WEC Carolina Energy Solutions v. Willie Miller ( 2012 )

               Certiorari dismissed, January 2, 2013
PUBLISHED
UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT
WEC CAROLINA ENERGY SOLUTIONS            
LLC,
Plaintiff-Appellant,
v.
        No. 11-1201
WILLIE MILLER, a/k/a Mike; EMILY
KELLEY; ARC ENERGY SERVICES
INCORPORATED,
Defendants-Appellees.

Appeal from the United States District Court
for the District of South Carolina, at Rock Hill.
Cameron McGowan Currie, District Judge.
(0:10-cv-02775-CMC)
Argued: April 2, 2012
Decided: July 26, 2012
Before SHEDD and FLOYD, Circuit Judges, and
HAMILTON, Senior Circuit Judge.
Affirmed by published opinion. Judge Floyd wrote the opin-
ion, in which Judge Shedd and Senior Judge Hamilton joined.
2        WEC CAROLINA ENERGY SOLUTIONS v. MILLER
COUNSEL
ARGUED: Kirsten Elena Small, NEXSEN PRUET, LLC,
Greenville, South Carolina, for Appellant. James William
Bradford, Jr., JIM BRADFORD LAW FIRM, LLC, York,
South Carolina; Brian S. McCoy, MCCOY LAW FIRM,
LLC, Rock Hill, South Carolina, for Appellees. ON BRIEF:
Mark Gordon, Anthony J. Basinski, PIETRAGALLO GOR-
DON ALFANO BOSICK & RASPANTI, LLP, Pittsburgh,
Pennsylvania; Angus H. Macaulay, NEXSEN PRUET, LLC,
Greenville, South Carolina, for Appellant. Daniel H. Har-
shaw, BRICE LAW FIRM, LLC, York, South Carolina, for
Appellees.
OPINION
FLOYD, Circuit Judge:
In April 2010, Mike Miller resigned from his position as
Project Director for WEC Carolina Energy Solutions, Inc.
(WEC). Twenty days later, he made a presentation to a poten-
tial WEC customer on behalf of WEC’s competitor, Arc
Energy Services, Inc. (Arc). The customer ultimately chose to
do business with Arc. WEC contends that before resigning,
Miller, acting at Arc’s direction, downloaded WEC’s propri-
etary information and used it in making the presentation.
Thus, it sued Miller, his assistant Emily Kelley, and Arc for,
among other things, violating the Computer Fraud and Abuse
Act (CFAA), 

.
The district court dismissed WEC’s CFAA claim, holding
that the CFAA provides no relief for Appellees’ alleged con-
duct. We agree and therefore affirm.
WEC CAROLINA ENERGY SOLUTIONS v. MILLER                     3
I.
A.
In 1984, Congress initiated a campaign against computer
crime by passing the Counterfeit Access Device and Com-
puter Fraud and Abuse Act of 1984. Pub. L. No. 98-473, 

. Shortly thereafter, in 1986, it expanded the Act
with a revised version, the Computer Fraud and Abuse Act of
1986, Pub. L. No. 99-474, 

. Today, the CFAA
remains primarily a criminal statute designed to combat hack-
ing. A.V. ex rel. Vanderhye v. iParadigms, LLC, 

, 645 (4th Cir. 2009). Nevertheless, it permits a private
party "who suffers damage or loss by reason of a violation of
[the statute]" to bring a civil action "to obtain compensatory
damages and injunctive relief or other equitable relief." 

(g). Notably, although proof of at least one of
five additional factors is necessary to maintain a civil action,1
a violation of any of the statute’s provisions exposes the
offender to both civil and criminal liability.
Among other things, the CFAA renders liable a person who
(1) "intentionally accesses a computer without authorization
or exceeds authorized access, and thereby obtains . . . infor-
mation from any protected computer," in violation of
§ 1030(a)(2)(C); (2) "knowingly and with intent to defraud,
accesses a protected computer without authorization, or
exceeds authorized access, and by means of such conduct fur-
thers the intended fraud and obtains anything of value," in
violation of § 1030(a)(4); or (3) "intentionally accesses a pro-
tected computer without authorization, and as a result of such
conduct, recklessly causes damage[,] or . . . causes damage
and loss," in violation of § 1030(a)(5)(B)-(C). Here, WEC
1
Maintenance of a civil action requires one of the factors outlined in
§ 1030(c)(4)(A)(i)(I)-(V). Here, WEC alleges that its aggregate losses as
a result of Appellees’ conduct were "at least $5,000 in value" during a
one-year period, which satisfies § 1030(c)(4)(A)(i)(I).
4         WEC CAROLINA ENERGY SOLUTIONS v. MILLER
alleges that Miller, Kelley, and Arc violated all three of these
provisions.
B.
WEC and Arc are competitors, providing specialized weld-
ing and related services to the power generation industry.
Both companies are incorporated in South Carolina and main-
tain their principal places of business in York County, South
Carolina. Prior to April 30, 2010, WEC employed Mike Mil-
ler as a Project Director and Emily Kelley as his assistant.
Both individuals now work for Arc.
When Miller worked for WEC, the company provided him
with a laptop computer and cell phone, and authorized his
access to the company’s intranet and computer servers.
According to WEC’s complaint, "Miller had access to numer-
ous confidential and trade secret documents stored on . . .
computer servers, including pricing terms, pending projects[,]
and the technical capabilities of WEC." To protect its confi-
dential information and trade secrets, WEC instituted policies
that prohibited using the information without authorization or
downloading it to a personal computer. These policies did not
restrict Miller’s authorization to access the information, how-
ever.
On April 30, 2010, Miller resigned from WEC. WEC
alleges that prior to resigning, Miller, at Arc’s direction, "ei-
ther by himself or by his assistant, Kelley, downloaded a sub-
stantial number of WEC’s confidential documents" and
emailed them to his personal e-mail address. WEC also
alleges that Miller and Kelley downloaded confidential infor-
mation to a personal computer. Twenty days after leaving
WEC, Miller reportedly used the downloaded information to
make a presentation on behalf of Arc to a potential WEC cus-
tomer.
The customer ultimately awarded two projects to Arc.
WEC contends that as a result of Miller’s and Kelley’s
WEC CAROLINA ENERGY SOLUTIONS v. MILLER               5
actions, it "has suffered and will continue to suffer impair-
ment to the integrity of its data, programs, systems or infor-
mation, including economic damages, and loss aggregating
substantially more than $5,000 during a one-year period."
In October 2010, WEC sued Miller, Kelley, and Arc, alleg-
ing nine state-law causes of action and a violation of the
CFAA. Regarding its CFAA claim, WEC averred that Miller
and Kelley violated the Act because "[u]nder WEC’s policies
they were not permitted to download confidential and propri-
etary information to a personal computer." Thus, by doing so,
they "breache[d] their fiduciary duties to WEC" and via that
breach, they either (1) lost all authorization to access the con-
fidential information or (2) exceeded their authorization.
WEC sought to hold Arc liable because it claimed that Miller
and Kelley undertook this conduct as Arc’s agents.
Appellees moved for dismissal pursuant to Federal Rule of
Civil Procedure 12(b)(6), and the district court held that WEC
failed to state a claim for which the CFAA provided relief:
[I]n this case, WEC’s company policies regulated
use of information not access to that information.
Thus, even if Miller and Kelley’s purpose in access-
ing the information was contrary to company poli-
cies regulating use, it would not establish a violation
of company policies relevant to access and, conse-
quently, would not support liability under the CFAA.
WEC Carolina Energy Solutions, LLC v. Miller, No. 0:10-cv-
2775-CMC, 

, at *5 (D.S.C. Feb. 3, 2011).
Thus, it dismissed the CFAA claim and declined to exercise
jurisdiction over the remaining state-law claims.2
2
WEC has since moved forward with these claims in South Carolina
state court.
6         WEC CAROLINA ENERGY SOLUTIONS v. MILLER
II.
We review de novo a district court’s dismissal pursuant to
Rule 12(b)(6), Gilbert v. Residential Funding LLC, 

, 274 (4th Cir. 2012), accepting as true all factual allega-
tions contained in the complaint, Erickson v. Pardus, 

, 94 (2007)(per curiam).
A.
WEC alleges that Appellees violated §§ 1030(a)(2)(C),
(a)(4), (a)(5)(B), and (a)(5)(C), each of which require that a
party either access a computer "without authorization" or "ex-
ceed[ ] authorized access." The district court held that Appel-
lees’ alleged conduct—the violation of policies regarding the
use and downloading of confidential information—did not
contravene any of these provisions. Accordingly, the crux of
the issue presented here is the scope of "without authoriza-
tion" and "exceeds authorized access." We particularly exam-
ine whether these terms extend to violations of policies
regarding the use of a computer or information on a computer
to which a defendant otherwise has access. Before delving
into statutory analysis, however, we briefly review the per-
spectives of our sister circuits.
In short, two schools of thought exist. The first, promul-
gated by the Seventh Circuit and advanced by WEC here,
holds that when an employee accesses a computer or informa-
tion on a computer to further interests that are adverse to his
employer, he violates his duty of loyalty, thereby terminating
his agency relationship and losing any authority he has to
access the computer or any information on it. See Int’l Airport
Ctrs., LLC v. Citrin, 

, 420-21 (7th Cir. 2006).
Thus, for example, the Seventh Circuit held that an employee
who erased crucial data on his company laptop prior to turn-
ing it in at the end of his employment violated the CFAA. 

. It reasoned that his "breach of his duty of loyalty
terminated his agency relationship . . . and with it his author-
WEC CAROLINA ENERGY SOLUTIONS v. MILLER              7
ity to access the laptop, because the only basis of his authority
had been that relationship." 

.
The second, articulated by the Ninth Circuit and followed
by the district court here, interprets "without authorization"
and "exceeds authorized access" literally and narrowly, limit-
ing the terms’ application to situations where an individual
accesses a computer or information on a computer without
permission. See United States v. Nosal, 

, 863
(9th Cir. 2012) (en banc); LVRC Holdings LLC v. Brekka, 

, 1134-35 (9th Cir. 2009). Thus, in Nosal, the Ninth
Circuit, sitting en banc, held that the defendant’s co-
conspirators, a group of employees at an executive search
firm, did not violate the CFAA when they retrieved confiden-
tial information via their company user accounts and trans-
ferred it to the defendant, a competitor and former employee.
Nosal, 

. It reasoned that the CFAA fails
to provide a remedy for misappropriation of trade secrets or
violation of a use policy where authorization has not been
rescinded. 

. As we explain below, we agree with
this latter view.
B.
As with any issue of statutory interpretation, we focus on
the plain language of the statute, seeking "first and foremost
. . . to implement congressional intent." United States v.
Abdelshafi, 

, 607 (4th Cir. 2010) (quoting United
States v. Passaro, 

, 213 (4th Cir. 2009)) (internal
quotation marks omitted). Thus, "‘we give the terms [of the
statute] their ordinary, contemporary, common meaning,
absent an indication [that] Congress intended’ the statute’s
language ‘to bear some different import.’" 

 (quoting Ste-
phens ex rel. R.E. v. Astrue, 

, 137 (4th Cir.
2009)).
Where, as here, our analysis involves a statute whose provi-
sions have both civil and criminal application, our task merits
8          WEC CAROLINA ENERGY SOLUTIONS v. MILLER
special attention because our interpretation applies uniformly
in both contexts. See Leocal v. Ashcroft, 

, 11 n.8
(2004). Thus, we follow "the canon of strict construction of
criminal statutes, or rule of lenity." United States v. Lanier,

, 266 (1997). In other words, in the interest of
providing fair warning "of what the law intends to do if a cer-
tain line is passed," Babbitt v. Sweet Home Chapter of Com-
munities for a Great Or., 

, 704 n.18 (1995)
(quoting United States v. Bass, 

, 348 (1971))
(internal quotation marks omitted), we will construe this crim-
inal statute strictly and avoid interpretations not "clearly war-
ranted by the text," Crandon v. United States, 

,
160 (1990).
1.
The CFAA is concerned with the unauthorized access of
protected computers. Thus, we note at the outset that "access"
means "[t]o obtain, acquire," or "[t]o gain admission to."
Oxford English Dictionary (3d ed. 2011; online version
2012). Moreover, per the CFAA, a "computer" is a high-speed
processing device "and includes any data storage facility or
communications facility directly related to or operating in
conjunction with such device." § 1030(e)(1). A computer
becomes a "protected computer" when it "is used in or affect-
ing interstate or foreign commerce." § 1030(e)(2).3
With respect to the phrase, "without authorization," the
CFAA does not define "authorization." Nevertheless, the
Oxford English Dictionary defines "authorization" as "formal
warrant, or sanction." Oxford English Dictionary (2d ed.
1989; online version 2012). Regarding the phrase "exceeds
authorized access," the CFAA defines it as follows: "to access
a computer with authorization and to use such access to obtain
3
Neither party disputes that the computers involved in this case are
"protected computers."
WEC CAROLINA ENERGY SOLUTIONS v. MILLER             9
or alter information in the computer that the accesser is not
entitled so to obtain or alter." § 1030(e)(6).
Recognizing that the distinction between these terms is
arguably minute, see Citrin, 

, we nevertheless
conclude based on the "ordinary, contemporary, common
meaning," see Perrin v. United States, 

, 42 (1979),
of "authorization," that an employee is authorized to access a
computer when his employer approves or sanctions his admis-
sion to that computer. Thus, he accesses a computer "without
authorization" when he gains admission to a computer with-
out approval. See Brekka, 

. Similarly, we
conclude that an employee "exceeds authorized access" when
he has approval to access a computer, but uses his access to
obtain or alter information that falls outside the bounds of his
approved access. See 

 Notably, neither of these definitions
extends to the improper use of information validly accessed.
2.
WEC presses instead an ostensibly plain-language interpre-
tation articulated in the Nosal panel decision, which was sub-
sequently reversed en banc. See United States v. Nosal, 

 (9th Cir. 2011), rev’d en banc, 

 (9th
Cir. 2012). In that decision, the panel fixated on the word "so"
in the definition of "exceeds authorized access." See id. at
785. The panel declared that, in context, this conjunction
means "in a manner or way that is indicated or suggested." Id.
(quoting Webster’s Third New Int’l Dictionary 2159 (Philip
Babcock Gove ed., 2002)) (internal quotation marks omitted).
Thus, it found that an employee "exceed[s] [his] authorized
access" if he uses such access "to obtain or alter information
[on] the computer that [he] is not entitled [in that manner] to
obtain or alter." Id. at 785-86. (third alteration in original)
(quoting § 1030(e)(6)) (internal quotation marks omitted).
Armed with this interpretation, the court held that the defen-
dant’s co-conspirators "exceed[ed] their authorized access"
because although they had permission to access the propri-
10        WEC CAROLINA ENERGY SOLUTIONS v. MILLER
etary information that they transferred to the defendant, they
violated the company’s policy regarding the use and disclo-
sure of that information. See id. at 787-89. The court reasoned
that the co-conspirators’ violation of the use and disclosure
policy constituted access "in a manner" to which they were
not entitled. Thus, they violated the CFAA. See id.
As an initial manner, we believe the Nosal panel’s conclu-
sion is a non sequitur. To us, defining "so" as "in that manner"
only elucidates our earlier conclusion that "exceeds autho-
rized access" refers to obtaining or altering information
beyond the limits of the employee’s authorized access. It does
not address the use of information after access. Indeed, the
Ninth Circuit indicated as much in its en banc reversal, when
it declined to hold that the interpretation of "so" as "in that
manner" necessarily means employees can be liable for use-
policy violations. See 

. Instead, the court
offered hypotheticals illustrating how the panel’s interpreta-
tion of "so" referred to the means of obtaining information,
not the use of information. See 

 For example, if an
employee who has access to view information, but not to
download it, disregards company policy by "cop[ying] the
information to a thumb drive and walk[ing] out of the build-
ing with it," he obtains information "in a manner" that lacks
authorization. 

. Similarly, if an employee has com-
plete access to information with his own username and pass-
word, but accesses information using another employee’s
username and password, he also obtains information "in a
manner" that is not authorized. 

 In contrast, however,
where such an employee uses his own username and pass-
word to access the information and then puts it to an imper-
missible use, his "manner" of access remains valid. Thus, in
the Ninth Circuit’s view, and ours, interpreting "so" as "in that
manner" fails to mandate CFAA liability for the improper use
of information that is accessed with authorization.
Nevertheless, because WEC alleges that Miller and Kelley
obtained information by downloading it to a personal com-
WEC CAROLINA ENERGY SOLUTIONS v. MILLER              11
puter in violation of company policy, we go a step further.
Although we believe that interpreting "so" as "in that manner"
fails to subject an employee to liability for violating a use pol-
icy, we nonetheless decline to adopt the Nosal panel’s inter-
pretation of the conjunction. The interpretation is certainly
plausible, but it is not "clearly warranted by the text." Cran-
don, 

. Indeed, Congress may have intended
"so" to mean "in that manner," but it "could just as well have
included ‘so’ as a connector or for emphasis." Nosal, 

. Thus, faced with the option of two interpretations, we
yield to the rule of lenity and choose the more obliging route.
"[W]hen [a] choice has to be made between two readings of
what conduct Congress has made a crime, it is appropriate,
before we choose the harsher alternative, to require that Con-
gress should have spoken in language that is clear and defi-
nite." United States v. Universal C. I. T. Credit Corp., 

, 221-22 (1952); see also Nosal, 

.
Here, Congress has not clearly criminalized obtaining or alter-
ing information "in a manner" that is not authorized. Rather,
it has simply criminalized obtaining or altering information
that an individual lacked authorization to obtain or alter.
And lest we appear to be needlessly splitting hairs, we
maintain that the Nosal panel’s interpretation would indeed be
a harsher approach. For example, such an interpretation would
impute liability to an employee who with commendable inten-
tions disregards his employer’s policy against downloading
information to a personal computer so that he can work at
home and make headway in meeting his employer’s goals.
Such an employee has authorization to obtain and alter the
information that he downloaded. Moreover, he has no intent
to defraud his employer. But under the Nosal panel’s
approach, because he obtained information "in a manner" that
was not authorized (i.e., by downloading it to a personal com-
puter), he nevertheless would be liable under the CFAA. See
§ 1030(a)(2)(C). Believing that Congress did not clearly
intend to criminalize such behavior, we decline to interpret
"so" as "in that manner."
12        WEC CAROLINA ENERGY SOLUTIONS v. MILLER
In so doing, we adopt a narrow reading of the terms "with-
out authorization" and "exceeds authorized access" and hold
that they apply only when an individual accesses a computer
without permission or obtains or alters information on a com-
puter beyond that which he is authorized to access.
3.
In adopting these definitions, we reject any interpretation
that grounds CFAA liability on a cessation-of-agency theory.
The deficiency of a rule that revokes authorization when an
employee uses his access for a purpose contrary to the
employer’s interests is apparent: Such a rule would mean that
any employee who checked the latest Facebook posting or
sporting event scores in contravention of his employer’s use
policy would be subject to the instantaneous cessation of his
agency and, as a result, would be left without any authoriza-
tion to access his employer’s computer systems. We recog-
nize that the Seventh Circuit applied its reasoning to
egregious behavior that clearly violated the duty of loyalty.
See Citrin, 

. Nevertheless, we believe that the
theory has far-reaching effects unintended by Congress. See
Nosal, 

 (noting that the Seventh Circuit
"looked only at the culpable behavior of the defendant[ ]
before [it], and failed to consider the effect on millions of
ordinary citizens caused by the statute’s unitary definition of
‘exceeds authorized access’"); cf. Restatement (Third) of
Agency § 8.01 (2012) ("An agent has a fiduciary duty to act
loyally for the principal’s benefit in all matters connected
with the agency relationship."). Although an employer might
choose to rescind an employee’s authorization for violating a
use policy, we do not think Congress intended an immediate
end to the agency relationship and, moreover, the imposition
of criminal penalties for such a frolic.
III.
WEC founds its CFAA claim on Miller’s and Kelley’s vio-
lations of its policies "prohibiting the use of any confidential
WEC CAROLINA ENERGY SOLUTIONS v. MILLER                      13
information and trade secrets unless authorized" and prohibit-
ing the "download[ing] [of] confidential and proprietary infor-
mation to a personal computer." Notably, however, WEC fails
to allege that Miller and Kelley accessed a computer or infor-
mation on a computer without authorization. Indeed, WEC’s
complaint belies such a conclusion because it states that Mil-
ler "had access to WEC’s intranet and computer servers" and
"to numerous confidential and trade secret documents stored
on these computer servers, including pricing, terms, pending
projects[,] and the technical capabilities of WEC." Thus, we
agree with the district court that although Miller and Kelley
may have misappropriated information, they did not access a
computer without authorization or exceed their authorized
access. See 

(a)(2)(C), (a)(4), (a)(5)(B)-(C).
Moreover, because Miller’s and Kelley’s conduct failed to
violate the CFAA, Arc cannot be liable under the statute for
any role that it played in encouraging such conduct. Accord-
ingly, we hold that WEC failed to state a claim for which the
CFAA can grant relief, see Fed. R. Civ. P. 12(b)(6), and we
affirm the district court’s dismissal of the claim.
IV.
Our conclusion here likely will disappoint employers hop-
ing for a means to rein in rogue employees. But we are
unwilling to contravene Congress’s intent by transforming a
statute meant to target hackers into a vehicle for imputing lia-
bility to workers who access computers or information in bad
faith, or who disregard a use policy. See Nosal, 

. ("We construe criminal statutes narrowly so that Con-
gress will not unintentionally turn ordinary citizens into crimi-
nals."). Providing such recourse not only is unnecessary,
given that other legal remedies exist for these grievances,4 but
4
As evidenced by WEC’s complaint, nine other state-law causes of
action potentially provide relief, including conversion, tortious interfer-
ence with contractual relations, civil conspiracy, and misappropriation of
trade secrets.
14       WEC CAROLINA ENERGY SOLUTIONS v. MILLER
also is violative of the Supreme Court’s counsel to construe
criminal statutes strictly. Lanier, 

. Thus, we
reject an interpretation of the CFAA that imposes liability on
employees who violate a use policy, choosing instead to limit
such liability to individuals who access computers without
authorization or who obtain or alter information beyond the
bounds of their authorized access.
AFFIRMED