LVRC Holdings v. Brekka
Encyclopedia
LVRC Holdings v. Brekka is an ongoing lawsuit in the U.S. federal courts that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act
. Specifically, it considers the ability of employees to access and use company data for their own purposes. A district court came to the conclusion that what was legal or illegal for employees to do was decided chiefly by the access policies put in place by the employer, not just federal or state law.
It has been upheld by the Ninth Circuit Court of Appeals
. Since it adopted a narrower standard for authorization than the Seventh Circuit
did in a similar case, it is likely to be heard by the Supreme Court in the future.
During his time at LVRC, Brekka commuted between his home state, Florida, and Nevada, where LVRC and his first business were located. His second business is based in Florida. Brekka was assigned a computer at LVRC headquarters. Because of this frequent commute between Florida and Nevada, he emailed documents he obtained or created for his work at LVRC to his own personal computer. LVRC and Brekka had no written employment agreement. LVRC had no internal policy which would prohibit the transfer of LVRC documents to personal computers.
In June 2003, he emailed the administrative password for the LVRC's email system to his personal account. In August 2003, Brekka and LVRC began discussions regarding the possibilities of Brekka investing in an ownership interest in LVRC. At the end of the month, Brekka emailed to his wife and himself a number of documents including a financial statement for the company, LVRC's marketing budget, and admission reports for patients. On September 4, 2003, he emailed a master admission report containing the names of all the past and current patients at LVRC.
The negotiation regarding Brekka's investment in LVRC broke down mid-September 2003. He stopped working for LVRC and left his LVRC computer at the company as is, without deleting any emails.
On November 2004, LVRC noticed that someone was accessing its website using Brekka's login
. LVRC then sued Brekka in federal court, alleging that he violated the Computer Fraud and Abuse Act
(CFAA) when he emailed LVRC's documents to himself.
, which punishes intentional access to a computer without authorisation to obtain information. Both crimes are defined under 18 U.S.C. §§ 1030(a)(2) and (a)(4). To be successful, LVRC has to show that Brekka acted without authorization
or exceed its authorization
. The district court held that Brekka had authorization when he accessed LVRC's computer to transfer documents. Furthermore, there were no evidence that Brekka agreed to keep LVRC documents confidential, or to return or destroy them. Finally, the district court concluded that LVRC was unable to provide evidence that Brekka logged into the LVRC website after its contract was terminated.
The Nevada district court granted summary judgment
in favour of Brekka; LVRC contested both rulings in its appeal.
in International Airport Centers LLC v. Citrin. However, the Ninth Circuit
found that plain language of the Computer Fraud and Abuse Act
provided no support for such interpretation, and did not follow the Seventh Circuit. More precisely, the Ninth Circuit held that "authorization" depends on "actions taken by the employer" and is orthogonal to the loyalty or duties of the employee (Brekka is this case).
The Ninth Circuit affirmed the ruling of the district court.
will get involved eventually. However, LVRC has not appealed this case further; no reconciliation is expected in the near future.
The CFAA
has been used to sue employees who have used a computer toward unethical goals. After, the Ninth Circuit ruling, such cases will be harder to rest on the CFAA alone. For companies, this ruling highlights the importance of disabling ex-employees' accounts.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
. Specifically, it considers the ability of employees to access and use company data for their own purposes. A district court came to the conclusion that what was legal or illegal for employees to do was decided chiefly by the access policies put in place by the employer, not just federal or state law.
It has been upheld by the Ninth Circuit Court of Appeals
United States Court of Appeals for the Ninth Circuit
The United States Court of Appeals for the Ninth Circuit is a U.S. federal court with appellate jurisdiction over the district courts in the following districts:* District of Alaska* District of Arizona...
. Since it adopted a narrower standard for authorization than the Seventh Circuit
United States Court of Appeals for the Seventh Circuit
The United States Court of Appeals for the Seventh Circuit is a federal court with appellate jurisdiction over the courts in the following districts:* Central District of Illinois* Northern District of Illinois...
did in a similar case, it is likely to be heard by the Supreme Court in the future.
Factual background
LVRC Holdings, LLC (LVRC) operated an addiction treatment center in Nevada. In April 2003, LVRC hired Christopher Brekka. Part of his duties included interacting with LVRC's email provider (Load, Inc.) and conducting Internet marketing programs. When Brekka was hired, he owned and operated EBSN and EBSF, two consulting businesses that provided referrals of potential patients to rehabilitation facilities. LVRC's owner was aware of Brekka's businesses.During his time at LVRC, Brekka commuted between his home state, Florida, and Nevada, where LVRC and his first business were located. His second business is based in Florida. Brekka was assigned a computer at LVRC headquarters. Because of this frequent commute between Florida and Nevada, he emailed documents he obtained or created for his work at LVRC to his own personal computer. LVRC and Brekka had no written employment agreement. LVRC had no internal policy which would prohibit the transfer of LVRC documents to personal computers.
In June 2003, he emailed the administrative password for the LVRC's email system to his personal account. In August 2003, Brekka and LVRC began discussions regarding the possibilities of Brekka investing in an ownership interest in LVRC. At the end of the month, Brekka emailed to his wife and himself a number of documents including a financial statement for the company, LVRC's marketing budget, and admission reports for patients. On September 4, 2003, he emailed a master admission report containing the names of all the past and current patients at LVRC.
The negotiation regarding Brekka's investment in LVRC broke down mid-September 2003. He stopped working for LVRC and left his LVRC computer at the company as is, without deleting any emails.
On November 2004, LVRC noticed that someone was accessing its website using Brekka's login
Login
Login is the method whereby a user obtains access to a computer system.Login may also refer to:*Magazines:** LOGiN, published by Enterbrain** ;login:, published by USENIX* Login, Carmarthenshire, an hamlet in Carmarthenshire...
. LVRC then sued Brekka in federal court, alleging that he violated the Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
(CFAA) when he emailed LVRC's documents to himself.
District court
In its complaint, LVRC claims that Brekka violated the Computer Fraud and Abuse Act (CFAA)Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
, which punishes intentional access to a computer without authorisation to obtain information. Both crimes are defined under 18 U.S.C. §§ 1030(a)(2) and (a)(4). To be successful, LVRC has to show that Brekka acted without authorization
Authorization
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy...
or exceed its authorization
Authorization
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy...
. The district court held that Brekka had authorization when he accessed LVRC's computer to transfer documents. Furthermore, there were no evidence that Brekka agreed to keep LVRC documents confidential, or to return or destroy them. Finally, the district court concluded that LVRC was unable to provide evidence that Brekka logged into the LVRC website after its contract was terminated.
The Nevada district court granted summary judgment
Summary judgment
In law, a summary judgment is a determination made by a court without a full trial. Such a judgment may be issued as to the merits of an entire case, or of specific issues in that case....
in favour of Brekka; LVRC contested both rulings in its appeal.
Court of appeals
LVRC argued that Brekka transferred documents to his computer to further his own interests rather than LVRC's and that such access was "without authorisation". This is in line with the reasoning of the Seventh CircuitUnited States Court of Appeals for the Seventh Circuit
The United States Court of Appeals for the Seventh Circuit is a federal court with appellate jurisdiction over the courts in the following districts:* Central District of Illinois* Northern District of Illinois...
in International Airport Centers LLC v. Citrin. However, the Ninth Circuit
United States Court of Appeals for the Ninth Circuit
The United States Court of Appeals for the Ninth Circuit is a U.S. federal court with appellate jurisdiction over the district courts in the following districts:* District of Alaska* District of Arizona...
found that plain language of the Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
provided no support for such interpretation, and did not follow the Seventh Circuit. More precisely, the Ninth Circuit held that "authorization" depends on "actions taken by the employer" and is orthogonal to the loyalty or duties of the employee (Brekka is this case).
The Ninth Circuit affirmed the ruling of the district court.
Consequences
The Ninth Circuit interpretation of "authorization" is significantly narrower than the Seventh Circuit's. Given the split between the two high courts, it is likely that the Supreme CourtSupreme Court of the United States
The Supreme Court of the United States is the highest court in the United States. It has ultimate appellate jurisdiction over all state and federal courts, and original jurisdiction over a small range of cases...
will get involved eventually. However, LVRC has not appealed this case further; no reconciliation is expected in the near future.
The CFAA
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
has been used to sue employees who have used a computer toward unethical goals. After, the Ninth Circuit ruling, such cases will be harder to rest on the CFAA alone. For companies, this ruling highlights the importance of disabling ex-employees' accounts.