Estes Forwarding Worldwide LLC v. Cuellar
2017 U.S. Dist. LEXIS 34384, 2017 WL 931617, 239 F. Supp. 3d 918 (2017)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
An employee's authorization to access an employer's computer system, including a cloud-based account created by the employee for business purposes, is terminated upon the cessation of employment. Subsequent access constitutes access 'without authorization' under the Computer Fraud and Abuse Act and the Stored Communications Act.
Facts:
- In 2010, Estes Forwarding Worldwide LLC ('EFW') hired Marcelo S. Cuellar, who signed a Confidentiality Agreement.
- Acting on behalf of and for the benefit of EFW, Cuellar created a Google Drive account to be used by EFW employees for sharing sensitive business information, including trade secrets about logistics.
- EFW employees used the Google Drive account to record daily shipment details, routing decisions, vendor selection, and cost information.
- EFW terminated Cuellar's employment on February 10, 2015.
- On May 19, 2016, more than a year after his termination, Cuellar accessed the EFW Google Drive account from his home.
- During this access, Cuellar removed EFW's recovery phone number and email address, changed the password, created an archive of all the data, downloaded the archive containing over 1,900 spreadsheets, and deleted the account.
- Following these actions, Cuellar began working for two of EFW's competitors.
Procedural Posture:
- In June 2016, Estes Forwarding Worldwide LLC ('EFW') filed a miscellaneous action against Comcast to discover the identity of a subscriber who had accessed its Google Drive account.
- After identifying Marcelo S. Cuellar as the subscriber, EFW filed a civil complaint against him in the U.S. District Court for the Eastern District of Virginia.
- The complaint alleged multiple counts, including violations of the Computer Fraud and Abuse Act (Count 2) and the Stored Communications Act (Count 4).
- Defendant Cuellar filed a Motion to Dismiss Counts 2 and 4 pursuant to Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does a former employee's access of a cloud-based company account, which he created for his employer during his employment, constitute unauthorized access of a protected computer causing a loss sufficient to state a claim under the Computer Fraud and Abuse Act and the Stored Communications Act?
Opinions:
Majority - Judge Henry E. Hudson
Yes. A former employee's access of a company's cloud-based account after termination constitutes unauthorized access sufficient to state a claim under the Computer Fraud and Abuse Act (CFAA) and the Stored Communications Act (SCA). The court reasoned that any authorization Cuellar had to access the account was granted by his employer, EFW, and was unequivocally rescinded upon his termination, a fact supported by the confidentiality agreement he signed. The argument that Google, not EFW, provided the authorization is unpersuasive because Cuellar created the account in the course of his employment and for the sole benefit of EFW, making it a company asset. Furthermore, the cloud-based Google account qualifies as a 'protected computer' under the CFAA because it is connected to and exists entirely on the internet, thereby affecting interstate commerce. Finally, EFW sufficiently pleaded a 'loss' under the CFAA, as the statute's definition includes reasonable costs incurred in responding to and investigating the offense, such as the legal fees EFW spent in its action against Comcast to identify the intruder. The same authorization analysis applies to the SCA claim, and the spreadsheets stored on the drive qualify as 'electronic communications' under the statute's broad definition.
Analysis:
This decision affirms the application of federal computer crime statutes to modern cloud-based work environments. It clarifies that an employee's access rights are strictly tied to their employment status, not to who technically created an account, particularly when the account was created for the employer's benefit. The ruling provides a strong basis for employers to pursue civil claims against former employees who misappropriate data from shared cloud platforms after termination. By broadly interpreting 'loss' to include investigation costs and 'protected computer' to include cloud services, the court strengthens the utility of the CFAA as a tool for corporate data protection in the digital age.
