IN THE COURT OF CHANCERY OF THE STATE OF DELAWARE
ALIXPARTNERS, LLP, and )
ALIXPARTNERS HOLDINGS, )
LLP, )
Plaintiffs, )
)
v. ) C.A. No. 2018-0600-KSJM
)
DAVID BENICHOU, )
)
Defendant. )
OPINION
Date Submitted: January 31, 2019
Date Decided: May 10, 2019
Bradley R. Aronstam, Eric D. Selden, R. Garrett Rice, ROSS ARONSTAM &
MORITZ LLP, Wilmington, Delaware; Robert S. Berezin, Nicholas J. Pappas,
WEIL, GOTSHAL & MANGES LLP, New York, New York; Counsel for Plaintiffs
AlixPartners, LLP and AlixPartners Holdings, LLP.
John P. DiTomo, Matthew R. Clark, Barnaby Grzaslewicz, MORRIS, NICHOLS,
ARSHT & TUNNELL LLP, Wilmington, Delaware; Counsel for Defendant David
Benichou.
McCORMICK, V.C.
The plaintiffs operate a global corporate restructuring advisory firm. The
defendant was the managing partner of the plaintiffs’ Paris office. As a partner, the
defendant had access to the plaintiffs’ confidential information. When he became a
partner, the defendant also became party to a limited liability partnership agreement
that contained confidentiality obligations. The defendant resigned from his position
in early 2017. Shortly before his resignation, the defendant connected a personal
data drive to his work-issued computer and accessed the plaintiffs’ business files.
Shortly after his resignation, the defendant repeated this act.
After his resignation, the defendant began working for one of the plaintiffs’
competitors. Concerned that defendant may use their confidential information to
benefit the competitor, the plaintiffs sought assurances from the competitor
regarding the defendant’s confidentiality obligations. The plaintiffs were
dissatisfied with the competitor’s response and initiated an investigative proceeding
in Paris courts seeking targeted data searches of certain devices. The plaintiffs then
sued in this court for breach of the confidentiality provisions of the limited liability
partnership agreement. They also asserted three non-contractual claims for relief:
for violating the Delaware Uniform Trade Secrets Act (or “DUTSA”), for common
law conversion, and for violating the federal Computer Fraud and Abuse Act (or the
“CFAA”). The defendant moved to dismiss each of the non-contractual claims.
The defendant’s motion to dismiss the CFAA claim raises an issue of first
impression for this Court. The provision of the CFAA on which the plaintiffs rely
renders liable a person who “intentionally accesses a computer without
authorization, or exceeds authorized access, and thereby obtains . . . information
from any protected computer[.]” 1 The plaintiffs argue that the defendant “exceeded
authorized access” by using information in violation of the plaintiffs’ limited
partnership agreement and policies. The defendant argues that this language
provides a narrow cause of action under which he can be liable for unauthorized
access of protected computers only, not for misuse of information that he was
authorized to access.
Federal courts split on the interpretation of the CFAA disputed by the parties,
the Third Circuit has not weighed in, and district courts in the Third Circuit diverge.
Relying on principles of statutory construction, this decision adopts the narrow
approach first set forth by the Ninth Circuit in LVRC Holdings LLC v. Brekka.2
Under the narrow approach, the defendant’s actions while he was employed by the
plaintiffs and had authorized access to the plaintiffs’ confidential information do not
support a claim under the CFAA. By contrast, it is reasonably conceivable that the
defendant did not have authorized access to the documents he allegedly transferred
after his resignation. As to the defendant’s post-resignation conduct, the plaintiffs’
1
18 U.S.C. § 1030(a)(2)(C) (emphasis added).
2
581 F.3d 1127 (9th Cir. 2009).
2
CFAA claim is legally viable. The motion to dismiss the CFAA claims is thus
granted, but only in part.
The Court denies dismissal for the remainder of the plaintiffs’ non-contractual
claims. Because all of the alleged acts of misappropriation occurred in France, the
defendant moves to dismiss the plaintiffs’ claim under DUTSA based on the
presumption against extraterritoriality. The parties’ extraterritoriality analysis
involves a fact-intensive inquiry. Nearly all states have adopted the Uniform Trade
Secrets Act. It is reasonably conceivable that some state’s Uniform Trade Secrets
Act applies given the plaintiffs’ global brand. Under Delaware’s liberal pleading
standard, the plaintiffs need not identify which law applies at the pleadings stage.
The defendant’s other dismissal arguments likewise fail. The defendant
argues that the plaintiffs have not adequately alleged the elements of a trade secrets
claim, but the complaint easily meets the plaintiff-friendly pleading standard. The
defendant argues that the plaintiffs’ conversion claim is duplicative of the
contractual claim, but those claims arise from different obligations and appropriately
stand alone. The defendant argues that DUTSA preempts the plaintiffs’ conversion
claim, but that conclusion depends on which state’s trade secrets laws—if any—
apply. Such a determination is premature and as a result, dismissal of the plaintiffs’
conversion claim is inappropriate.
3
I. FACTUAL BACKGROUND
The facts are drawn from the complaint 3 and matters not subject to reasonable
dispute.
A. Defendant’s Employment by Plaintiffs
AlixPartners, LLP and AlixPartners Holdings, LLP (collectively,
“Plaintiffs”), are a corporate restructuring advisory firm and its holding company
parent, respectively. Both entities are organized as Delaware limited liability
partnerships. Plaintiffs were founded in 1981 and now have a “global reputation”
built through work with “multinational clients” in a range of industries.4
Defendant David Benichou (“Defendant”) joined Plaintiffs on February 27,
2006. He served as Managing Director in Plaintiffs’ Paris offices from January 1,
2013 to October 25, 2017. In that position, Defendant was responsible for: building
and maintaining client relationships; leading complex engagements; recruiting top
talent; and developing intellectual property for the firm. In carrying out these
responsibilities, Defendant had access to Plaintiffs’ confidential and proprietary
information.
When Defendant became a Partner, he signed as a party to Plaintiffs’
January 12, 2017 Second Amended and Restated LLP Agreement (the “LLP
3
C.A. No. 2018-0600-KSJM Docket (“Dkt.”) 1, Verified Compl. (“Compl.”).
4
Compl. ¶ 13.
4
Agreement”). The LLP Agreement includes confidentiality requirements protecting
Plaintiffs’ non-public information. Plaintiffs also have a written data policy on the
acceptable use of Plaintiffs’ “data, networks, systems, devices, and applications.”5
B. Defendant Accesses Plaintiffs’ Confidential Information
During his employment with Plaintiffs, Defendant kept thousands of
Plaintiffs’ confidential documents on the local C drive of his work-issued computer
in a folder titled “BatDocuments.” 6 These documents included “numerous
PowerPoint presentations related to Defendant’s work on behalf of [Plaintiffs],
reports, revenue assessments, studies prepared by [Plaintiffs], notes from meetings,
pricing analyses, and other strategic documents,” Plaintiffs allege. 7
The complaint sets out in granular detail facts from which this Court can infer
that Defendant transferred these confidential documents to a personal data device
before and after his resignation. The complaint alleges that, around March 8, 2017,
“Defendant connected a Western Digital 250 GB personal external hard drive to his
Computer.” 8 Then,
[a]t approximately 7:31 AM CEST (Paris local time),
Defendant accessed the subfolder “Presentation” within a
matter-named subfolder in the “BatDocuments” folder on
the C drive of Defendant’s Computer with the pathname
5
Id. ¶ 18.
6
Id. ¶ 45.
7
Id. ¶ 50.
8
Id. ¶ 46.
5
C:\Users\dbenichou\Documents\Batdocuments\39-
[Matter Name]\Presentation.
. . . [O]ne minute later, at 7:32 AM CEST, Defendant
accessed a subfolder on his personal external hard drive,
with the identically named pathname
D:\Batdocuments\39-[Matter Name]\Presentation.9
Defendant resigned from his position with Plaintiffs in 2017, providing notice
on May 1, 2017. Plaintiffs dismissed Defendant from his duties on July 25, 2017,
and he stopped performing work for Plaintiffs around that time. Three days later,
on July 28, 2017, “Defendant again connected his personal external hard drive to his
Computer.”10 The complaint alleges:
At 8:22 AM (CEST) on July 28, 2017, [Defendant] created
the folder entitled “Personnel et confidentiel 2” on the
local C drive of his Computer. Defendant then copied
folders containing hundreds of files from the
“BatDocuments” folder on the C drive of his Computer
into the “Personnel et confidentiel 2” folder on his
Computer. At or around 10:54 AM local time, Defendant
cut and pasted the “Personnel et confidentiel 2” folder—
which then contained those hundreds of files—from his
Computer onto his personal external hard drive.
Defendant proceeded to review other files on his
Computer, and placed some files in the Recycle Bin on the
Computer.
. . . Defendant also accessed another folder on his
Computer entitled “Personnel et confidentiel,” which he
had created on or around April 13, 2017 and accessed a
number of times between then and July 28, 2017. He
9
Id. ¶¶ 46–47 (footnotes omitted).
10
Id. ¶ 51.
6
deleted the “Personnel et confidentiel” folder at or after
12:40 PM CEST on July 28, 2017.11
Defendant never informed Plaintiffs of his personal data drive, disclosed that
he had transferred these documents to it, or returned any confidential information it
contained.
Defendant started working for the corporate restructuring division of Boston
Consulting Group (“BCG”) around October 2017. BCG’s restructuring division
directly competes with Plaintiffs, according to the complaint.
Plaintiffs allege that BCG employees contacted Defendant in early 2017
before he resigned. Plaintiffs also allege that Defendant disclosed Plaintiffs’
confidential information to BCG employees in the first half of 2017, and that
Defendant “decided to take [Plaintiffs’] confidential information with him when he
left in order to use that confidential information at [BCG] for his benefit and for the
benefit of BCG . . . .” 12
C. Procedural Posture
On August 10, 2018, Plaintiffs initiated this action. The complaint asserts
four causes of action. Count I alleges that Defendant breached the confidentiality
provisions of the LLP Agreement. Count II alleges that Defendant breached the
Delaware Uniform Trade Secrets Act. Count III alleges that Defendant committed
11
Id. ¶¶ 51–52.
12
Id. ¶ 22.
7
common law conversion. Count IV alleges that Defendant violated the federal
CFAA.
On September 28, 2018, Defendant responded by moving to dismiss Counts II
through IV of the complaint. The parties completed briefing on the motion on
January 22, 2019, 13 and the Court heard oral argument on January 31, 2019.14
II. LEGAL ANALYSIS
Defendant moves to dismiss pursuant to Court of Chancery Rule 12(b)(6). On
a Rule 12(b)(6) motion, the Court “accept[s] all well-pleaded factual allegations in
the [c]omplaint as true,” and “draw[s] all reasonable inferences in favor of the
plaintiff . . . .” 15 The Court denies the motion “unless the plaintiff could not recover
under any reasonably conceivable set of circumstances susceptible of proof.” 16 The
Court neither “accept[s] conclusory allegations unsupported by specific facts, Court
13
Dkt. 14, Def.’s Opening Br. in Supp. of His Mot. to Stay or in the Alternative Dismiss
the Verified Compl. (“Def.’s Opening Br.”); Dkt. 18, Pls.’ Answering Br. in Opp’n to
Defendant’s Mot. to Dismiss the Verified Compl. (“Pls.’ Ans. Br.”); Dkt. 23, Def.’s Reply
Br. in Supp. of His Mot. to Stay or in the Alt. Dismiss the Verified Compl. and Mot. to
Stay Disc.; Dkt. 26, Pls.’ Sur-Reply in Opp’n to Def.’s Mot. to Dismiss the Verified Compl.
14
Dkt. 30, Oral Arg. on Mot. to Dismiss and Mot. to Stay before V.C. McCormick. In the
alternative to his dismissal arguments, Defendant sought to dismiss or stay the Delaware
proceedings pursuant to McWane Cast Iron Pipe Corp. v. McDowell-Wellman Eng’g Co.,
263 A.2d 281, 283 (Del. 1970), pending resolution of the French proceedings. The Court
denied the motion by an Order issued on February 7, 2018. Dkt. 31, Order Addressing
Def.’s McWane Mot. to Dismiss or Stay.
15
Cent. Mortg. Co. v. Morgan Stanley Mortg. Capital Hldgs. LLC, 27 A.3d 531, 536 (Del.
2011) (citing Savor, Inc. v. FMR Corp., 812 A.2d 894, 896–97 (Del. 2002)).
16
Id.
8
neither “accept[s] conclusory allegations unsupported by specific facts,
nor . . . draw[s] unreasonable inferences in the plaintiff’s favor.”17
A. Count II—Delaware Uniform Trade Secrets Act
Count II asserts that Defendant misappropriated hundreds of Plaintiffs’
documents, some of which contained trade secrets, in violation of the Delaware
Uniform Trade Secrets Act (or “DUTSA”). Defendant argues that Count II should
be dismissed because the complaint fails to plead a DUTSA claim, and because
DUTSA does not apply extraterritorially to conduct alleged to have occurred solely
in France.
1. Plaintiffs adequately allege the elements of a trade secrets
claim.
A claim for misappropriation of trade secrets under DUTSA requires
allegations sufficient to show: (1) the existence of a trade secret (i.e., information
with commercial utility arising from its secrecy and reasonable steps to maintain this
secrecy); (2) which the plaintiff communicated to the defendant; (3) under an
express or implied understanding that the defendant would respect the secrecy of the
matter; and that (4) the defendant used or disclosed the secret information in breach
of that understanding to the injury of the plaintiff. 18
17
Clinton v. Enter. Rent-A-Car Co., 977 A.2d 892, 895 (Del. 2009).
18
Wilm. Tr. Co. v. Consistent Asset Mgmt. Co., Inc., 1987 WL 8459, at *3 (Del. Ch.
Mar. 25, 1987).
9
Defendant argues that Plaintiffs have not adequately pled the first element, the
existence of a trade secret. To show the existence of a trade secret, a plaintiff must
allege that the information “[d]erives independent economic value, actual or
potential, from not being generally known to, and not being readily ascertainable by
proper means by, other persons who can obtain economic value from its disclosure
or use” and that the information is “the subject of efforts that are reasonable under
the circumstances to maintain its secrecy.” 19 “Trade secrets should be given an
expansive meaning and interpretation.” 20
The complaint sufficiently alleges the existence of a trade secret. According
to the complaint, Plaintiffs have “developed numerous methods, techniques, and
processes for conducting and marketing its consulting business that derive
independent economic value from not being generally known to others who might
use or disclose them for economic gain.” 21 That information includes documents
like “revenue assessments, studies prepared by [Plaintiffs], notes from meetings,
pricing analyses, and other strategic documents.”22 The alleged categories of
19
6 Del. C. § 2001(4).
20
Sanirab Corp. v. Sunroc Corp., 2002 WL 1288732, at *3 (Del. Super. Apr. 29, 2002)
(emphasis omitted).
21
Compl. ¶ 67.
22
Id. ¶ 50.
10
documents are not overly vague or so broad as to be meaningless. 23 It is reasonably
conceivable that these documents have independent economic value. 24
Plaintiffs also took reasonable steps to guard the secrecy of these documents.
Under Delaware law, the existence of a confidentiality agreement satisfies this
requirement. 25 The acceptable use policy provided an added layer of protection.
Plaintiffs also protect their confidential information with passwords, restrict rights
and access to those employees with a need to know, and include confidentiality
provisions in their employment agreements. 26
Next, Defendant argues that Plaintiffs have not adequately pled the fourth
element, that Defendant used or disclosed the trade secrets. It is the rare
misappropriation case in which Plaintiffs have first-hand knowledge of this element
23
Compare id. ¶¶ 45, 50 (describing the organization and nature of the documents
containing trade secrets) with MHS Capital LLC v. Goggin, 2018 WL 2149718, at *14
(Del. Ch. May 10, 2018) (dismissing trade secret claim where complaint vaguely referred
to “potential returns” and “strategies”).
24
GWO Litig. Tr. v. Sprint Sols., Inc., 2018 WL 5309477, at *9–10 (Del. Super. Oct. 25,
2018) (A DUTSA claim will survive a motion to dismiss where the documents in question
are “conceivably of independent economic value.” (emphasis added)).
25
See GWO Litig., 2018 WL 5309477, at *10 (holding that the “reasonable efforts” prong
“is not a high bar” and that “confidentiality provisions or policies intended to prevent
unauthorized disclosure are sufficient”).
26
Compare Compl. ¶ 68 (describing minimum necessary rights and access provided only
to employees “with a need to know”) with Goggin, 2018 WL 2149718, at *14 (granting a
motion to dismiss a trade secrets claim on where the complaint simply repeated as an
allegation and in conclusory form the language of the statute, that “ECM took reasonable
steps to maintain secrecy”).
11
at the pleadings stage. 27 Typically, the Complaint must rely on inferences or
circumstantial evidence. Here, the Complaint alleges the following facts. Defendant
transferred documents containing confidential information and trade secrets onto a
personal hard drive right before and after he left to work for a competitor. Defendant
never disclosed the hard drive to Plaintiffs. Defendant never accounted for the
documents he transferred onto the hard drive when he began working at BCG. And
Defendant refused to confirm his compliance with his contractual obligations despite
Plaintiffs’ requests. It is reasonable to infer, based on the facts alleged, and under a
plaintiff-friendly standard, that Defendant has used or disclosed these documents.
2. Defendant’s extraterritoriality argument is not
appropriately addressed at the pleadings stage.
In the alternative, Defendant argues that Count II should be dismissed because
DUTSA does not apply on its face to actions taken outside Delaware, and each of
Defendant’s alleged actions occurred in France.28 Plaintiffs respond that “this case
does not . . . require consideration of extraterritoriality,” 29 that the extraterritorial
application of DUTSA is more appropriately framed as a choice-of-law question,30
27
See Accenture Glob. Servs. GMBH v. Guidewire Software Inc., 581 F. Supp. 2d 654, 662
(D. Del. 2008) (“It is not common for a trade secret misappropriation plaintiff to know,
prior to discovery, the details surrounding the purported theft.”).
28
Def.’s Opening Br. at 30.
29
Pls.’ Ans. Br. at 32.
30
Id. at 32–33.
12
and that such an analysis is necessarily fact intensive so the Court should not conduct
it on the pleadings. If the Court does conduct the choice-of-law analysis, Plaintiffs
argue that the analysis should focus on the place of Plaintiffs’ injury, which Plaintiffs
say favors applying Delaware law, and not Defendant’s conduct.
This decision assumes that the presumption against extraterritoriality analysis
applies, and that it precludes applying the DUTSA to the conduct at issue, as
Defendant argues. Even assuming these premises, Count III survives Defendant’s
motion to dismiss. Delaware’s liberal notice pleading rules require only “a short and
plain statement of the claim showing that the pleader is entitled to relief[.]”31
Consequently, a plaintiff need not identify the precise law on which it relies.32
Plaintiffs operate in a global market, and nearly all of the states have adopted the
Uniform Trade Secrets Act. The standard is “reasonable conceivability.” 33 It is
reasonably conceivable that the law of Plaintiffs’ principal place of business
(Michigan) or another state’s law applies.
B. Count III—Conversion
Count III alleges that if any of the documents taken by Defendant do not rise
to the level of a trade secret, they still constitute confidential and proprietary
31
Ct. Ch. R. 8(a)(1).
32
Dow Chem. Co. v. Organik Kimya Hldg. A.S., 2018 WL 2382802, at *4 (Del. Ch.
May 25, 2018).
33
Cent. Mortg., 27 A.3d at 537 (citation and internal quotation marks omitted).
13
information.34 Plaintiffs contend that Defendant took possession of these documents
and never returned them. 35
As with Count II, Count III hinges on issues that are inappropriate to decide
on a motion to dismiss. For example, Defendant argues that Count III should be
dismissed because the DUTSA preempts Plaintiffs’ conversion claim. 36 Some
states interpret the Uniform Trade Secrets Act as preempting all common law claims
for conversion of confidential information;37 other states do not. 38 Whether
Plaintiffs’ trade secrets claim preempts the conversion claim will depend on what
law applies. As discussed above, what law applies is not a pleadings-stage issue.
Neither, therefore, is preemption. 39
34
Compl. ¶ 75.
35
Id. ¶ 76.
36
See generally 6 Del. C. § 2007(a) (“[T]his chapter displaces conflicting tort,
restitutionary and other law of this State providing civil remedies for misappropriation of
a trade secret.”); Alarm.com Hldgs. Inc. v. ABS Capital P’rs, 2018 WL 3006118, at *9–11
(Del. Ch. June 15, 2018), aff’d on other grounds, 204 A.3d 113 (Del. 2019).
37
See generally Alarm.com, 2018 WL 3006118, at *11 n.67.
38
See, e.g., Am. Biomedical Gp., Inc. v. Techtrol, Inc., 374 P.3d 820, 827 (Okla. 2016)
(“By its unambiguous language, Section 92(A) of the [Oklahoma Uniform Trade Secrets
Act] displaces conflicting tort claims only for ‘misappropriation of a trade secret.’ It does
not displace tort claims for information not meeting this definition.”); Int’l Paper Co. v.
Gilliam, 2003 WL 23573613, at *4 (Va. Cir. Ct. Dec. 23, 2003) (“The [Virginia Uniform
Trade Secrets Act] does not preempt alternative tort recovery unless it is clear that the
[confidential information at issue] falls within the confines of the Act.”).
39
Plaintiffs have identified a potentially applicable French law, which they describe as the
French Civil Code equivalent to Delaware’s common law claim of conversion. See Pls.’
Ans. Br. at 45–47. This decision does not resolve whether Plaintiffs have or must state a
claim under French law.
14
As an independent basis for dismissal, Defendant argues that Count III should
be dismissed because it is duplicative of Count I’s breach of contract claim. 40 It is
not clear that the “only confidentiality obligation” pleaded derives from the LLP
Agreement, as Defendant contends.41 It is reasonably conceivable that Plaintiffs
have a separate property interest in the confidential information. 42 The Counts were
asserted in the alternative, as permitted under Delaware law. 43
For these reasons, Defendant’s motion to dismiss Count III is denied.
C. Count IV—Computer Fraud and Abuse Act
Count IV alleges that Defendant violated the CFAA. 44 Congress passed the
CFAA in 1984 as the first piece of federal legislation directed solely at computer
40
Def.’s Opening Br. at 46–47.
41
Id. at 47.
42
See, e.g., Rockwell Automation, Inc. v. Kall, 2004 WL 2965427, at *4 (Del. Ch. Dec. 15,
2004) (observing that the plaintiff “has a property interest in its confidential information”);
Sustainable Energy Generation Gp., LLC v. Photon Energy Projects BV,
2014 WL 2433096, at *14 (Del. Ch. May 30, 2014) (holding that it was reasonably
conceivable that plaintiff could prove a property interest in confidential information);
Overdrive, Inc. v. Baker & Taylor, Inc., 2011 WL 2448209, at *5 (Del. Ch. June 17, 2011)
(allowing a claim based on conversion of confidential information to survive a motion to
dismiss along with a separate claim for breach of a contractual confidentiality obligation).
43
Israel Disc. Bank of New York v. First State Depository Co., LLC, 2012 WL 4459802,
at *13 (Del. Ch. Sept. 27, 2012), aff’d, 86 A.3d 1118 (Del. 2014) (“I note that [p]laintiff is
permitted under [Court of Chancery] Rule 8(e)(2) to plead claims in the alternative.
Therefore, even if [the plaintiff’s] breach of contract and conversion claims were mutually
exclusive, that would not preclude [the plaintiff] from pursuing both claims in the
alternative.”).
44
18 U.S.C. § 1030(a)(2)(C).
15
crime. 45 Originally, the CFAA was a criminal statute intended to protect a limited
set of federal computers and financial institutions. 46 It was later expanded to include
a broad category of computers “used in or affecting interstate or foreign commerce
of communication”47 and amended to add a civil cause of action. 48 As a result,
violations of the statute expose offenders to both civil and criminal liability.
Plaintiffs allege that Defendant violated Section 1030(a)(2)(C) of the CFAA
by misappropriating information stored on Defendant’s work-issued computer.
Section 1030(a)(2)(C) renders liable a person who “intentionally accesses a
45
H.R. Rep. No. 98–894, at 6 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3691 (“There
is [n]o specific federal legislation in the area of computer crime.”).
46
Brekka, 581 F.3d at 1130 (“The CFAA was enacted . . . to enhance the government’s
ability to prosecute computer crimes.”); Shawn E. Tuma, What Does CFAA Mean and Why
Should I Care?, 63 S.C. L. Rev. 141, 155 (2011) (“This first statute was very narrow. This
statute was limited to ‘three specific scenarios: computer misuse to obtain national security
secrets, computer misuse to obtain personal financial records, and hacking into U.S.
Government computers’ . . . . The CFAA’s general purpose, originally, was to address the
growing problems of computer crime and hacking directed at government interest
computers.” (citations and footnotes omitted)).
47
Economic Espionage Act, Pub. L. No. 104–294, 110 Stat. 3488 (1996); 18 U.S.C.
§ 1030(e)(2).
48
Proof of one of five additional factors is necessary to maintain a civil action. 18 U.S.C.
§ 1030(g) (“Any person who suffers damage or loss by reason of a violation of this section
may maintain a civil action against the violator to obtain compensatory damages and
injunctive relief or other equitable relief.”); S. Rep. No. 104–357, at 11–12, 14 (1996)
(“The amendment to section 1030(g) provides that victims of computer abuse can maintain
a civil action against the violator to obtain compensatory damages, injunctive relief, or
other equitable relief.”); Catherine M. Sharkey, Trespass Torts and Self-Help for an
Electronic Age, 44 Tulsa L. Rev. 677, 693 (2009) (“Originally enacted exclusively as a
criminal statute, the CFAA was amended in 1994 to add a private civil cause of action with
fairly broad jurisdictional reach.” (citations and footnote omitted)).
16
computer without authorization, or exceeds authorized access, and thereby
obtains . . . information from any protected computer.”49
Defendant’s motion to dismiss Count IV focuses on the meaning of the words
emphasized above—“without authorization” and “exceeds authorized access.”
Defendant argues that the CFAA provides a narrow cause of action under which
Plaintiffs can hold Defendant liable for unauthorized access of protected
computers.50 Defendant argues that the CFAA does not protect against misuse of
information by a person otherwise authorized to access the information at issue.
Plaintiffs respond that the CFAA creates liability for misusing information obtained
through authorized access to a protected computer. 51
1. The split in federal authority: the broad and narrow
approaches.
The parties’ dispute parallels a nationwide split of federal authority over the
proper interpretation of the terms “without authorization” and “exceeds authorized
access” in the CFAA.
The first line of cases interprets “accesses a computer without authorization”
and “exceeds authorized access” broadly. First promulgated by the First Circuit in
EF Cultural Travel BV v. Explorica, Inc., and advanced by Plaintiffs here, the broad
49
18 U.S.C. § 1030(a)(2)(C) (emphasis added).
50
Def.’s Opening Br. at 49.
51
Pls.’ Ans. Br. at 51–52.
17
interpretation holds that accessing a computer or information in violation of one’s
use obligations can give rise to liability under the “exceeds authorized access”
provision.52 In EF Cultural, the Court held that the complaint states a claim that the
defendant violated the CFAA by disclosing proprietary information in breach of a
confidentiality agreement and policy. 53 Later, in Citrin, the Seventh Circuit adopted
the First Circuit’s broad interpretation, but framed the analysis as an agency
relationship issue. 54 The Court reasoned when an employee uses information in a
manner adverse to his employer, the employee violates loyalty duties, thereby
implicitly terminating the agency relationship, and losing any authority to access the
computer or any information on it.55 Appellate courts in the Fifth and Eleventh
Circuits have also adopted a broad interpretation of the CFAA. 56
The second line of cases interprets “accesses a computer without
authorization” and “exceeds authorized access” narrowly. First adopted by the Ninth
Circuit in Brekka, the narrow approach does not consider an individual’s intended
52
274 F.3d 577, 582–83 (1st Cir. 2001).
53
Id. (“[The plaintiff] is likely to prove . . . excessive access based on the confidentiality
agreement between [a defendant] and [the plaintiff].”).
54
Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006).
55
Id.
56
United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez,
628 F.3d 1258, 1263 (11th Cir. 2010).
18
or actual misuse of accessed information. 57 Appellate courts in the Second and
Fourth Circuits have adopted the narrow approach.58
2. This decision adopts the narrow approach.
The meaning of “accesses a computer without authorization” and “exceeds
authorized access” as used in the CFAA is an issue of first impression for Delaware
courts. No authority that binds this Court has addressed the issue. No Delaware
state court has encountered the question presented.59 In interpreting federal statutes
absent binding precedent, this Court gives great weight to the rulings of the Third
Circuit and Delaware district court.60 But neither the Third Circuit nor the Delaware
57
581 F.3d 1127. See also United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012)
(applying Brekka).
58
United States v. Valle, 807 F.3d 508, 527–28 (2d Cir. 2015); WEC Carolina Energy Sols.
LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012).
59
Delaware has a statutory counterparty to the CFAA—the Misuse of Computer System
Information Statute, 11 Del. C. § 935 et seq. Unlike the CFAA, that statute expressly
prohibits “unauthorized use.” 11 Del. C. § 935(1) (“A person is guilty of the computer
crime of misuse of computer system information when . . . [a]s a result of accessing or
causing to be accessed a computer system, the person intentionally makes or causes to be
made an unauthorized display, use, disclosure or copy . . . .”). Given its distinguishable
language, cases interpreting Section 935(1) are not instructive to the issue at hand.
60
See, e.g., Johnson v. State, 983 A.2d 904, 917 (Del. 2009) (“After reviewing the varied
approaches taken by the Circuit courts in light of somewhat unclear United States Supreme
Court precedents, we adopt the approach taken by the Third Circuit[.]”); Cosby v. Correct
Care Sols., LLC, 2016 WL 7103387, at *6 (Del. Super. Dec. 6, 2016) (“The language of
the DDEA is virtually identical to 42 U.S.C. § 2000(e) of the federal Civil Rights Act of
1964 (Title VII). Accordingly, when construing the DDEA, Delaware courts look to how
the federal courts in the Third Circuit and the District of Delaware have construed Title VII
cases.”); Fusco v. Dauphin, 75 A.2d 701, 702 (Del. Super. 1950) (“[O]ur own Federal
District Court has held that a party is not required to admit facts not within his personal
knowledge. . . . While not actually binding upon me, this decision is entitled to the utmost
19
district court has ruled on the matter. And non-Delaware district courts within the
Third Circuit diverge in their approach. 61
Without clear guidance from state or federal authorities, this Court looks to
principles of statutory interpretation to discern the CFAA’s meaning, and concludes
that the narrow approach is best supported. The analysis starts with the plain
language of the statute.62 If the plain language is clear and unambiguous, the
respect.” (citation omitted)). See also Red Maple Props. v. Zoning Comm’n of Town of
Brookfield, 610 A.2d 1238, 1242 n.7 (Conn. 1992) (“‘The decisions of the federal circuit
in which a state court is located are entitled to great weight in the interpretation of a federal
statute.’” (alteration omitted)); Pignato v. Great W. Bank, 664 So. 2d 1011, 1015 (Fla. Dist.
Ct. App. 1995) (“[A]ccording unusual weight to a decision on an issue rendered by a
federal circuit in which the state is located is an appropriate method for deciding federal
questions where there is no Supreme Court authority[.]”); Littlefield v. State, 480 A.2d 731,
737 (Me. 1984) (“[I]n the interests of existing harmonious federal-state relationships, it is
a wise policy that a state court of last resort accept, so far as reasonably possible, a decision
of its federal circuit court on . . . a federal question.”); Abbott v. Goodwin, 804 P.2d 485,
490 (Or. Ct. App. 1991) (stating that although not bound by lower federal court decisions,
“under principles of federalism, we not only defer to federal court precedents, we should
give weight to those of the Ninth Circuit, in which Oregon lies”), modified on other
grounds, 809 P.2d 716 (Or. 1991).
61
Compare Beauty Plus Trading, Co. v. Adamo, 2018 WL 846918, at *1–2 (D.N.J.
Feb. 13, 2018) (adopting narrow approach), Teva Pharm. USA, Inc. v. Sandhu, 291
F. Supp. 3d 659, 669–70 (E.D. Pa. 2018) (same), Tactical Pers. Leasing, Inc. v. Hajduk,
2018 WL 4740195, *2–3 (W.D. Pa. Oct. 2, 2018) (same), and Adv. Fluid Sys., Inc. v.
Huber, 28 F. Supp. 3d 306, 329 (M.D. Pa. 2014) (same) with Chubb Ina Hldgs. Inc. v.
Chang, 2017 WL 499682, at *6–7 (D.N.J. Feb. 7, 2017) (denying dismissal of CFAA
claims and citing Citrin favorably) and Spinello Cos. v. Silva, 2014 WL 4896530, at *3–4
(D.N.J. Sept. 30, 2014) (same).
62
Jimenez v. Quarterman, 555 U.S. 113, 118 (2009) (“As with any question of statutory
interpretation, our analysis begins with the plain language of the statute.”); Zhurbin v. State,
104 A.3d 108, 110 (Del. 2014) (“Our analysis of the parties’ arguments begins with
the plain language of the statute[.]”).
20
analysis ends.63 If the plain language is susceptible to multiple meanings, the Court
ascertains the meaning of the statute by reviewing the statute’s purpose and
legislative history. 64 When a statute has both civil and criminal applications, the
rule of lenity applies. 65 That rule requires this Court to construe criminal statutes
strictly to avoid interpretations not “clearly warranted by the text.”66 The concept
behind it is that the legislature should not decree punishment without making clear
what conduct incurs that punishment. 67
63
See Nat’l Ass’n of Mfrs. v. Dep’t of Def., 138 S. Ct. 617, 631 (2018); see also BedRoc
Ltd., LLC v. United States, 541 U.S. 176, 183 (2004) (plurality opinion) (“The preeminent
canon of statutory interpretation requires us to presume that the legislature says in a statute
what it means and means in a statute what it says there. Thus, our inquiry begins with the
statutory text, and ends there as well if the text is unambiguous.” (internal quotation marks,
alteration, and citation omitted)); Zhurbin, 104 A.3d at 110 (“Where a statute contains
unambiguous language that clearly reflects the intent of the legislature, then the language
of the statute controls.” (citing Hoover v. State, 958 A.2d 816, 820 (Del. 2008))); Bd. of
Adjustment of Sussex Cty. v. Verleysen, 36 A.3d 326, 331 (Del. 2012) (“[W]hen a statute
is clear and unambiguous there is no need for statutory interpretation.” (citing State v.
Skinner, 632 A.2d 82, 85 (Del. 1993))).
64
Parker v. NutriSys., Inc., 620 F.3d 274, 277 (3d Cir. 2010); Clark v. State, 184 A.3d
1292 (Del. 2018) (TABLE) (“When a statute is ambiguous, a court may refer to the
legislative history to interpret the statute.” (citing Arnold v. Soc’y for Sav. Bancorp, Inc.,
650 A.2d 1270, 1287 (Del. 1994))).
65
U.S. v. Thompson/Ctr. Arms Co., 504 U.S. 505, 518 n.10 (1992) (observing that the rule
of lenity applies to statutes having both criminal and civil applications, even where the
application at issue is civil in nature); Miller, 687 F.3d at 203–04 (applying rule of lenity
in interpreting the CFAA); Dixon v. State, 673 A.2d 1220, 1225 n.3 (Del. 1996) (analyzing
the “general rule” that “ambiguous penal statutes should be strictly construed against the
State”).
66
Crandon v. United States, 494 U.S. 152, 160 (1990).
67
Russello v. United States, 464 U.S. 16, 29 (1983) (“The rule of lenity, which this Court
has recognized in certain situations of statutory ambiguity . . . has no application here. That
rule comes into operation at the end of the process of construing what Congress has
21
Turning to the plain language of the statute, the CFAA distinguishes between
“without authorization” and “exceeds authorized access.”68 The former is not
defined by the statute; the latter is defined as “access to a computer with
authorization and to use such access to obtain or alter information in the computer
that the accesser is not entitled so to obtain or alter.”69 The concepts are closely
related; their distinction is “paper thin.” 70 The concepts hinge on the words “access”
and “authorization.” Because the CFAA does not define those terms specifically,
the terms must be interpreted in accordance with their “ordinary, contemporary,
common meaning.”71
expressed, not at the beginning as an overriding consideration of being lenient to wrong-
doers. . . . Here, the language of the RICO forfeiture provision is clear, and the rule of
lenity does not come into play.” (internal quotation marks and citations omitted)); see also
Moskal v. United States, 498 U.S. 103, 107 (1990) (“We have repeatedly emphasized that
the touchstone of the rule of lenity is statutory ambiguity.” (citation and internal quotation
marks omitted)); United States v. Bass, 404 U.S. 336, 348 (1971) (suggesting that the rule
of lenity derives from constitutional requirements of fair notice and separation of powers:
“[B]ecause of the seriousness of criminal penalties, and because criminal punishment
usually represents the moral condemnation of the community, legislatures and not courts
should define criminal activity.”).
68
18 U.S.C. § 1030(a).
69
18 U.S.C. § 1030(e)(6).
70
Citrin, 440 F.3d at 420 (citation omitted). In Citrin, the Court explained that an employee
exceeded authorized ac6cess to a public website by using his programming knowledge to
obtain confidential information from the public portal. Id.
71
Perrin v. United States, 444 U.S. 37, 42 (1979); French v. State, 38 A.3d 289, 291 (Del.
2012) (“[I]f the words [of the statute] are not defined, they are given their commonly
understood, plain meaning.” (citing Dickerson v. State, 975 A.2d 791, 798 (Del. 2009))).
22
Dictionary definitions define “authorizing” as granting permission, 72 and
“accessing” as “to obtain or acquire” or “to gain admission to.”73 Putting the
definitions together, an employee “accesses a computer ‘without authorization’
when he gains admission to a computer without approval.” 74 An employee
72
Authorization, Black’s Law Dictionary (10th ed. 2014) (“Official permission to do
something; sanction or warrant.”); QVC, Inc. v. Resultly, LLC, 159 F. Supp. 3d 576, 595
(E.D. Pa. 2016) (“The Oxford English Dictionary defines ‘Authorization’ as ‘the action of
authorizing a person or thing’ or ‘formal permission or approval.’ The term, ‘to authorize,’
in turn, ordinarily means ‘to give official permission for or formal approval to (an action,
undertaking, etc.).’ Therefore, based on the ordinary meaning of the word, to act ‘without
authorization’ is to act without formal permission or approval.” (citations omitted)); Valle,
807 F.3d at 524 (“The dictionary defines ‘authorization’ as ‘permission or power granted
by authority.’ Thus, common usage of ‘authorization’ suggests that one ‘accesses a
computer without authorization’ if he accesses a computer without permission to do so at
all.” (quoting Random House Unabridged Dictionary 139 (2001))); Pulte Homes, Inc. v.
Laborers’ Int’l Union of N. Am., 648 F.3d 295, 303–04 (6th Cir. 2011) (“The plain meaning
of ‘authorization’ is ‘[t]he conferment of legality; . . . sanction.’” (quoting 1 Oxford
English Dictionary 798 (2d ed. 1989)); United States v. Aleynikov, 737 F. Supp. 2d 173,
191–92 (S.D.N.Y. 2010) (“‘Authorization’ is generally defined as the ‘act of authorizing’
or ‘permission or power granted by an authority.’ . . . Based on the ordinary meaning of
‘authorization,’ then, a person who ‘accesses a computer without authorization’ does so
without any permission at all. By contrast, a person who ‘exceeds authorized access’ has
permission to access the computer, but not the particular information on the computer that
is at issue.” (quoting The Random House Dictionary of the English Language 100
(Unabridged ed. 1970))).
73
Access, Black’s Law Dictionary (10th ed. 2014) (“A right, opportunity, or ability to enter,
approach, pass to and from, or communicate with.”); Miller, 687 F.3d at 204 (“Thus, we
note at the outset that ‘access’ means ‘[t]o obtain, acquire,’ or ‘[t]o gain admission to.’”
(quoting Oxford English Dictionary (3d ed. 2011))); Synthes, Inc. v. Emerge Med., Inc.,
2012 WL 4205476, at *17 (E.D. Pa. Sept. 19, 2012) (“[O]ther courts have used the common
meaning of the word ‘access’ and defined it as ‘gaining admission to.’” (citing Miller, 687
F.3d at 204)); Sw. Airlines Co. v. BoardFirst, LLC, 2007 WL 4823761, at *12 (N.D. Tex.
Sept. 12, 2007) (using the “dictionary definition” of “access” as “mean[ing] ‘to get at’ or
‘gain access to’” (quoting Merriam-Webster’s Collegiate Dictionary 6 (10th ed. 1998))).
74
Miller, 687 F.3d at 204 (citing Brekka, 581 F.3d at 1133).
23
“‘exceeds authorized access’ when he has approval to access a computer, but uses
his access to obtain or alter information that falls outside the bounds of his approved
access.”75 Under these definitions, an employee does not exceed authorized access
by misusing the information the employee had a right to access. This definition
accords with the narrow interpretation.
Although dictionary definitions favor the narrow interpretation, the federal
split suggests that the CFAA’s plain language is susceptible to multiple meanings.76
This decision therefore reviews the CFAA’s purpose and legislative history.
Turning to a review of statutory purpose and history, Congress adopted the
CFAA to combat computer hacking, as discussed above. In Citrin, the Seventh
Circuit speculated that this purpose targeted not just “long-distance attacks” from
outsiders without authorized access to a system, but also “inside attack[s]” by
“disgruntled programmers who decide to trash the employer’s data system on the
way out . . . .”77 To reach the disgruntled programmer, the statute must be interpreted
broadly, according to the Seventh Circuit. In Miller, however, the Fourth Circuit set
forth a compelling counterargument interpreting Congressional intent in favor of the
75
Id.
76
See, e.g., Valle, 807 F.3d at 524–25 (“If this sharp division means anything, it is that the
statute is readily susceptible to different interpretations.”).
77
Citrin, 440 F.3d at 420.
24
narrow interpretation. 78 The Court did so by positing the following example: An
employee downloads information from her work computer in violation of office
policy, for the commendable purpose of progressing on a project from home. 79
Under the Seventh Circuit’s interpretation of the CFAA, by violating the corporate
use policy, the employee “exceeded her authorized access,” implicitly terminated
her agency relationship, and exposed herself to civil and as well as criminal liability.
This is an extreme outcome that criminalizes banal moments of misuse common in
the modern work force. These “far-reaching effects” seem “unintended by
Congress.” 80 To avoid these clearly unintended consequences, a court must follow
the narrow approach.
Last, the rule of lenity tips decidedly in favor of the narrow approach. As
illustrated by the Fourth Circuit’s example, the broad interpretation of the CFAA
creates criminal liability in multiple common scenarios. The narrow interpretation
avoids that result. Given the criminal application of the CFAA, and the expansive
potential criminal liability created by the broad interpretation, “authorized access”
and “exceeds authorized access” must be narrowly construed.81
78
Miller, 687 F.3d at 206.
79
Id.
80
Id.
81
See, e.g., Valle, 807 F.3d at 528 (adopting narrow approach to avoid “‘unintentionally
turn[ing] ordinary citizens into criminals’” (citing Nosal, 676 F.3d at 863)); Miller, 687
F.3d at 204 (adopting narrow approach and observing “[w]here, as here, our analysis
25
In sum, principles of statutory interpretation weigh in favor of adopting the
narrow view of “without authorization” and “exceeds authorized access.” That
language applies only when an individual accesses a computer or information on that
involves a statute whose provisions have both civil and criminal application, our task merits
special attention because our interpretation applies uniformly in both contexts.” (citations
omitted)); Brekka, 581 F.3d at 1134 (adopting narrow approach and observing that
although the case arose in the civil context, the court’s interpretation is equally applicable
in the criminal context, and recognizing that ambiguity must be resolved in favor of lenity);
Mathey Dearman, Inc. v. H&M Pipe Beveling Mach. Co., 2018 WL 4224897, at *5 (N.D.
Okla. Sept. 5, 2018) (adopting narrow approach, citing the discussion Brekka for its
discussion of the rule of lenity); Hedgeye Risk Mgmt., LLC v. Heldman, 271 F. Supp. 3d
181, 195 (D.D.C. 2017) (adopting narrow approach, citing Valle for its discussion of the
rule of lenity); Giles Const., LLC v. Tooele Inventory Sol., Inc., 2015 WL 3755863, at *3
(D. Utah June 16, 2015) (adopting narrow approach and reasoning that “[i]n the CFAA,
Congress has not clearly criminalized the misuse of lawfully obtained computer
information. And if that conduct is not criminal under the statute, the conduct cannot
provide a basis for a civil cause of action.” (emphasis original)); Enhanced Recovery Co.,
LLC v. Frady, 2015 WL 1470852, at *8 (M.D. Fla. Mar. 31, 2015) (adopting narrow
approach “‘so that Congress will not unintentionally turn ordinary citizens into criminals.’”
(citing Nosal, 676 F.3d at 863)); JBCHldgs. NY, LLC v. Pakter, 931 F. Supp. 2d 514, 524
(S.D.N.Y. 2013) (adopting narrow approach and observing that “the broad reading of
‘exceeds authorized access’ has breathtaking implications. It would federalize, and
potentially subject to federal criminal law, quotidian abuses by employees that have
historically been the sole ambit of state employment and criminal law.” (citation omitted));
Sebrite Agency, Inc. v. Platt, 884 F. Supp. 2d 912, 918 (D. Minn. 2012) (adopting narrow
approach and observing that “the broader interpretation would . . . expose employees who
violate their employers’ computer-use restrictions to criminal liability . . .” (citations
omitted)); Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963,
at *3 (D.N.H. June 29, 2012) (adopting narrow approach and observing that “[b]asing
criminal liability on violations of private computer use policies can transform whole
categories of otherwise innocuous behavior into federal crimes simply because a computer
is involved.” (citation omitted)). See also Brand Energy & Infrastructure Servs., Inc. v.
Irex Contr. Gp., 2017 WL 1105648, at *15 (E.D. Pa. Mar. 24, 2017) (rejecting the broad
view in part based on the scope of persons who might be subject to liability, observing “the
[broad] view would subject too wide a class of individuals—such as family members of
employees—to CFAA liability . . . . This was not the intent of the CFAA.” (citations
omitted)).
26
computer without permission. The statute does not impose liability for misusing
information to which the individual had authorized access.
In adopting the narrow approach, this Court acts consistently with the current
trend. The majority of courts deciding this issue since Brekka have adopted the
narrow approach. Since 2009, district courts in the Sixth,82 Eighth,83 Tenth, 84 and
D.C. Circuits 85 have applied Defendant’s “narrow” interpretation of the Act. Within
circuits that initially adopted the broad approach, support for that view is eroding.86
82
Cranel Inc. v. Pro Image Consultants Gp., LLC, 57 F. Supp. 3d 838, 845 (S.D. Ohio
2014) (“The Court agrees with these courts that the narrow interpretation is proper under
the CFAA.”); see also Ajuba Int’l v. Saharia, 871 F. Supp. 2d 671, 687 (E.D. Mich. 2012);
ReMedPar, Inc. v. AllParts Med., LLC, 683 F. Supp. 2d 605, 613, 615 (M.D. Tenn. 2010);
Black & Decker (U.S.), Inc. v. Smith, 568 F. Supp. 2d 929, 934–35 (W.D. Tenn. 2008).
83
Sebrite, 884 F. Supp. 2d at 917–18 (“The Court continues to believe that the narrower
interpretation of the CFAA is more consistent with statutory text, legislative history, and
the rule of lenity.”).
84
Mathey Dearman, Inc. v. H&M Pipe Beveling Mach. Co., 2018 WL 4224897, *5 (N.D.
Okla. Sept. 5, 2018) (“[D]istrict courts in this Circuit uniformly apply the narrow
inquiry . . . .”); accord Tank Connc’n, LLC v. Haight, 161 F. Supp. 3d 957, 969 (D. Kan.
2016), appeal dismissed (10th Cir. July 18, 2016); Cloudpath Networks v. SecureW2 BV,
157 F. Supp. 3d 961, 983–984 (D. Colo. 2016); Cent. Bank & Tr. v. Smith, 215 F. Supp.
3d 1226, 1232–33 (D. Wyo. 2016); Giles, 2015 WL 3755863, at *3.
85
Hedgeye, 271 F. Supp. 3d at 194–95 (“Although the Court recognizes that the statutory
definition of ‘exceeds authorized access’ is not crystal clear, the Second, Fourth and Ninth
Circuits have identified the more persuasive reading of that phrase. . . . Thus, the CFAA
prohibits the authorized computer user from accessing ‘information’ that he is not
‘authorized’ to obtain or alter. The statute says nothing about the misuse of information
that the user was authorized to access.” (emphasis original)); see also Lewis-Burke Assocs.,
LLC v. Widder, 725 F. Supp. 2d 187, 193–94 (D.D.C. 2010).
86
Some district courts in the First Circuit treat the relevant appellate court language as
dicta. Advanced Micro Devices, Inc. v. Feldstein, 951 F. Supp. 2d 212, 218–19 (D. Mass.
2013) (“At the time of this order, the First Circuit has not clearly articulated its position on
this issue. Some district judges have read [EF Cultural] as an endorsement of the broader
27
Although this decision does not rest on the national trend as a basis for adopting the
narrow approach, the fact that the country appears to be moving toward a narrow
approach does provide some assurance of its wisdom.
3. Applying the narrow approach leads to partial dismissal of
the CFAA claim.
Applying the narrow approach requires denying part of Plaintiffs’ CFAA
claim.
The Complaint alleges that, before his termination, Defendant was authorized
interpretation . . . . Others have read [EF Cultural] as supporting a broad interpretation only
in dicta, and have adopted a narrower interpretation. . . . It is not clear to me that [EF
Cultural] is a plain endorsement of a broad interpretation.” (citations omitted)). Some
district courts in the Eleventh Circuit reject the relevant precedent. See, e.g., Frady, 2015
WL 1470852, at *6 (“Other courts, including the majority of district courts in this Circuit
that have considered the question, have adopted a narrower definition of ‘exceeds
authorized access.’”); Power Equip. Maint., Inc. v. AIRCO Power Servs., Inc., 953 F. Supp.
2d 1290, 1296 (S.D. Ga. 2013) (“exceeds authorized access simply means that, while an
employee’s initial access was permitted, the employee accessed information for which the
employer had not provided permission”); Bell Aerospace Servs., Inc. v. U.S. Aero Servs.,
Inc., 690 F. Supp. 2d 1267, 1272 (M.D. Ala. 2010) (finding that the broad interpretation
“ignores the plain language of the statute” and the narrow interpretation “is buoyed by the
nature of the statute itself . . . Because the seven employees who resigned had valid
permission to utilize the Bell Aerospace computers, they were acting with authorization
when they accessed the computers up until the time they each were escorted from the
facility.”); but see Aquent LLC v. Stapleton, 65 F. Supp. 3d 1339, 1346 (M.D. Fla. 2014)
(“In 2010, the Eleventh Circuit joined circuits that take a broader view, holding that when
the employer had a policy limiting an employee’s computer access to that done for business
purposes, an employee who accessed a database for an improper purpose exceeded
authorized access. . . . Accordingly, under Rodriguez [the plaintiff] sufficiently stated a
cause of action . . . .” (citation omitted)). The Eleventh Circuit has observed this trend,
noting the broad interpretation’s “lack of acceptance” and that “several of our sister circuits
have roundly criticized [broad interpretation] decisions . . . .” EarthCam, Inc. v. OxBlue
Corp., 703 Fed. Appx. 803, 808 n.2 (11th Cir. 2017).
28
to access the information at issue. Plaintiffs expressly allege that “[i]n carrying out
[his] responsibilities, Defendant had access to AlixPartners’ trade secrets and other
confidential and proprietary information.” 87 Plaintiffs describe the information
accessed on a “laptop used by Defendant during his employment,” and they describe
“thousands of his work-related files in a folder.”88 Plaintiffs describe how Defendant
“organized his files containing confidential information into subfolders entitled with
the names of sensitive matters related to AlixPartners from the time of his
employment on behalf of AlixPartners.”89 They explain that the “folders generally
contain additional subfolders relevant to the work Defendant performed for
AlixPartners.”90 These allegations reveal that Defendant was authorized to fully
access the computer’s contents. Thus, Plaintiffs’ CFAA claim relating to
Defendant’s March 8, 2017 access is dismissed.
Plaintiffs also allege that Defendant accessed his work computer and its
contents on July 28, 2017, “after AlixPartners provided Defendant notice of his
dismissal by registered letter on July 25, 2017 and after he had ceased to perform
work on behalf of AlixPartners.”91 It is reasonably conceivable that Defendant was
87
Compl. ¶ 14 (emphasis added).
88
Id. ¶ 45 (emphasis added).
89
Id. (emphasis added).
90
Id. (emphasis added).
91
Id. ¶ 51 (emphasis added).
29
not authorized to access that information after his resignation. Thus, Defendant’s
motion to dismiss Count IV as to alleged conduct that occurred after Defendant’s
departure from the Company is dismissed. 92
III. CONCLUSION
For these reasons, Defendant’s motion to dismiss Count IV is GRANTED IN
PART. The remainder of Defendant’s motion is DENIED.
IT IS SO ORDERED.
92
See Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 407–08 (E.D. Pa. 2009) (“It
also appears that after leaving the company, [a defendant] retained [the plaintiff’s]
computer for several weeks and accessed its contents, transferring some or all of them to a
[the corporate defendant’s] computer. Some of the information she transferred was
allegedly proprietary customer data. There is, at the very least, a genuine issue of material
fact as to whether she was authorized to access [the plaintiff’s] computer at this time in this
fashion, which precludes summary judgment as to the CFAA claim against her. Because
questions of fact exist regarding the nature and extent of [the individual defendants’]
authorization to alter or access the [plaintiff’s] information they allegedly accessed,
summary judgment will be denied on Plaintiffs’ CFAA claim.”).
30