User:Hottelie/LVRC Holdings v. Brekka

LVRC Holdings v. Brekka
Court: United States Court of Appeals for the Ninth Circuit
Full case name: LVRC HOLDINGS LLC v. Christopher BREKKA; Employee Business Solutions Inc.; Carolyn Quain; Stuart Smith; Brad Greenstein; Frank Szabo.
Decided: September 15, 2009
Citations: LVRC Holdings v. Brekka, 518 F.3d 1127 (2009).
Case history
Prior action: LVRC Holdings v. Brekka ??? Nevada district court
Court membership
Judges sitting: M. Margaret McKeown, Sandra Segal Ikuta, and James V. Selna
Case opinions
The district court granted summary judgment in favor of the defendants holding that "authorisation" was not dependent on employees' motives or loyalty. The Court of Appeals affirms.
Keywords
Computer Fraud and Abuse Act (CFAA)

Factual background

LVRC Holdings, LLC (LVRC) operated a treatment centre for addicted persons in Nevada.[1] In April 2003, LVRC hired Brekka. His duties included interacting with LVRC's email provider (Load, Inc.) and conducting Internet marketing programs. When Brekka was hired, he owned and operated EBSN and EBSF, two consulting businesses that provided referrals of potential patients to rehabilitation facilities. LVRC's owner was aware of Brekka's businesses.

During his time at LVRC, Brekka commuted between his home state, Florida, and Nevada, where LVRC and his first business were located.[1] His second business was based in Florida. Brekka was assigned a computer at LVRC headquarters. Because of this frequent commute between Florida and Nevada, he emailed documents he obtained or created for his work at LVRC to his own personal computer. LVRC and Brekka had no written employment agreement, and LVRC had no internal policy prohibiting the transfer of LVRC documents to personal computers.

In June 2003, he emailed the administrative password for LVRC's email system to his personal account.[1] In August 2003, Brekka and LVRC began discussing the possibility of Brekka investing in an ownership interest in LVRC. At the end of the month, Brekka emailed to his wife and himself a number of documents, including a financial statement for the company, LVRC's marketing budget, and admission reports for patients. On September 4, 2003, he emailed a master admission report containing the names of all the past and current patients at LVRC.

The negotiations regarding Brekka's investment in LVRC broke down in mid-September 2003.[1] He stopped working for LVRC and left his LVRC computer at the company as is, without deleting any emails.

In November 2004, LVRC noticed that someone was accessing its website using Brekka's login.[1] LVRC then sued Brekka in federal court, alleging that he violated the Computer Fraud and Abuse Act (CFAA) when he emailed LVRC's documents to himself.

Court proceedings

District court

In its complaint, LVRC claimed that Brekka violated the Computer Fraud and Abuse Act (CFAA), which punishes intentional access to a computer without authorisation to obtain information.[1] The relevant offences are defined under 18 U.S.C. §§ 1030(a)(2) and (a)(4). To be successful, LVRC had to show that Brekka acted without authorisation or exceeded his authorisation. The district court held that Brekka had authorisation when he accessed LVRC's computer to transfer documents. Furthermore, there was no evidence that Brekka agreed to keep LVRC documents confidential, or to return or destroy them. Finally, the district court concluded that LVRC was unable to provide evidence that Brekka logged into the LVRC website after his contract was terminated.

The Nevada district court granted summary judgment in favour of Brekka; LVRC contested both rulings in its appeal.[1]

Court of appeals

LVRC argued that Brekka transferred documents to his computer to further his own interests rather than LVRC's and that such access was "without authorisation".[1] This is in line with the reasoning of the Seventh Circuit in International Airport Centers LLC v. Citrin.[2] However, the Ninth Circuit found that the plain language of the Computer Fraud and Abuse Act provided no support for such an interpretation, and did not follow the Seventh Circuit.[3][4] More precisely, the Ninth Circuit held that "authorisation" depends on "actions taken by the employer" and is orthogonal to the loyalty or duties of the employee (Brekka in this case).[4]

The Ninth Circuit affirmed the ruling of the district court.[1]

Consequences

The Ninth Circuit's interpretation of "authorisation" is significantly narrower than the Seventh Circuit's. Given the split between the two courts of appeals, it is likely that the Supreme Court will get involved eventually.[3] However, LVRC has not appealed this case further; no reconciliation is expected in the near future.

The CFAA has been used to sue employees who have used a computer toward unethical goals. After the Ninth Circuit ruling, it will be harder to rest such cases on the CFAA alone.[5] For companies, this ruling highlights the importance of disabling ex-employees' accounts.[6]

References

  1. LVRC Holdings v. Brekka, 518 F.3d 1127 (2009).
  2. International Airport Centers LLC v. Citrin, 440 F.3d 418 (2006).
  3. Campbell, Dale C.; Muradyan, David (January 27, 2010). "The Seventh And Ninth Circuits Split On What Constitutes "Without Authorization" Within The Meaning Of The Computer Fraud And Abuse Act". The IP Law Blog. Retrieved February 9, 2011.
  4. Brenton, Kyle W. (Fall 2009). "Trade Secret Law and The Computer Fraud and Abuse Act: Two Problems and Two Solutions". University of Illinois Journal of Law, Technology & Policy. 2009 (2).
  5. Cheng, Jacqui (September 18, 2009). "Disloyal employees are not hackers, says court". Ars Technica. Retrieved February 9, 2011.
  6. Johnson, Kurt (February 24, 2010). "LVRC Holdings v. Brekka - Legal Impact of Zombie Accounts". Courion. Retrieved February 9, 2011.