LVRC Holdings LLC v. Brekka - 581 F.3d 1127 (9th Cir. 2009)

Rule:

In interpreting the phrase "without authorization" in the Computer Fraud and Abuse Act (CFAA), 18 U.S.C.S. § 1030, courts start with the plain language of the statute. The CFAA does not define "authorization," and it is a fundamental canon of statutory construction. that, unless otherwise defined, words will be interpreted as taking their ordinary, contemporary, common meaning. Authorization is defined in the dictionary as permission or power granted by an authority. Based on that definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it.

Facts:

In 2003, LVRC Holdings, LLC (LVRC) hired appellee Christopher Brekka to oversee a number of aspects of the facility. Part of his duties included conducting internet marketing programs and interacting with LOAD, Inc., the company retained by LVRC to provide email, website, and related services for the facility. At the time Brekka was hired, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of internet sites and advertisements. Stuart Smith, the owner and operator of LVRC, was aware of Brekka's businesses. In June 2003, Brekka sent an email to LOAD's administrator, Nick Jones, requesting an administrative log-in for LVRC’s website. Jones sent an email with the administrative user name, "cbrekka@fountainridge.com," and password, "cbrekka," to Brekka's work email, which Brekka downloaded onto his LVRC computer. By using the administrative log-in, Brekka gained access to information about LVRC's website, including the usage statistics gathered by LOAD. At the end of August 2003, Brekka emailed a number of LVRC documents to his personal email account and his wife’s personal email account. In mid-September 2003, Brekka ceased working for LVRC. Brekka left his LVRC computer at the company and did not delete any emails from the computer, so the June 2003 email from Nick Jones, which included the administrative user name and password, remained on his computer. On November 19, 2004, while performing routine monitoring of the LOAD website, Jones noticed that someone was logged into the LVRC website using the user name "cbrekka@fountainridge.com" and was accessing LVRC's LOAD statistics. Subsequently, LVRC filed a report with the FBI, alleging that Brekka had unlawfully logged into LVRC's website. LVRC then brought an action in federal court, alleging that Brekka violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, when he emailed LVRC documents to himself in September 2003 and when he continued to access the LOAD website after he left LVRC. The district court granted summary judgment in favor of Brekka. LVRC appealed. 

Issue:

Did Brekka use LVRC’s computer “without authorization,” thereby giving rise to a claim under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030? 

Answer:

No.

Conclusion:

The appellate court noted that under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2) and (4), a person used a computer "without authorization" when the person had not received permission to use the computer for any purpose, such as when a hacker accessed someone's computer without any permission, or when the employer had rescinded permission to access the computer and the defendant used the computer anyway. Based on that interpretation of the Computer Fraud and Abuse Act, 18 U.S.C.S. § 1030, the appellate court had to consider whether Brekka acted "without authorization" when he e-mailed the LLC's documents from his work computer to himself and to his wife. There was no dispute that Brekka was given permission to use the LLC's computer and that he accessed documents to which he was entitled by virtue of his employment with the LLC. Because Brekka had authorization to use the LLC's computer, he did not access a computer "without authorization." Therefore, the district court did not err in holding that the LLC failed to raise a genuine issue of material fact with respect to its claim that Brekka violated 18 U.S.C.S. §§ 1030(a)(2) and (4) while he was still employed by the LLC.