The Computer Fraud & Abuse Act and N.C.’s Computer Trespass Statute: Paths to Treble Damages?
Cases involving corporate espionage, trade-secret misappropriation, and theft of confidential information frequently involve someone taking information from a company’s computer system. This conduct often spawns claims under North Carolina’s computer trespass statute or a similar federal statute, the Computer Fraud and Abuse Act (CFAA).
Today’s post explores several issues surrounding these statutes. First, could violations of either statute qualify as a section 75-1.1 violation that carries treble damages and a possible attorney’s fee award? Second, does a user violate the computer trespass statute or CFAA if he uses information to which he has access for an unauthorized purpose? Finally, do the employment and internal business disputes exemptions preclude a per se section 75-1.1 claim for the most common types of computer trespass and CFAA violations?
Per Se Liability for CFAA and Computer Trespass Statute Violations
Violations of a statute or regulation can constitute unfair or deceptive conduct under section 75-1.1. We call these per se violations. Per se violations are potent because they graft section 75-1.1’s remedies—treble damages and a potential attorneys’ fees award—onto statutes and regulations that rarely impose those penalties. Neither the computer trespass statute nor the CFAA, for example, provide for exemplary damages or attorney’s fees.
Could violating either the computer trespass statute or the CFAA be a per se violation of section 75-1.1? Possibly. We aren’t aware of any reported judicial decisions addressing these questions.
In a North Carolina federal case, however, the facts supporting a computer trespass claim formed the basis for section 75-1.1 liability. The jury found that a defendant violated the computer trespass statute. The court concluded as a matter of law that the conduct underlying that violation was unfair or deceptive. The court then trebled the jury’s section 75-1.1 damages award—the same amount of damages that the jury awarded on the computer trespass claim. In this case, at least, a violation of the computer trespass statute functioned as a per se violation of section 75-1.1.
Although there isn’t (yet) a reported judicial decision establishing that violations of the computer trespass statute or CFAA are per se section 75-1.1 violations, it’s reasonable to assume that violations of either statute could support a per se liability theory.
Using Authorized Access for an Unauthorized Purpose: A Violation?
A common fact pattern in computer trespass and CFAA cases involves an employee taking data to which he has access but using it in an improper or unauthorized way. Typically, this means acquiring information that the employee plans to use in a new job or share with a competitor. As explained below, this conduct likely violates the computer trespass statute, but not the CFAA.
A North Carolina Business Court decision from earlier this year, Encompass Services, PLLC v. Maser Consulting P.A., illustrates how North Carolina’s computer trespass statute applies to this common fact pattern. Before diving into the case, let’s break down the statute’s key provisions:
The North Carolina computer trespass statute prohibits, among other things, making “an unauthorized copy” of any data, programs, or software. Liability requires a user to be “without authority.” “Without authority” includes using a computer or network “in a manner exceeding the [user’s] right or permission.”
In Encompass Services, an employee copied the contents of his company email account and other documents from his employer’s server to an external storage device shortly before he left to join a competing company. The employer failed to cut off the employee’s server access after he left the company, so he continued downloading and accessing information. The employee argued that he was not “without authority” because he had access to the files and information that he copied, downloaded, and accessed from the server.
The Business Court rejected this argument, pointing to the employee’s confidentiality agreement and the employer’s policies. First, the confidentiality agreement prohibited disclosure or use of various categories of information that included the files he accessed. Second, the employer’s policies said that information provided to employees could be used only for performing their jobs. These documents supported the employer’s claim that the employee accessed its server “without authority.”
The takeaway: An employee who takes information or files to which he has access but then uses for an unauthorized purpose likely violates North Carolina’s computer trespass statute, at least for now.
Does this same conduct violate the CFAA? No, according to the United States Supreme Court’s recent decision in Van Buren v. United States.
The CFAA prohibits, among other things, a user “exceed[ing] authorized access” to obtain information from a computer. “Exceed[ing] authorized access” means accessing “a computer with authorization” and using that “access to obtain or alter information in the computer that the [user] is not entitled so to obtain or alter.”
In Van Buren, a police officer accessed a law-enforcement database to retrieve information about a license plate. He then violated department policy by selling that information. He argued that “exceeds authorized access” under the CFAA means obtaining information to which a user does not have access, not using one’s access to obtain information for an unauthorized or improper purpose.
The Supreme Court agreed. It held that the phrase “exceeds authorized access” means using authorized access to obtain information in areas of a computer to which the user does not have access. Put another way, a user “exceeds authorized access” only when he retrieves information that’s off-limits to him. A user who takes information that he’s allowed to access and uses that information for an improper purpose does not “exceed authorized access” and, therefore, cannot be liable under the CFAA.
Notably, three justices dissented in Van Buren, believing that the CFAA prohibits using information to which one has access for an unauthorized purpose. Van Buren will likely influence interpretation of state statutes that, like North Carolina’s computer trespass statute, contain language similar to the CFAA. It remains to be seen if courts interpreting those statutes will hew more toward Van Buren’s majority or its dissent.
Van Buren was decided just a few weeks before Encompass Services. Van Buren could inform later judicial decisions interpreting North Carolina’s computer trespass statute—a statute that North Carolina’s appellate courts have not yet addressed.
A Potential Roadblock: The Employment and “Internal Business Disputes” Exemptions
We’ve written several times about the employment exemption to section 75-1.1. Employment disputes generally fall outside of section 75-1.1’s scope because they are not “in or affecting commerce.” For the same reason, internal business disputes cannot spawn section 75-1.1 claims.
The cases discussed above involve employees misusing their employers’ computer networks. Although this conduct might violate the computer trespass statute or CFAA, the employment and internal business disputes exemptions could prevent per se liability under section 75-1.1 based on that conduct.
Not surprisingly, we’ve found several cases (here, here, and here) dismissing section 75-1.1 claims under these exemptions while allowing claims under the computer trespass statute or the CFAA to proceed.
Trade-Secret Misappropriation: A Route Around These Exemptions?
In Encompass Services, the defendants argued that the employment exemption barred the section 75-1.1 claim. The court disagreed. Why? It concluded that the plaintiff’s claim for trade-secret misappropriation could be a per se section 75-1.1 violation.
Per se liability typically means that conduct violating a statute or regulation is unfair or deceptive within the meaning of section 75-1.1. But the employment exemption involves a different element of a section 75-1.1 claim—that the conduct is “in or affecting commerce.” Encompass Services, however, apparently took a broader view of per se section 75-1.1 liability, as it allowed the claim to proceed without discussing the employment exemption.
Claims under the North Carolina’s computer trespass statute or the federal CFAA could support per se section 75-1.1 liability. Despite the statutes’ similarities, conduct that runs afoul of the computer trespass statute might not violate the CFAA. Finally, per se section 75-1.1 claims based on violations of the computer trespass statute or CFAA might nonetheless be barred by the employment or internal business disputes exemptions. A trade-secret misappropriation claim, however, could be a per se section 75-1.1 claim that avoids these exemptions.
Author: Steven Scoggan