Authorized Access of Proprietary Information and Impact on CFAA Claim

Employers continuously face a key employee or consultant leaving or separating from the company to join or start a competing business. In these inevitable scenarios, the loss – potential or actual – of the company's proprietary information and associated business is of utmost concern. When misappropriation does occur, companies often seek to protect themselves through claims based on versions of the Uniform Trade Secret Act, the Defend Trade Secrets Act or the Computer Fraud & Abuse Act (CFAA). A recent Middle District of Tennessee decision on a motion to dismiss takes an interesting look at the pleading requirements for claims based upon such a scenario.

In RN Entertainment, LLC v. Clement et al., 380 F. Supp.3d 711 (M.D. Ten. 2019), plaintiff, a luxury tour bus company RN Entertainment, claimed that defendants, a pair of employees, started and ran a competing tour bus company using RN Entertainment's proprietary information gathered, among other ways, from access to RN Entertainment's computer systems while they were still employed.

With respect to RN Entertainment's CFAA claim, the Court noted that any CFAA violation is predicated upon unauthorized access to computer systems or data. The Court adopted the "narrow" reading of unauthorized access, holding that accessing proprietary information that RN Entertainment otherwise gave defendants authority to access did not violate the CFAA even though defendants later improperly used that information to form and run a competing business. The Court pointed out, however that if RN Entertainment's claim was based upon defendants withholding passwords, deleting emails, or impairing RN Entertainment's access to its website or computer systems after defendants were terminated, those actions would give rise to a CFAA claim.

There continues to exist a significant split on the issue of what access "exceeds authorization" under the CFAA. In some courts, including the court in RN Entertainment, defendants may, depending on the facts, use a company's systems to improperly access or misappropriate proprietary information without CFAA liability as long as access to the systems was authorized at the time of their receipt of the data. For example, an employee uses his company issued password to access the systems and take information. Other courts have held that CFAA liability may be implicated based on unauthorized use of proprietary information, even if the defendants were originally authorized to access it. For example, even if an employee used his company issued password to access the systems, the employee's use of the systems to take information exceeded his authorization and therefore an afoul of the CFAA.

While the Court did not specifically address the line between a CFAA claim and a trade secret claim, RN Entertainment's trade secret claims were based upon the same allegations and were sufficiently pled. The case, therefore, is a helpful illustration of how CFAA and trade secret claims can be valuable in making sure that all aspects of electronic theft are covered. In addition, this opinion serves as a reminder to trade secret stakeholders to implement procedures for revoking an employee's access to computers containing proprietary information once the relationship ends. This good IP hygiene may not only serve as grounds to support a trade secret misappropriation claim but could also support a CFAA claim.