Warren Terzian LLP

View Original

Does accessing your ex-company email account violate computer fraud law?

Say you quit your job. And the day after your employment ends, you log into your ex-company email account and forward some emails to your personal account.

Have you violated the Computer Fraud and Abuse Act? 

What about the California Comprehensive Computer Data Access and Fraud Act?

This law is something I've published on. Essentially, I explained how the California law might not cover this based on a nuanced parsing of the law.

A Central District of California decision chimes in on this. 

Luviano v. Multi Cable, Inc. (2016 WL 11220483) involves essentially this question. An employee left his job. But before his former employer terminated his email credentials, the former employee downloaded thousands of emails.

The court found both laws weren't violated.

With both laws, the key is whether the former employee had the former employer's authorization (CFAA) or permission (CDAFA). 

Computer Fraud and Abuse Act

Under the federal law, the court concluded that “‘without authorization’ . . . is based on whether an employer ‘terminate[d] an employee’s authorization to access a computer’ . . . .” Not just “whether an employer terminated an employee . . . .”

Terminating an employee alone isn’t enough to remove authorization to access email. Removing authorization requires something more.

Like revoking access credentials.

Or maybe possibly instructing the former employee not to access it.

But firing the employee alone isn’t enough for this court.

California Comprehensive Computer Data Access and Fraud Act

As for the California law, the court found that “without permission” requires “circumventing ‘technical or code-based barriers.’” 

That's doesn't happen when you just enter your login credentials.

California and Federal Laws

The court also implied some broader points for both laws.

Even if the access was unauthorized or unpermitted, there was no showing that the former employer’s computer system was harmed or impaired. Which the court said was a requirement under the CFAA. 

But it’s also a requirement under the CDAFA (Penal Code § 502(e)(1)).

The court also appeared generally skeptical. These emails were likely all sent or received by the former employee. 

And the former employee could access his company email from his personal cellphone and computer. This “may” have resulted in archiving these emails to his personal devices.

Which makes it hard claiming that these emails were “stolen.”