Delaware Court of Chancery Weighs-In on CFAA

In AlixPartners, LLP and AlixPartners Holdings, LLP v. David Benichou, C.A. No. 2018-0600-KSJM, the Court of Chancery was tasked with interpreting the Computer Fraud and Abuse Act (CFAA) absent direct federal authority on the issue.

Image result for computer fraud and abuse act

Federal courts are divided on the proper interpretation between a broad approach and a narrow approach. The relevant section of the CFAA renders a person liable who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains…information from any protected computer.”[1] The crux of the disagreement centers on the interpretation of the terms “without authorization” and “exceeds authorized access”.

The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad approach which establishes liability where an employee’s use violates an obligation related to computer access. While these Circuits agree on the correct approach, the rationales diverge. The First Circuit held that an employee was exceeding his or her authorized access if that use was in violation of an access-related agreement. In contrast, the Seventh Circuit reasoned that an employee using information in a manner adverse to his employer is violating his loyalty duties, thereby effectively terminating the agency relationship and removing authority to access the information.

 The narrow approach adopted by the Second, Fourth, and Ninth Circuits interprets these provisions to establish liability only where there is unauthorized access of protected computers. The lead rationale for this interpretation is the potentially “far-reaching effects” conceivable under the broad approach, such as imposing liability on an employee who violates company policy by downloading information from her work computer to work at home.

In AlixPartners, the Court of Chancery chose to adopt the narrow approach. This decision was made in consideration of the plain language of the statute, its legislative intent, and the rule of lenity. The Court’s interpretation would impose liability only when an individual accesses a computer or information on that computer without permission. This interpretation would not impose liability for misuse of information to which the individual had authorized access. 

The case at hand that advanced this question involves a former partner of AlixPartners, David Benichou, who allegedly transferred documents from his work computer to a personal external hard drive on two separate occasions. The first instance alleged occurred prior to Benichou’s dismissal from AlixPartners and the second instance after. Applying the newly adopted approach, the Court of Chancery held that the data transfer while Benichou was still employed with AlixPartners did not support a claim under the CFAA as he had authorized access at the time. However, Benichou’s authorization was terminated upon his dismissal and therefore AlixPartners was able to assert a claim under the CFAA for the later data transfer.

Read the full opinion here.

Kaitlin McCaffrey

[1] 18 U.S.C. § 1030(a)(2)(C)

This entry was posted in Delaware Court of Chancery, Delaware District Court and tagged , , , , . Bookmark the permalink.

Leave a Reply