LVRC Holdings LLC V. Brekka
   HOME

TheInfoList



OR:

''LVRC Holdings v. Brekka'' 581 F.3d 1127, 1135 (9th Cir. 2009) is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 (9th Cir.2012) (en banc) and are the current law in this circuit. This case is noteworthy because the court differentiated itself from the Seventh's Circuit interpretation of "authorization" by assessing whether the employer made the computer system available to the employee during the employee's access, instead of examining the subjective intent the employee had when accessing the system. Since this decision limited the scope of when an employee could access a computer "without authorization" than the
Seventh Circuit The United States Court of Appeals for the Seventh Circuit (in case citations, 7th Cir.) is the U.S. federal court with appellate jurisdiction over the courts in the following districts: * Central District of Illinois * Northern District of Ill ...
did in a similar case, this case defined a circuit split of authority on the scope of the term "authorization." This issue could be settled by the
Supreme Court A supreme court is the highest court within the hierarchy of courts in most legal jurisdictions. Other descriptions for such courts include court of last resort, apex court, and high (or final) court of appeal. Broadly speaking, the decisions of ...
in the future. Van Buren v. United States is a pending United States Supreme Court case dealing with the Computer Fraud and Abuse Act and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access.


Factual background

LVRC Holdings, LLC (LVRC) operated an addiction treatment center in Nevada. In April 2003, LVRC hired Christopher Brekka. Part of his duties included interacting with LVRC's email provider (Load, Inc.) and conducting Internet marketing programs. When Brekka was hired, he owned and operated EBSN and EBSF, two consulting businesses that provided referrals of potential patients to rehabilitation facilities. LVRC's owner was aware of Brekka's businesses. During his time at LVRC, Brekka commuted between his home state, Florida, and Nevada, where LVRC and his first business were located. His second business is based in Florida. Brekka was assigned a computer at LVRC headquarters. Because of this frequent commute between Florida and Nevada, he emailed documents he obtained or created for his work at LVRC to his own personal computer. LVRC and Brekka had no written employment agreement. LVRC had no internal policy which would prohibit the transfer of LVRC documents to personal computers. In June 2003, he emailed the administrative password for the LVRC's email system to his personal account. In August 2003, Brekka and LVRC began discussions regarding the possibilities of Brekka investing in an ownership interest in LVRC. At the end of the month, Brekka emailed to his wife and himself a number of documents including a financial statement for the company, LVRC's marketing budget, and admission reports for patients. On September 4, 2003, he emailed a master admission report containing the names of all the past and current patients at LVRC. The negotiation regarding Brekka's investment in LVRC broke down mid-September 2003. He stopped working for LVRC and left his LVRC computer at the company as is, without deleting any emails. In November 2004, LVRC noticed that someone was accessing its website using Brekka's login. LVRC then sued Brekka in federal court, alleging that he violated the Computer Fraud and Abuse Act (CFAA) when he emailed LVRC's documents to himself.


Court proceedings


District court

In its complaint, LVRC claimed that Brekka violated the Computer Fraud and Abuse Act (CFAA), which punishes intentional access, without authorization, to a computer to obtain information, violating 18 U.S.C. §§ 1030(a)(2) and (a)(4). To prevail, LVRC had to show that Brekka acted without authorization or exceed its authorization. The federal district court held that Brekka had authorization when he accessed LVRC's computer to transfer documents, and that there was no evidence that Brekka agreed to keep LVRC documents confidential or to return or destroy them. Finally, the district court concluded that LVRC was unable to provide evidence that Brekka logged into the LVRC website after Brekka's contract was terminated. The Nevada district court granted summary judgment in favor of Brekka; LVRC contested both rulings in its appeal.


Court of appeals

LVRC argued that Brekka lost authorization to access the computer when he transferred documents to his personal computer to further his own interests rather than the company's. However, The
Ninth Circuit The United States Court of Appeals for the Ninth Circuit (in case citations, 9th Cir.) is the U.S. federal court of appeals that has appellate jurisdiction over the U.S. district courts in the following federal judicial districts: * District o ...
found that this interpretation of "authorization" under the Computer Fraud and Abuse Act would not give defendants sufficient "notice as to which acts are criminal." "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA. It would be improper to interpret a criminal statute in such an unexpected manner." The Court differentiated itself from the
Seventh Circuit The United States Court of Appeals for the Seventh Circuit (in case citations, 7th Cir.) is the U.S. federal court with appellate jurisdiction over the courts in the following districts: * Central District of Illinois * Northern District of Ill ...
in ''
International Airport Centers, L.L.C. v. Citrin In ''International Airport Centers, L.L.C. v. Citrin'', the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer ...
''. In ''Citrin'', the Court used agency principles to find that the employee violated his duty of loyalty to his employer when he set out to start a competing firm and accessed the company computer to further that interest, erasing data on his employer's computer. The Seventh Circuit found that Citrin's "breach of the duty of loyalty to his employer terminated the employee's agency relationship and with it his authority to access the laptop, because the only basis of his authority had been that relationship." See ''Brekka'' citing ''Citrin''. However, The Ninth Circuit applied the rule of lenity to the term "authorization" and found that the Seventh's Circuit interpretation could criminalize a large swath of the population by looking to the subjective intent of the employee or the subsequent use of the information accessed. Instead, the Brekka Court held that "a person uses a computer 'without authorization' under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." Since ''Brekka'', courts in the Ninth Circuit have generally foreclosed an employer's Computer Fraud and Abuse Act claim against former employees, unless the employees' access was conducted post-termination.


Consequences

The Ninth Circuit's interpretation of "authorization" is significantly narrower than the Seventh Circuit's. Given the split between the two high courts, it is likely that the
Supreme Court A supreme court is the highest court within the hierarchy of courts in most legal jurisdictions. Other descriptions for such courts include court of last resort, apex court, and high (or final) court of appeal. Broadly speaking, the decisions of ...
will eventually address the issue. While the most significant consequence of Brekka was narrowing the scope of "without authorization" to exclude breaches of loyalty, the ''Brekka'' court opened a murky area of liability in the post-employment context. The court held that "a person uses a computer 'without authorization' ... when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." This has led several courts to find that anyone can access a computer without authorization after employment, even if the employer has not technologically revoked the employee's access credentials.


See also

* Computer Fraud and Abuse Act * ''
United States v. Lori Drew ''United States v. Drew'', 259 F.R.D. 449 (C.D. Cal. 2009), was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-y ...
'' * ''
United States v. Nosal ''United States v. Nosal'', 676 F.3d 854 (9th Cir. 2012) was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The ...
'' * ''
International Airport Centers, L.L.C. v. Citrin In ''International Airport Centers, L.L.C. v. Citrin'', the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer ...
''


References

{{Reflist, refs= {{Cite court , litigants= NetApp, Inc. v. Nimble Storage, Inc. , vol= 41 , reporter= F. Supp. 3d , opinion=816, , date= 2014 U.S. Dist. LEXIS 65818, 2014 WL 1903639 (N.D. Cal. May 12, 2014), url=http://www.cfaainstitute.org/order-granting-motion-to-dismiss-netapp-inc-v-nimble-storage-inc-may-12-2014/ {{Cite court , litigants=LVRC Holdings, LLC, v. Brekka, ''No. 2:05-CV-01026''-KJD-GWF, 2007 U.S. Dist. LEXIS 73662, 2007 WL 2891565 (D. Nev. Sept. 28, 2007) , url=http://www.cfaainstitute.org/order-on-motion-for-summary-judgment-lvrc-holdings-llc-v-christopher-brekka-september-28-2007/ {{Cite court , litigants=International Airport Centers, L.L.C. v. Citrin , vol=440 , reporter=F.3d , opinion=418 , date=2006 , url=http://openjurist.org/440/f3d/418/international-airport-centers-llc-v-citrin {{Cite court , litigants=LVRC Holdings v. Brekka , vol=581 , reporter=F.3d , opinion=1127 , date=2009 , url= http://www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf {{Cite web, title =The Seventh And Ninth Circuits Split On What Constitutes "Without Authorization" Within The Meaning Of The Computer Fraud And Abuse Act , last= Campbell , first=Dale C. , last2=Muradyan , first2=David, publisher = The IP Law Blog, url= http://www.theiplawblog.com/archives/-webtech-the-seventh-and-ninth-circuits-split-on-what-constitutes-without-authorization-within-the-meaning-of-the-computer-fraud-and-abuse-act.html , accessdate= February 9, 2011 , date=January 27, 2010 {{Cite journal , last1=Brenton , first1=Kyle W. , title= Trade Secret Law and The Computer Fraud and Abuse Act: Two Problems and Two Solutions , journal=University of Illinois Journal of Law, Technology & Policy , volume=2009 , issue=2 , date = Fall 2009,


External links


LVRC's website
United States Court of Appeals for the Ninth Circuit cases United States Internet case law