If I Had A Hammer
The United States Court of Appeals for the Third Circuit rejected a host of claims by a debt collection firm arising out of alleged computer misuse by two former employees, affirming the conclusions of the district court.
AMBRO, Circuit Judge
In the wrong hands, the law becomes a hammer in search of a nail. This is one such case.
While employed with the debt-collection firm National Recovery Agency (NRA), Nicole Durenleau was out sick. She urgently needed a work document, but she had no way to access it. Her friend and colleague, Jamie Badaczewski, logged in to Durenleau’s computer from the office, accessed the document—a spreadsheet with Durenleau’s passwords—and emailed it to Durenleau. She did so with Durenleau’s express permission, but the pair’s actions, including Durenleau’s creation of the spreadsheet, breached workplace computer-use policies.
Separately, over several years, Durenleau altered work files in a manner that credited her for performance bonuses. Evidence shows she did so believing she was eligible for the bonuses.
All the while, the women allege, they were subject to persistent sexual harassment at NRA. (One executive even slapped Durenleau.) They filed internal complaints. Eventually, Durenleau resigned, naming the harassment as the reason, and Badaczewski was fired soon after.
Just weeks later, NRA went on the offensive. It sued the women under federal and state law for computer fraud, theft of trade secrets, civil conspiracy, breach of fiduciary duty, and common-law fraud. The women answered with federal- and state-law counterclaims for sexual harassment, retaliation, and a hostile work environment.
On cross-motions for summary judgment, the District Court entered judgment for Durenleau and Badaczewski on all claims against them, staying their remaining sexual-harassment claims against NRA pending this appeal.
We affirm the District Court in full. In doing so, we hold for the first time that, (a) by its text and purpose, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, does not turn these workplace-policy infractions into federal crimes, and (b) passwords that protect proprietary business information are not themselves trade secrets under federal or Pennsylvania law.
Policy against application of federal statute
We add that the policy implications of NRA’s arguments are “breathtaking.” Van Buren, 593 U.S. at 393. Durenleau was at home and needed a password to complete an urgent work assignment—one that, in the words of her CEO, she needed to complete “TODAY!!!” App. 20. She couldn’t retrieve the password, so she asked a colleague, Badaczewski, to log in to NRA’s systems with her credentials and email a helpful document. NRA asks us to make this a federal crime. We refuse. Instead, we affirm the District Court’s rejection of NRA’s claims that the employees “exceed[ed] authorized access.” 18 U.S.C. § 1030(a)(2).
…Indeed, there are many other causes of action—breach of contract, business torts, fraud, negligence, and so on—that provide a remedy for employers when employees grossly transgress computer-use policies. The CFAA is the wrong tool for NRA’s project.
With today’s holding, we mean to turn future litigants to other causes of action so that we do not make “millions of otherwise law-abiding citizens [into] criminals.” Van Buren, 593 U.S. at 394. Accordingly, we affirm the District Court’s grant of summary judgment for Durenleau and Badaczewski on all of NRA’s claims under the CFAA.
Password exposure as “trade secrets”
Before us, NRA does not allege that the passwords were the “product of any special formula or algorithm.” Id. Rather, it misses the point entirely by arguing about the sensitivity and economic value of customer information, which the passwords were not. Those passwords granted access to client databases and other business-use information. But imagine they instead protected a website with pictures of cute puppies or a beloved couple’s wedding registry. (And NRA is assuredly not in the business of chihuahuas or china sets.) Because the revealed content would have no economic value to NRA, there is no serious claim the passwords would either. That is because it is what the passwords protect, not the passwords, that is valuable.
In any event, while the leak of actual trade secrets with independent economic value can endanger a business, NRA immediately remedied the problem by simply changing the passwords. (Query whether Coca-Cola could remedy the leak of its recipe, a quintessential trade secret, merely by changing the ingredients in Coke.) The passwords in the spreadsheet shared by Durenleau and Badaczewski were “numbers and letters,” State Analysis, 621 F. Supp. 2d at 321, that blocked the proprietary information that did have independent economic value: NRA’s business records and customer databases.
Thus no basis to sue for violations of workplace computer use policies
The CFAA does not reach these violations of workplace computer-use policies, the passwords were not trade secrets, and each of NRA’s state-law tort claims flunks a critical element. For these reasons, we affirm the District Court’s judgment for Durenleau and Badaczewski on all of NRA’s claims against them.
State law claims
Based on the employees’ actions to access Durenleau’s computer and email the spreadsheet, NRA sued Durenleau and Badaczewski for civil conspiracy and breach of the common law duty of loyalty. It also sued Durenleau for fraud for her altering of performance-bonus records. We affirm the District Court’s judgment for Durenleau and Badaczewski on each of these state-law counts.
Nope
At its core, the duty of loyalty owed by an employee under Pennsylvania law presumes that “no [wo]man can serve two masters.” Onorato v. Wissahickon Park, Inc., 244 A.2d 22, 25 (Pa. 1968) (citing Matthew 6:24). An employee has a duty not to compete, to look out for the employer’s financial and competitive interests, and not to arrogate the employer’s assets or business opportunities for herself. NRA cannot prove Durenleau and Badaczewski breached their duties, so we affirm.
(Mike Frisch)