Chancery Court Interprets the Computer Fraud and Abuse Act
By: Scott E. Waxman and Stephanie S. Liu
In AlixPartners, LLP v. Benichou, (C.A. No. 2018-0600-KSJM (Del. Ch. May 10, 2019)), the Court of Chancery decided, as a matter of first impression, that the federal Computer Fraud and Abuse Act (“CFAA”) narrowly provides a cause of action in Delaware for unauthorized computer access or unauthorized access to information; it does not cover incidents involving misuse of information that was obtained through authorized access.
Plaintiffs are AlixPartners, LLP, a corporate restructuring advisory firm, and AlixPartners Holdings, LLP, its parent holding company. Both entities, organized as Delaware limited liability partnerships, work with multinational clients in a range of industries. Defendant David Benichou was an employee and partner with the firm.
Defendant worked for Plaintiffs for 11 years, with the last four years as a Managing Director in Plaintiffs’ office in Paris. Defendant was responsible for business development, recruitment, and developing intellectual property for the firm. In the course of his employment, Defendant had access to Plaintiffs’ confidential and proprietary information and was subject to policies limiting use of that data. Specifically, when Defendant became a Partner, he signed as a party to Plaintiffs’ LLP agreement, which includes confidentiality requirements protecting non-public information. Plaintiffs also have a written employee data policy that set forth the terms for acceptable use of its data, networks, systems, devices, and applications.
While Defendant was employed with Plaintiffs, he kept thousands of confidential files on the local disk drive of his work-issued computer. These were all files he had authorized access to in the course of his position with the firm, and such files included reports, revenue assessments, and other strategic documents. In early 2017, two months before Defendant resigned from his position at the firm, Defendant allegedly transferred the confidential files on his work-issued computer drive to his own personal external drive. He continued working at the firm for another two months until he resigned from his position with Plaintiffs.
The complaint alleged that three days after Defendant was dismissed from his duties, he again connected the same personal external drive to his work issued computer. The complaint alleged that Defendant copied folders containing hundreds of files from the computer’s drive onto his personal external drive. Defendant never informed Plaintiffs that he transferred confidential documents to his personal drive, and, after he left the firm, he did not return any of the confidential information that was copied to the drive.
A few months after leaving the firm, Defendant began working for a corporate restructuring group that directly competes with Plaintiffs. Plaintiffs believed that Defendant shared confidential information with the new employer while he was still employed with Plaintiffs, and that he took confidential information when he left in order to use it for the benefit of his new employer.
As a result, Plaintiffs brought a suit against Defendant asserting four causes of action: Count I alleged breach of the confidentiality provisions of the LLP Agreement; Count II alleged breach of Delaware’s Uniform Trade Secrets Act (“DUTSA”); Count III alleged common law conversion; and Count IV alleged violation of § 1030(a)(2)(C) of the CFAA. Defendant moved to dismiss Counts II through IV.
Defendant argued that Count II, violation of DUTSA, should be dismissed because the complaint failed to plead a DUTSA claim, or in the alternative, because DUTSA does not apply extraterritorially to conduct alleged to have occurred solely in France. The Court found that Plaintiffs did adequately allege the elements of a trade secrets claim, which requires allegations sufficient to show (1) the existence of a trade secret; (2) which the plaintiff communicated to the defendant; (3) under an express or implied understanding that the defendant would respect the secrecy of the matter; and that (4) the defendant used or disclosed the information in breach of that understanding to the injury of the plaintiff. The Court also stated that Defendant’s extraterritoriality argument was not appropriately addressed at the pleadings stage.
Defendant argued that Count III, common law conversion, is preempted by DUTSA. The Court denied Defendant’s motion to dismiss Count III, providing that the conversion claim hinges on issues that are inappropriate to decide on a motion to dismiss. Whether Plaintiffs’ trade secret claims preempt the conversion claim would depend on what law applies, which the Court states is not a pleadings-stage issue.
Count IV alleged that Defendant violated the CFAA by “exceeding authorized access” when he misappropriated information that was stored on his work-issued computer. Defendant’s motion to dismiss Count IV focused on the meaning of “without authorization” and “exceeds authorized access.” Defendant argued that the CFAA provides a narrow cause of action under which Plaintiffs can hold Defendant liable for unauthorized access of protected computers. Defendant argued that the CFAA does not protect against misuse of information by a person otherwise authorized to access the information at issue. Plaintiffs argued that the CFAA creates liability for misusing information obtained through authorized access to a protected computer. The Court considered whether the scope of the CFAA includes the misuse of information that is gained through authorized access. This issue was a matter of first impression in Delaware, with the Court noting that there is a circuit split across the U.S., with some courts taking a broader approach that encompasses misuse of information, and other courts adopting a more narrow interpretation of the law. The Court considered principles of statutory interpretation to determine the meaning of the relevant terms “accesses a computer without authorization” and “exceeds authorized access” in the CFAA. The Court reasoned that the ordinary, contemporary meaning of those terms would only include situations where someone gained unauthorized access to a computer, or exceeded the scope of their access to obtain information to which they were not authorized. As such, the CFAA would not include claims where someone misused information that they were otherwise authorized to access.
Applying the rule to this case, the Court partially granted Defendant’s summary judgment motion as to the CFAA claim for the information he copied while he was employed at the firm. However, the Court denied Defendant’s motion regarding the second act of data copying that occurred three days after he was dismissed. The Court found that it was reasonably conceivable that Defendant was not authorized to access that information since he had notice of his dismissal and at that point had ceased to perform work for the Plaintiffs.