Employee Who E-Mailed Company Documents to Home Computer Did Not Violate Computer Hacker Laws

The Ninth Circuit recently issued an opinion that demonstrates the importance of implementing clear computer access policies and ensuring that former employees' passwords are deactivated after their employment ends. In LVRC Holdings v. Brekka (9th Cir. Sept. 15. 2009), the court held that an employee who e-mailed company documents to his home computer did not violate the Computer Fraud and Abuse Act (CFAA).

LVRC Holdings operates a residential treatment center for addicted persons in Nevada. Brekka worked for LVRC conducting internet marketing programs, among other duties. At the time he worked for LVRC, Brekka also owned two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of internet sites and advertisements.

While Brekka worked for LVRC, he commuted between Florida, where his home was, and Nevada, where LVRC was located. At times, Brekka e-mailed work-related documents from his work computer to his personal computer. While he was employed, Brekka was given an administrative user name and password, which enabled him to access information about LVRC's web site. Brekka left LVRC's employment in September 2003 after negotiations to purchase an ownership interest in the company broke down. According to the court decision, shortly before his employment ended, Brekka e-mailed documents containing the names of the treatment facility's past and current patients to his personal computer.

LVRC subsequently sued Brekka, claiming he violated the CFAA when he e-mailed company documents to his home computer for his own personal business interests and when he allegedly accessed the company's computers after his employment ended. The trial court ruled in favor of Brekka and the Ninth Circuit affirmed this decision.

The CFAA prohibits individuals from accessing a protected computer without authorization. The Ninth Circuit held that Brekka did not access a protected computer without authorization when he e-mailed company documents to his home computer, even if he did so to further his personal business interests rather than to further the interests of the employer. According to the court, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. The court found that no language in the CFAA "supports LVRC's argument that the authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interests." Further, the court held that "nothing in the CFAA suggests that a defendant's liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer."

Additionally, the court found no evidence that Brekka logged into the company's computer after his employment ended. Accordingly, the court affirmed the trial court's decision in favor of Brekka.