9th Circuit Construes Meaning of Without Authorization in Section 1030
September 15, 2009. The U.S. Court of Appeals (9thCir) issued its opinion [19 pages in PDF] in LVRC v. Brekka, a civil case involving Section 1030 and unauthorized access to a protected computer system. The Court of Appeals affirmed the summary judgment of the District Court for a former employee of a company that accused him of unauthorized access both during and after his employment.
This opinion addresses in detail the meaning of the statute's phrases "without authorization" and "exceeds authorized access". Notably, this Court declined to follow the shaky reasoning of Judge Posner's 7th Circuit opinion in International Airport Centers v. Citrin. See, 440 F.3d 418, and story titled "7th Circuit Applies Computer Hacking Statute to Use of Trace Removers on Employee Laptops" in TLJ Daily E-Mail Alert No. 1,418, July 26, 2006.
Background. Christopher Brekka worked for LVRC Holdings LLC in a position that related to web and e-mail marketing. LVRC provided him with a computer at work. His job entailed using it. Brekka and LVRC had no employment contract or agreement that covered his use and access to LVRC's computer system. LVRC had no relevant company policy. Brekka lived in Florida, and computed to Nevada to work. He sent e-mail copies of company documents to himself in connection with performing his job responsibilities.
After he left his employment, LVRC filed a complaint against Brekka, his consulting businesses, and others alleging various state law claims, and violation of 18 U.S.C. §§ 1030(a)(2) & (4) in connection with his sending e-mail while employed by LVRC, and accessing the companies restricted access web site after his departure.
The District Court granted summary judgment to Brekka on the Section 1030 claims, and declined to exercise jurisdiction over the state law claims. LVRC brought the present appeal.
Statute. The Computer Fraud and Abuse Act (CFAA), which is codified at 18 U.S.C. § 1030, is the main federal computer hacking criminal statute. It contains numerous criminal bans related to unauthorized accessing of computers to steal information or cause damage.
In addition, some of the bans can also give rise to civil liability. Subsection 1030(g) provides, in part, that "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). ..."
Subsection 1030(a)(2) provides that "(a) Whoever ... (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... (C) information from any protected computer if the conduct involved an interstate or foreign communication;
Subsection 1030(a)(4) provides that "(a) Whoever ... (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;"
The five types of conduct listed in subsection 1030(a)(5)(B) are as follows:
"(i) loss to 1 or more persons during any 1-year period (and, for purposes of
an investigation, prosecution, or other proceeding brought by the United States
only, loss resulting from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;"
Court of Appeals. The Court affirmed the judgment of the District Court.
First, as to the allegation of post employment access, the Court held that LVRC presented insufficient evidence to survive a motion for summary judgment. Basically, it offered evidence that someone using Brekka's username logged into the LVRC web site. However, the evidence also showed that this information was on Brekka's computer when he left the company, and any subsequent user of that computer could have logged on with Brekka's information.
Second, the Court held that the allegation that Brekka acted "without authorization" or exceeded "authorized access" during his employment fail. It wrote that he was an employee, given a computer, and expected to use it, which he did.
LVRC relied upon the unfortunate 2006 opinion [7 pages in PDF] of the U.S. Court of Appeals (7thCir) in Citrin, a post-employment dispute involving Section 1030(a)(5) and an employee's use of a trace remover tools on the laptop assigned by his employer.
In Citrin the 7th Circuit held that an employee acted without authorization, in the absence of any violation of a contract or policy, or instructions, based upon obscure principles of agency law. However, the Court of Appeals in the present case wrote that "We are unpersuaded by this interpretation" of "without authorization".
The Court wrote in the present opinion that "No language in the CFAA supports LVRC's argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest. Rather, the definition of ``exceeds authorized access´´ in § 1030(e)(6) indicates that Congress did not intend to include such an implicit limitation in the word ``authorization.´´"
In other words, the Court wrote, "for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or ``without authorization.´´"
In continued, "According to LVRC, Citrin supports its argument that the CFAA incorporates an additional limitation in the word “authorization,” such that an employee can lose authorization to use a company computer when the employee resolves to act contrary to the employer's interest. In Citrin, the court held that an employee's authorization to access a computer ended for purposes of § 1030(a)(5) when the employee violated his duty of loyalty to his employer. The employee had decided to start a competing business in violation of his employment contract and erased all data from his work laptop computer before quitting his job."
The Court wrote that were it to accept the reasoning in Citrin, Brekka would have acted "without authorization". But, it rejected Citrin, because it does not comport with the language of Section 1030, and because Section 1030 is primarily a criminal statute, and courts should not interpret "criminal statutes in surprising and novel ways that impose unexpected burdens on defendants".
The Court of Appeals held that "a person uses a computer ``without authorization´´ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway". (Parentheses in original.)
The case is LVRC Holdings LLC v. Christopher Brekka, et al., U.S. Court of Appeals for the 9th Circuit, App. Ct. No. 07-17116, an appeal from the U.S. District Court for the District of Nevada, D.C. No. CV-05-01026-KJD, Judge Kent Dawson presiding. Judge Sandra Ikuta wrote the opinion of the Court of Appeals, in which Judges Margaret McKeown and James Selna (USCD/CDCal) joined.