WEC Carolina Energy Solutions v. Willie Miller
2012 WL 3039213, 36 I.E.R. Cas. (BNA) 874, 687 F.3d 199 (2012)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
Under the Computer Fraud and Abuse Act (CFAA), the term 'exceeds authorized access' is limited to situations where an individual obtains or alters information on a computer that they do not have authorization to access, and does not encompass the misuse or misappropriation of information to which they were granted access by their employer.
Facts:
- WEC Carolina Energy Solutions, Inc. (WEC) employed Mike Miller as a Project Director, providing him with a company laptop and authorized access to its computer servers containing confidential and trade secret documents.
- WEC had company policies that prohibited employees from downloading confidential information to personal computers or using it without authorization, though these policies did not restrict Miller's permission to access the data for his work.
- While still employed at WEC, Miller, allegedly at the direction of competitor Arc Energy Services, Inc. (Arc), downloaded a substantial number of WEC's confidential documents and emailed them to his personal email address.
- On April 30, 2010, Miller resigned from WEC.
- Twenty days after his resignation, Miller, now working for Arc, used the downloaded WEC information to make a presentation on Arc's behalf to a potential WEC customer.
- The customer ultimately awarded two projects to Arc instead of WEC.
Procedural Posture:
- WEC Carolina Energy Solutions, Inc. sued its former employees, Miller and Kelley, and their new employer, Arc Energy Services, Inc., in the U.S. District Court for the District of South Carolina.
- The complaint alleged nine state-law claims and one federal claim for violation of the Computer Fraud and Abuse Act (CFAA).
- The defendants (Appellees) filed a motion to dismiss the CFAA claim under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim upon which relief can be granted.
- The district court granted the motion, dismissing the CFAA claim on the grounds that the alleged conduct did not constitute unauthorized access under the statute.
- The district court then declined to exercise supplemental jurisdiction over the remaining state-law claims.
- WEC (Appellant) appealed the district court's dismissal of its CFAA claim to the U.S. Court of Appeals for the Fourth Circuit.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does an employee who is authorized to access information on a company computer violate the Computer Fraud and Abuse Act by 'exceeding authorized access' if they subsequently use that information for a purpose contrary to the employer's interests or policies?
Opinions:
Majority - Judge Floyd
No. An employee does not 'exceed authorized access' under the Computer Fraud and Abuse Act (CFAA) merely by violating an employer's computer use policies or by misappropriating information they were otherwise permitted to access. The court adopts a narrow interpretation of the statute, holding that 'exceeds authorized access' means to obtain or alter information on a computer that the user is not entitled to access, regardless of their motive or subsequent use of that information. This interpretation is based on the plain language of the statute and the rule of lenity, which requires ambiguous criminal statutes to be construed strictly to avoid criminalizing ordinary behavior. The court expressly rejects the broader 'cessation-of-agency' theory, which holds that an employee's authorization terminates when they act contrary to their employer's interests. Adopting such a broad theory would improperly transform the CFAA from an anti-hacking statute into a tool for policing employee disloyalty and could criminalize minor workplace infractions like checking personal email or sports scores. Other state-law remedies, such as trade secret misappropriation, are the proper vehicles for addressing employee misconduct of this nature.
Analysis:
This decision significantly narrows the scope of the CFAA in the Fourth Circuit, aligning it with the Ninth Circuit's interpretation and deepening a circuit split with the Seventh Circuit's broader view. By rejecting the 'cessation-of-agency' theory, the court prevents employers from using the federal anti-hacking statute as a cause of action for ordinary employee disloyalty or trade secret theft. This ruling effectively pushes such disputes out of federal court under the CFAA and back into the domain of state contract and tort law, reinforcing the statute's original purpose as a tool against external hacking rather than internal misuse of data.
