U.S. Appeals Court for Ninth Circuit.

Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they’re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for addicted persons in Nevada could not be prosecuted under the federal Computer Fraud and Abuse Act (CFAA) for emailing himself client files for use in a competing business after his employment was terminated from the center.

The case, LVRC Holdings v. Brekka, involves Christopher Brekka, who was hired by LVRC and worked at its Fountain Ridge facility in Nevada. Brekka’s duties included conducting Internet marketing programs and interacting with Web metrics company, LOAD, which LVRC employed to provide email, Web site, and related services for the treatment center. At the time of his hiring, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of Internet sites and advertisements. According to the court, LVRC was aware of Brekka’s involvement with EBSN and EBSF when it brought him on board.

While working for LVRC, Brekka commuted between Florida, where his home and one of his businesses were, and Nevada, where Fountain Ridge and his other business were located. Brekka was issued a computer by LVRC, but routinely emailed himself documents he used at LVRC to his personal computer in Florida. After working for LVRC for several months, Brekka legitimately obtained an administrative log-in for the company’s Website to obtain metrics about the site which he used to manage its internet marketing.

Brekka did not have a written employment agreement with LVRC and the company did not have any employee guidelines governing emailing company documents to the personal computers of workers.

About six months after hiring Brekka, LVRC terminated its relationship with him. Later, LVRC discovered someone accessing their computers using Brekka’s login. When LVRC discovered that, they voided Brekka’s login and filed a number of lawsuits against the former employee,  including one alleging he violated the CFAA when he emailed documents to his personal computer and continued his administrative access the company’s Web site.

The CFAA, enacted in 1984, is a federal law aimed at punishing computer hackers who access computers to steal information or to disrupt or destroy a computer’s functionality. Among the crimes cited in the law are accessing computers without authorization or in excess of authorization and stealing information or damaging a computer or its data. LVRC argued that Brekka violated the authorized access provisions of the law.

LVRC contended that Brekka’s access to confidential information to further his interests rather than the company’s constituted unauthorized access under the federal law. But the court didn’t see it that way. “[A]n employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it,” it reasoned. “Because LVRC permitted Brekka to use the company computer…Brekka did not act ‘without authorization.’”

As for the allegations that Brekka accessed LVRC’s computers after he left the company, the court found that LVRC did not meet its burden of proof to support that contention.

“Brekka holds that a person uses a computer ‘without authorization’ when she has not received permission to use the computer for any purpose, or when the employer has rescinded permission to access the computer and she uses the computer anyway,” Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, wrote in an analysis of the decision posted at the EFF’s Web site.

“Similarly, a person who is authorized to use a computer does not exceed authorization simply by acting contrary to the computer owner’s interest, but only by obtaining or altering information in the computer that she is not entitled to obtain or alter,” she continued.

“The Brekka opinion is in line with the more recent and better line of district court cases that have rejected a ‘thought crime’ interpretation of the CFAA where the employee’s mental state determines whether she was authorized or not,” she added. “Brekka says that neither the statutory language nor the canons of criminal law allow such a broad reading that leaves people uncertain of when this criminal statute would apply.”

What lessons can be learned by email administrators from this court decision? Certainly, the ruling illustrates the importance of an email policy for companies. If you don’t want your workers forwarding important documents to their home computers, then you should tell them so in black and white. It also might be wise to work with your HR and Legal departments to make sure email issues like those raised in Brekka are addressed in boilerplate employment agreements your company executes with contract employees.