In Advanced Micro Devices, Inc. v. Feldstein, currently pending in the District of Massachusetts, AMD brought claims against former employees who copied large volumes of confidential files before leaving to work for a competitor. The court previously entered an injunction against the defendants. For a good discussion of the case background and the injunction order, see John Marsh’s post on his Trade Secrets Litigator Blog.
AMD’s complaint included a claim for violating the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, among others. On June 10, the court entered an order on the defendants’ motion to dismiss.
This is the first time I’ve addressed the CFAA on this blog. The CFAA bars, among other things, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access and thereby obtain[ing] . . . information from any protected computer,” and
knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
Courts have adopted two different interpretations of the CFAA. The AMD court does a good job describing these two interpretations, one broad and the other narrow. In a nutshell, under the broad interpretation, an employee violates the CFAA by using a computer/server/system he is authorized to use in a manner that exceeds his authority. In contrast, under the narrow interpretation, an employee would only violate the CFAA by accessing a computer/server/system he is not authorized to access.
Here, AMD alleged that the defendants logged in to AMD’s systems with valid credentials, but used the systems to download confidential information in violation of their contractual obligations and duties of loyalty. Thus, it needed the court to adopt the broad interpretation.
The First Circuit has not yet addressed this issue, thus leaving the court to evaluate the two positions. The court applied the narrow interpretation, reasoning that Congress did not intend to supplement state trade-secret misappropriation laws, and that the broad interpretation could convert benign and common conduct like checking personal email at work into a federal crime.
But the court did not dismiss AMD’s CFAA claim. Instead, it noted that this is an unsettled area of law and gave AMD a chance to plead into the narrow standard:
If AMD can plead specific details indicating that some or all of the defendants used fraudulent or deceptive means to obtain confidential AMD information, and/or that they intentionally defeated or circumvented technologically implemented restrictions to obtain confidential AMD information, than the CFAA claims will surpass the Twombly/Iqbal standard.
While I think that the narrow interpretation is more logical and practical, it is hard to reconcile with the “exceeding authorized access” language in the statute. Regardless, bringing a CFAA claim requires a careful analysis of the relevant circuit’s precedent and the facts at issue.
Here is a link to the court’s opinion: