In a decision handed down on July 26, 2012 in WEC Carolina Energy Solutions, LLC v. Miller, the United States Court of Appeals for the Fourth Circuit ruled that the Computer Fraud and Abuse Act (“CFAA”), a federal law which primarily consists of criminal penalties directed at computer hackers, does not apply to employees who capture electronic information from computers to which their employers allowed them access in the course of their employment. The ruling is an important victory for all whistleblowers who seek to gather evidence of fraud or other illegal conduct on the part of their employers. While the CFAA is primarily a criminal statute, it allows the victims of computer hacking to privately seek injunctive and monetary relief.
The facts of the Miller case involve allegations of unfair competition rather than whistleblowing. Nonetheless, the decision will have very important implications for whistleblowers gathering data to document fraud. In Miller, an employee of WEC Carolina Energy Solutions, Mike Miller, resigned his post and accepted an offer from a competitor; allegedly, Miller shared WEC proprietary information at the behest of the competitor firm. WEC sued for, inter alia, violating the CFAA. The relevant statutory language states that a CFAA violation occurs when information is taken from a computer “without authorization.” In 2007, the Chicago-based Seventh Circuit held that an employee who erased information on a company laptop prior to returning it breached a duty of loyalty to the employer, terminating the relationship upon which the “authorization” of use of the computer was based. An en banc panel of the Ninth Circuit, however, held just this year that “without authorization” should be interpreted narrowly in a manner consistent with the plain meaning of the statute. According to the Ninth Circuit’s reading, “without authorization” means that the employee did not have permission to use the computer from which the information was taken. With its ruling in Miller, the Fourth Circuit joins the Ninth in adopting the narrower reading of the “without authorization” language of the CFAA.
Whistleblowers in the Ninth and Fourth Circuits are thus able to utilize information obtained from their former employers’ computers so long as they had authorization, without fear of liability under the CFAA. Because fraudulent conduct is highly difficult for investigative authorities to detect, the government often relies on information from whistleblowers in prosecuting fraud claims. Under the qui tam provisions of the False Claims Act (“FCA”), a federal whistleblower statute, private whistleblowers (known as relators) may sue on behalf of the government for fraud. When a relator files an FCA complaint, the government reviews the allegations and may elect to intervene in the litigation. Whether or not the government intervenes, relators may bring their claims privately. If successful, relators stand to recover between 15% and 30% of any final judgment or settlement. Individuals and contractors face FCA liability when they knowingly or recklessly submit false claims for payment to the government or fail to return overpayments from the government. Passage of the Fraud Enforcement and Recovery Act (FERA) in 2009 and the Dodd-Frank Bill and the Patient Protection and Affordable Care Act (PPACA) in 2010 have resulted in major changes to the FCA. Taken together, the recent changes to the law have increased the number of actionable claims under the FCA and strengthened the law’s protections against employer retaliation.