Suppose your employer asks you to create a Google account for the company. So you do. You set up everything yourself: Google Drive, Google+, Gmail–the works. You even set the password to your dog’s name. All of Google’s terms and conditions are accepted by you personally when creating the account. You proceed to use the account on behalf of the company, using Google Drive to store hundreds of company documents. Then you leave your job. Is the Google account yours? You created it, so are you free to make whatever use of the account you wish? Can you delete it?
Marcelo Cuellar thought so, but he was wrong. According to papers filed in Estes Forwarding Worldwide v. Cuellar in the Eastern District of Virginia, here are the facts. Cuellar joined Estes Forwarding Worldwide (“EFW”)–a transportation logistics company–in 2010. EFW has developed trade secrets relating to the best transportation solutions for various types of shipments, including information about type of freight, freight dimensions, routing decisions, vendor selection, and so on. It keeps this information in spreadsheets and other electronic documents.
For whatever reason, one of EFW’s customers had certain IT restrictions in place that prohibited EFW from installing its own IT infrastructure on-site at the customer’s location. So that it could share information about shipments from the location, EFW turned to the cloud. Cuellar, “acting on behalf of EFW and in furtherance of
The Google account was used on a daily basis by EFW employees for several years. In 2015, Cuellar left the company and joined a competitor. In 2016, over a year after leaving EFW, he logged in to the Google account he had created several years earlier on behalf of EFW. He downloaded the entire collection of over 1900 spreadsheets, changed the password, and then deleted the account.
EFW did not appreciate this. It sued Cuellar for violation of the Computer Fraud and Abuse Act (“CFAA”), violation of the Stored Communications Act (“SCA”), and other claims.
The CFAA is a fairly lengthy statute setting out a long list of prohibited activity. The court analyzed EFW’s claims under the following three provisions:
- 18 U.S.C. § 1030(a)(2)(C). To successfully state a claim based on a violation of § 1030(a)(2)(C), a plaintiff must allege that the defendant: (1) intentionally (2) accessed a computer (3) without authorization or in such a way that exceeded his authorized access, and (4) obtained information (5) from any “protected computer,” (6) resulting in a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
- 18 U.S.C. § 1030(a)(4). Under this section, a plaintiff must plead that the defendant: (1) knowingly and with the intent to defraud (2) accessed a “protected computer” (3) without authorization or exceeding such authorization that was granted and (4) furthered the intended fraud by obtaining anything of value, (5) causing a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
- 18 U.S.C. § 1030(a)(5)(C). Similarly, a plaintiff seeking to recover under this section must assert that the defendant: (1) intentionally (2) accessed a “protected computer” (3) without authorization, and, as a result of such conduct, (4) caused damage and loss (5) to one or more persons during any one-year period aggregating at least $5,000 in value.
Cuellar argued that he could not be held liable under any of these sections because he did not act “without authorization.” His position was that because he was the one who created the account, it was Google, rather than EFW, who was the source of his authority. In other words, so long as he did not violate Google’s Terms of Use, he did not act “without authorization.” Judge Hudson was not impressed. An employee is authorized to access a computer when the employer approves or sanctions admission to that computer. Although it was Cuellar who created the Google account, he “only did so while acting in the course and scope of his employment and for the benefit of EFW, not for personal use.” Thus, it was EFW who owned the account and had the right to authorize access to it. And clearly, EFW did not authorize Cuellar to go in and steal its proprietary data.
The court noted that the Hoofnagle v. Smyth-Wythe Airport case was different because in that case, the employee created a Yahoo! account that he used for both personal and business purposes. In Hoofnagle, the employee had created the account on his own accord and not at the direction of his employer. In Cuellar’s case, by contrast, the Google account was clearly created as a business account for the benefit of EFW and not a personal account.
Cuellar also argued that because he had created the account on-site at the customer’s location and there were no allegations of internet usage or interstate commerce, he had not accessed a “protected computer” within the meaning of the statute. The court did not find that argument compelling, either. Any computer with Internet access is effectively being used in interstate commerce or communication and is therefore a protected computer. Google Drive is stored in the cloud–the entire account was located exclusively on the Internet. It was therefore entitled to protection under the CFAA as a “protected computer.” The court denied Cuellar’s motion to dismiss the CFAA claim.
The SCA claim was also permitted to go forward, for much of the same reasons. The test for “without authorization” is the same under both the CFAA and the SCA. And the court rejected Cuellar’s argument that the spreadsheets on Google Drive did not qualify as “communication” protected by the SCA. The court noted that Congress has defined “electronic communication” broadly as “any transfer of signs, signals…data, or intelligence of any nature transmitted in whole or in part by a wire…system that affects interstate or foreign commerce.” 18 U.S.C. § 2510(12). Because EFW had alleged that information was transferred from one employee to another via updating the spreadsheet on the shared online account, that definition was satisfied.