Bunny Bytes: Predicting the 10th Circuit

10th crystal ballThere is currently a circuit split over the CFAA and the words “exceeds authorized access,” as I previously discussed in my post Employees + the CFAA = Circuit Split. When a circuit split exists, there is a high likelihood that a petition for writ of certiorari will be granted by the Supreme Court to resolve the dispute among the Federal Circuit Courts of Appeal. Looking forward in a feeble attempt to predict the outcome of the future fate of the CFAA, I decided to start by figuring out which court of appeals SCOTUS tends to agree with the most in a circuit split and see which side of the CFAA chasm they stand on.

Although subject to change with the passing of Justice Scalia, Tom Cummins & Adam Aft have reported in their annual Appellate Review series that in recent court terms, SCOTUS has sided most frequently with the 10th Circuit in resolving a split. After that, they agree second most frequently with the 1st Circuit.

Interestingly, the 10th Circuit has yet to weigh in on the CFAA debate, and the 1st Circuit is on the increasingly unpopular side of the split, pulling for a broad interpretation of “exceeds authorized access” with their decision in EF Cultural Travel BV v. Explorica, Inc. (holding that using a web scraping tool to download all of the content off a competitor’s website “exceeded authorized access”).

Let us take a look at how the lower courts in the 10th Circuit have been interpreting “exceeds authorized access,” and whether the 10th Circuit has denied appeals of those decisions. 

US Bioservices Corporation v. Lugo

Where: District of Kansas
When: January 21, 2009
Facts: Defendants, who were former employees of a pharmaceutical care provider, obtained confidential information from their work computers, sent it to their own personal email accounts, and then later disclosed the information to their new employer.
Interpretation of CFAA: This court held that “a person may violate paragraphs (a)(2)(C) and (a)(4) of the CFAA if he exceeds his initially-authorized access to a protected computer by accessing particular information that he is not authorized to access.” Therefore, an employee could violate the CFAA if he viewed files that he was not expressly authorized to see or use within the scope of his employment. The defendants did not perform any traditional “hacking” to obtain this information, as it was readily obtainable within their allowed access to the computers, but they “were not authorized to access the particular information that they [were] accused of obtaining.” The court calls this a narrow interpretation, but I disagree. If it were truly narrow, such as the Nosal decision by the 9th Circuit, an employee’s authorized access to the entire database would be sufficient to find that they did not “exceed” their access. Thus, I would call this a “moderate” interpretation, because the court did find that “exceeds authorized access” is specific to principles of access and not principles of use/misuse.
Status: Appeal never filed.

Farmers Bank & Trust, N.A. v. Witthuhn

Where: District of Kansas
When: October 13, 2011
Facts: Defendants, who were former bank officers, copied, took, and deleted confidential customer information from the bank’s database after they announced their intent to resign, but while still employed.
Interpretation of CFAA: This court followed the lead of US Bioservices (see above) in finding that “exceeding authorized access occurs “when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled.” However, this court decided that although the defendants did not exceed their access privileges of the information by taking it, the “defendants exceeded their authorization by deleting information in Farmers’ computer system that they were not authorized to delete.”
Status: Appeal never filed.

Cloudpath Networks, Inc. v. SecureW2 B.V.

Where: District of Colorado
When: January 13, 2016
Facts: Before leaving his job with plaintiff company, Cloudpath, to work for a competitor, defendant downloaded a substantial amount of “proprietary information and software code, deleted and corrupted sales leads and customer information.” After his departure, defendant continued to use his login credentials to access Cloudpath’s servers without permission.
Interpretation of CFAA: This court “ultimately agrees with Second, Fourth, and Ninth Circuits’ shared conclusion: “exceeds authorized access” in the CFAA does not impose criminal liability on individuals who are authorized to access company data but do so for disloyal purposes; it applies only to individuals who are allowed to access a company computer and use that access to obtain data they are not allowed to see for any purpose.” However, the court did sufficiently find that when the employee used his login credentials after he was no longer employed, that use did constitute “without authorization” under the CFAA.
Status: Appeal never filed.

Tank Connection, LLC v. Haight

Where: District of Kansas
When: February 8, 2016
Facts: After Haight, a sales manager, left his job at Tank Connection to work for a competitor, a data forensics expert analyzed Haight’s work laptop and determined that just prior to departing the company, he had downloaded confidential sales information and customer contacts. Tank Connection alleged that Haight took advantage of a security breach to access files that were only privileged to upper management, which were files that he otherwise would not have had access to.
Interpretation of CFAA: This court’s interpretation is the most narrow that I have seen within this circuit thus far, finding that “[w]hen an employee has been granted general authority to access a particular area of a computer or server, as was Haight, the fact that his employer had an unexpressed desire or intent to limit his access to a portion of that area does not establish unauthorized access within the meaning of § 1030.” In other words, the fact that the employee was able to access the file at all, without express provisions limiting him otherwise, was enough to conclude that he was authorized to access it.
Status: Appeal filed on March 3, 2016. Pending review.

Prediction

Although a bit convoluted at times, it appears that the district courts within the 10th Circuit generally favor the narrow interpretation of the CFAA. However, we have yet to see the 10th Circuit confirm or deny any of these decisions because up until the recent case of Tank Connection, none of the decisions had been appealed. This blog will continue to watch the progression of Tank Connection and report here whether the 10th Circuit decides to grant or deny the appeal.

 

Crystal ball image above courtesy of Trish2 © 2007 (CC BY-SA 3.0) via Deviant Art. This image has been modified from its original form.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s