will want to address this ruling either in court or through legislation,” Roberts said. “We don’t mean to take it lying down.”
Boston business litigator John R. Bauer, who was not involved in the case, agreed.
“You have to be concerned that employees will use this as an incentive to use a scrubbing device and take things off a laptop they have no right to take,” Bauer said, adding that the 7th U.S. Circuit Court of Appeals recognized a cause of action under the CFAA in a very similar case.
At the same time, the Birnbaum & Godkin lawyer said, Pine shows leeriness on the part of federal judges in Massachusetts when it comes to using the CFAA in ordinary non-compete cases.
“I think the federal judges are thinking these days that we have state courts for that purpose, and we don’t want these cases flooding the federal courts,” he said.
And while Bauer said he could understand why some employers would want to bring their cases to federal court, where they can always get a full evidentiary hearing, “quite frankly most lawyers in town who do a lot of non-compete law in particular understand that the Business Litigation Session [of the Superior Court] is generally very plaintiff-friendly and is probably a better place for employers to bring these actions anyway.”
Jonathon D. Friedmann of Rudolph Friedmann in Boston, who represents employees in CFAA cases, said he is pleased that federal judges in Massachusetts are unwilling to allow employers to use the CFAA in garden-variety employment disputes as a means of intimidation.
“When a suit is brought to make sure the employee complies with a non-compete agreement or a similar-type claim, and the former employer throws in the CFAA claim, it has a real chilling effect on the employee and on the new employer,” he said. “The mental impression it gives, the fear it instills in people, it ratchets everything up a number of notches. Just the name — the ‘Computer Fraud and Abuse Act’ — and the mental impression that gives, makes the heart beat faster.”
Unauthorized use
Defendant Charlene Carson began working for plaintiff Pine Environmental Services in 2012. The New Jersey company provides rental environmental equipment to other businesses.
In June 2013, Pine provided Carson with a company laptop. According to Pine, she used the laptop to communicate with and maintain information about customers and customer locations with which Pine was engaged in interstate commerce.
Carson left Pine on Feb. 19 to work for defendant Palms Environmental and Survey, a competitor of Pine, but did not return her laptop immediately.
On April 17, Carson’s roommate apparently observed her working on the laptop in their shared apartment. He left the room for a while; when he came back, he saw that Carson had left behind the computer with a note asking him to return it to Pine.
After the roommate returned the laptop, a Pine employee apparently discovered that customer-related files had been accessed on the computer on April 17.
A forensic analysis subsequently determined that, on the evening of April 17, a software program called “CCleaner” had been installed on the laptop and used to destroy data and files, Internet browsing histories, and event log entries.
On July 1, Pine sued Carson and Palms in U.S. District Court, alleging misappropriation of trade secrets, breach of contract and violation of the CFAA. The employer also moved for a preliminary injunction preventing Carson from working for Palms.
The defendants moved to dismiss, arguing that there was no $75,000 in controversy as required for diversity jurisdiction and that the CFAA did not apply to the case, resulting in a lack of subject-matter jurisdiction.
Non-protected computer
Talwani agreed with the defendants that the CFAA was inapplicable in the case, finding that the laptop in question was not a “protected computer” within the meaning of the statute.
The judge noted that a computer is not protected under the CFAA unless it is used in interstate commerce, and while Carson used the laptop in interstate commerce while she was working for Pine, her use was authorized at that time.
At the time of Carson’s unauthorized use, however, she was not using the laptop in interstate commerce, Talwani said.
“Indeed, as Pine conceded at the hearing on the pending motions, there is no allegation here that Carson used the [l]aptop to access Pine’s network or server after her employment was terminated,” she wrote.
The judge also looked to the legislative history behind the CFAA to support her narrow construction of its applicability.
Citing a Senate committee report from when the CFAA was under consideration, Talwani pointed out that the committee explicitly rejected the idea that the CFAA should be a sweeping law that leaves no potential computer crime uncovered.
Rather, Talwani observed, the committee sought a balance between the federal government’s interest in stopping computer crime and the interests and abilities of states to deal with such offenses.
The fact that Carson had used the computer in interstate commerce while authorized did not make her deletion of files while it was unauthorized a crime that was “interstate” in nature, the judge said.
Instead, the case presented matters for state courts to resolve, Talwani said, concluding that the suit should be dismissed for lack of subject-matter jurisdiction.