TRADE SECRET LAW AND THE COMPUTER FRAUD AND ABUSE ACT:
TWO PROBLEMS AND TWO SOLUTIONS
Kyle W. Brenton
Abstract
As businesses move their confidential information onto computers, sensitive data gains the protection not only of state trade secret law, but also potentially of federal computer misuse statutes. The interaction between those two bodies of law, however, is more problematic than any commentator has yet realized. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is a federal criminal statute with a private right of action allowing those who suffer information theft via computer to maintain a civil action against the thief. More and more in recent years, however, employers whose faithless employees misappropriate purported trade secrets have used the CFAA as a basis for employee liability, as well as a way to bootstrap their claims into federal court.
Using the CFAA in this manner creates two problems. First, substantively, since a CFAA claim is much easier to prove than a traditional state-law trade secret misappropriation claim, plaintiffs will be more likely to plead the former. But because the CFAA lacks virtually all of the policy-based protections built into trade secret law, this upsets the delicate balance between employers and employees that trade secret law strikes. Second, jurisdictionally, using the CFAA to establish federal question jurisdiction, then bringing trade secret claims into federal court under supplemental jurisdiction, contravenes the intent of Congress in passing the CFAA and damages core notions of federalism and the relationship between federal and state law.
This Article proposes two solutions to the two problems that arise at the intersection of trade secret law and the Computer Fraud and Abuse Act. First, Congress should act to remove the CFAA’s substantive crime that most closely approximates trade secret misappropriation from the Act’s private right of action, thus removing the threat that the CFAA will disrupt the values underlying substantive trade secret law. Second, judges ruling on motions to dismiss CFAA claims should carefully examine the parties’ contentions and use the discretion granted in 28 U.S.C. § 1367(c) to dismiss state-law trade secret claims. Thus claims in which the CFAA is merely, in the words of one judge, “a federal tail” wagging “a state dog” can be returned where they belong: state court.
TRADE SECRET LAW AND THE COMPUTER FRAUD AND ABUSE ACT:
TWO PROBLEMS AND TWO SOLUTIONS
Kyle W. Brenton*
INTRODUCTION
The recent federal criminal prosecution of a Missouri woman for allegedly causing the suicide of a teenager through fraudulent use of MySpace.com[1] has focused national attention on the Computer Fraud and Abuse Act.[2] The Act was originally passed in order to give the FBI a weapon for prosecuting computer hackers,[3] but the statute has grown far beyond its roots. The presence of a private right of action in the statute[4] has led to the development of a body of civil precedents interpreting the Act broadly, and the prosecution in the Drew case was able to point to those cases in urging the jury to find criminal liability for Drew’s violation of MySpace.com’s Terms of Service.[5] Academics predicted that the statute might be thus misused in the criminal context as early as 2003.[6] But the harm that results from broad interpretations of the Act’s terms is not limited to the criminal arena.
As the American workplace has become more computerized,[7] a broader range of what occurs in that workplace becomes potentially subject to laws regulating computer use. Perhaps nowhere does this phenomenon have a greater impact than in trade secret law. As trade secrets become almost universally stored on computers, they gain the protection not only of common-law and statutory trade secret principles, but also potentially of computer misuse statutes. At first glance this may seem like an unalloyed benefit. America’s robust protection of intellectual property has frequently been cited as one of the great driving forces of our information economy.[8] At least one federal agency has valued America’s intellectual property at over $5 trillion.[9] If some protection for trade secrets is a good thing, the argument runs, more protection should be a great thing.
But this viewpoint overlooks some of the fundamental policies underlying trade secret law, and as more and more plaintiffs argue that the CFAA protects their trade secrets,[10] the relevance of those policies is undercut. The CFAA in the civil context creates two major problems for trade secret law. The first is substantive. The Act provides a means of redress to potential trade secret plaintiffs that lacks virtually all of the policy and procedural safeguards built into trade secret law. A plaintiff in a CFAA case need not prove that the information taken was not generally available, that it gained value from secrecy, or that reasonable steps had been taken to protect it.[11] She need not prove that the defendant used improper means to obtain it.[12] She need prove only that the information was on a computer, that the defendant obtained it through unauthorized access or access exceeding existing authorization, and that she has lost at least $5,000 as a result.[13] After this minimal showing (and under broad “authorization” precedents, the showing required is minimal indeed[14]) she can obtain relief. Thus, in many trade secret misappropriation cases, the CFAA provides a means of recovery that is not circumscribed by the policy-based protections of substantive trade secret law. Because those protections are designed to maintain a balance between employers and employees, the CFAA threatens to disrupt that important equilibruim as well.
The second problem is jurisdictional. In those cases in which the plaintiff can’t obtain full redress for the information theft purely through the CFAA—for instance, cases in which the plaintiff seeks relief from the misappropriator’s new employer—the Act provides a back door into federal court. As long as the plaintiff can make out the barebones showing articulated above against the misappropriator, the supplemental jurisdiction statute[15] provides authority for a federal court to adjudicate any and all state law claims that are part of the same “case or controversy” as the plaintiff’s federal claim.[16] Therefore, the plaintiff’s state law trade secret claim can almost always be heard in federal court, as long as the alleged trade secret was stored on a computer. Thus a class of claims that should properly be adjudicated by state judges in state court find their way into federal court on the back of a statute that requires a much lower showing to establish potential liability.
The problems created by the private right of action in the CFAA—either in trade secret law specifically or more generally—have gone almost entirely unnoticed in the academy.[17] Practitioner publications[18] and blogs,[19] however, have taken note of these new developments, and have generally espoused a positive view of them.[20] But no matter how useful the CFAA may seem to be to attorneys representing corporations, that cannot change the fact that using the Act as a civil remedy for trade secret theft in federal court both undermines the fundamental policies underlying trade secret law[21] and contravenes Congress’ intent in leaving trade secret protection to the states.[22] This Article thus argues that the costs of employing the CFAA in the trade secret arena dramatically outweigh the benefits. Congress should take action to remove the CFAA provision most relevant to trade secret cases[23] from the ambit of the statute’s private right of action, or in the alternative enact a statutory definition of one of the Act’s key terms: authorization. In the absence of congressional action, federal judges presiding over actions in which federal jurisdiction is premised entirely upon the CFAA should closely scrutinize the facts and arguments of the parties, and if state law trade secret claims substantially predominate over a barebones CFAA violation, should decline to hear the state claims under the discretion granted in the supplemental jurisdiction statute.[24]
This Article proceeds in four parts. Part I charts the framework of the Computer Fraud and Abuse Act, then explores the substantial judicial disagreement regarding three of the Act’s key terms: authorization, damage, and loss. Part II delves into substantive trade secret law to explore the elements of a misappropriation cause of action and the policies underlying those elements, and compares the substantive components of trade secret law with the elements and policies of the CFAA. In Part III, the Article points out the difficulties that arise when trade secret cases make their way into federal court appended to CFAA claims. It analyzes the legislative history of the Act to determine whether Congress intended it to apply to trade secret misappropriation, and addresses the harms to fundamental notions of federalism that this kind of use of the CFAA can create. Finally, Part IV proposes two sets of solutions to the two problems created by the CFAA, one legislative and the other judicial. Both Congress and the federal courts should take action to protect state trade secret law and to prevent opportunistic litigants from forum-shopping their way into federal court via the Computer Fraud and Abuse Act.
I. A CFAA PRIMER
The Computer Fraud and Abuse Act establishes seven computer misuse-related activities as substantive crimes. One of those crimes—section 1030(a)(2)(C)—parallels trade secret misappropriation and creates the problems that this Article addresses. To make out a civil CFAA claim, the plaintiff must allege both a violation of one of the Act’s crimes and damage or loss exceeding $5,000. The real story is somewhat more complex, however, first because the statute is very poorly drafted, and second because substantial judicial disagreement exists as to the scope of many of the Act’s key terms. This Part first looks to the Act’s substantive crimes, then to the private right of action and the contested terms therein.
A. Information Theft Under CFAA Section (a)(2)(C)
The common thread woven through almost all of the Act’s substantive crimes is the notion of unauthorized access.[25] The specific contours of that notion will be explored below, but in the broadest possible terms, Congress designed the Act to criminalize computer misuse—that is to say, either wrongful conduct harmful to a computer (such as a denial-of-service attack damaging a computer network), or use of a computer as an instrument of wrongful conduct (such as hacking into a system to steal information).[26] To trigger the Act, the unauthorized access must be of a “protected computer,” which the statute defines as either a computer used by a financial institution or the United States government or a computer “used in or affecting interstate or foreign commerce or communication . . . .”[27] Therefore, the Act applies to the full extent of Congress’ powers under the Commerce Clause, and given the decentralized nature of computer networks and the Internet,[28] it is difficult to imagine a functioning, networked computer that does not fit the Act’s definition.[29]
The Act contains seven substantive criminal prohibitions listed in section (a) of the statute. Two of the crimes apply specifically to activity aimed at the United States government.[30] A second class of crimes address fraud and extortion using computers.[31] The statute ten criminalizes damaging a computer through unauthorized access.[32] But the real action, from a trade secret point of view, lies in subsection (a)(2), which creates three crimes related to the theft of information. Subsections (a)(2)(A) & (B) address information stolen from a financial institution and from the United States government, respectively.[33] But the third is not so limited. Subsection (a)(2)(C) is violated whenever anyone “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”[34] This subsection puts no qualification on the nature or character of the information taken—it focuses squarely and solely on the actions of the defendant in obtaining it.
Congress recently enlarged the scope of subsection (a)(2)(C). Until September 2008, the subsection read “. . . information from any protected computer if the conduct involved an interstate or foreign communication.”[35] The final clause was dropped as part of the Identity Theft Enforcement and Restitution Act,[36] which also added criminal forfeiture provisions and restitution requirements to the sentencing portions of the Act.[37] The purpose of the amendments was to facilitate prosecution of identity theft, as well as to make it easier for victims to obtain restitution after the successful prosecution of identity thieves.[38] Section 203 of the amendment was entitled “Ensuring Jurisdiction Over the Theft of Sensitive Identity Information,”[39] and while the amendment certainly did that, it likely “ensured jurisdiction” over a whole lot more. According to a press release from sponsor Senator Patrick Leahy’s office, the amendments will “[e]nable prosecution of those who steal personal information from a computer even when the victim’s computer is located in the same state as the thief’s computer. Under current law, federal courts only have jurisdiction if the thief uses an interstate communication to access the victim’s computer.”[40] Not surprisingly, neither the House nor the Senate debated the civil dimensions of this amendment, but removing the interstate communication requirement broadened the CFAA’s scope in the civil arena just as much as (or more than) in the criminal. No cases have yet been reported under the amended version of subsection (a)(2)(C), and so only time will tell what its precise effect will be.
B. The Private Right of Action
Although the CFAA’s substantive crimes define the kinds of behavior prohibited in both the civil and criminal arenas, civil liability under the statute requires an additional showing. The Act’s private right of action appears in subsection (g), and reads, in its entirety:
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.[41]
Therefore, a violation of any of subsection (a)’s criminal offenses can give rise to civil liability under subsection (g),[42] and any person harmed—a category not confined to the owner of the accessed computer—can sue the violator,[43] but only if the plaintiff can also prove one of the factors in subsection (c)(4)(A)(i), one of the sentencing provisions. Of those six factors, the one most relevant in civil litigation is (c)(4)(A)(i)(I), which applies to conduct which causes “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.”[44] Thus, in addition to the violation of a section (a) criminal prohibition, a CFAA plaintiff must have suffered $5,000 in damages—a kind of amount-in-controversy requirement for the Act..[45]
Surveying all the various subsections together, the elements of the civil CFAA claim most closely paralleling trade secret law are: (1) intentional, unauthorized access or access which exceeds authorization; (2) of a protected computer; (3) through which the violator obtains information; (4) causing $5,000 in loss to one or more persons in a one-year period. Pleading those four simple elements establishes federal subject-matter jurisdiction over the plaintiff’s claim. Proving them by the preponderance of the evidence[46] gives the plaintiff a right to “compensatory damages and injunctive relief or other equitable relief.”[47]
C. Defining Terms: Authorization, Damage, and Loss
Knowing those elements does not end the inquiry, however, because some of the key terms at issue are either not defined by the statute, or are defined in a manner that leaves enough ambiguity for courts to disagree substantially as to their scope. A full exegesis of the nuances of the terms “authorization,” “damage,” and “loss” in the statute is beyond the scope of this Article.[48] But a quick sketch of the judicial disagreement regarding them will give a sense of the CFAA’s potential reach in the civil arena.
1. Authorization
Key to almost every substantive crime in the CFAA is the notion of authorization. All but one of the seven crimes are triggered by “unauthorized access” or use which “exceeds authorized access.”[49] The Act defines the latter term as “to access a computer with authorization and to use such access to obtain or alter information that the accesser is not entitled so to obtain or alter,”[50] but by simply incorporating the undefined term “authorization,” that provision sheds little light on the scope of the statute. Judges interpreting the notion of authorization have divided into two camps: the first apply a legalistic meaning to authorization, and the second focus on the term’s technological sense.
The two leading cases on the legalistic side of the equation are Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.[51] and International Airport Centers, L.L.C. v. Citrin.[52] Both cases involved the classic “faithless employee” trade secret misappropriation scenario. In Shurgard, after receiving an employment offer from a competitor, the employee emailed confidential information to that competitor while still working for Shurgard.[53] In Citrin, an employee removed sensitive information from his employer-provided laptop in order to start his own company, and then used a secure-erasure program to cover his tracks.[54] Both cases revolved around the question of whether the employees’ use of their employers’ computers was “unauthorized” even when the offenders still had both physical and technological access to those computers as a part of the employment relationship.
Both District Judge Zilly and Circuit Judge Posner answered that question in the affirmative. Rather than consider whether the employees’ access of their computers was authorized in a technological sense, they looked to a legal notion of authorization, as defined by agency law. According to the Restatement (Second) of Agency, “the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”[55] So, as soon as the employee in Shurgard accepted an offer of employment from a rival; as soon as the employee in Citrin decided to leave IAC and start his own business; as soon as any agent or employee violates her legal duty of loyalty to their employer; their authorization to access their employer’s computer terminates, and any subsequent access can give rise to CFAA liability.
This conception of authorization is quite broad, and in the years since Shurgard and Citrin a number of district courts have questioned it. In International Ass’n of Machinists & Aerospace Workers v. Werner-Masuda,[56] for example, the court rejected both the agency law notion of authorization and the argument that the employee’s illegitimate use of information obtained from a computer could render the access unauthorized. This court looked to the CFAA’s legislative history and found that Congress intended the statute to apply primarily to outside computer hackers, rather than faithless employees.[57] Thus the court held that, despite the fact that Werner-Masuda had accessed her employer’s computers on behalf of a competitor, because “her access had not been revoked” by her employer, the employer could not state a claim for relief under the CFAA.[58]
The CFAA, according to the Werner-Masuda court, does not “prohibit the unauthorized disclosure or use of information, but rather unauthorized access. Nor [do its] terms proscribe authorized access for unauthorized or illegitimate purposes.”[59] This latter interpretive camp—call it the technological school—would therefore find access to be unauthorized only if the accesser did not have physical and/or technological access to the computer; for example, a valid user ID and password.[60] Several other federal district courts around the country have sided with the Werner-Masuda court on this question,[61] but other courts—in the Seventh Circuit in particular—continue to toe the Shurgard/Citrin line.[62]
As long as this split in authority over the scope of the term authorization in the CFAA remains unresolved, the statute may enable claims arising out of a broad range of employee misconduct. As long as a plaintiff in a trade secret case can prove that the employee’s motives in accessing her work-provided computer were less than pure, there remains a colorable argument under Shurgard and Citrin that that access was unauthorized, and thus in violation of federal law.
2. Damage and Loss
Unlike “authorization,” the Act defines both “damage” and “loss,” although it has not always done so.[63] Damage is “any impairment to the integrity or availability of data, a program, a system, or information,”[64] and thus encompasses injury to the computer itself, its software, or the information stored on it. Loss is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]”[65] While the destruction or deletion of data would almost certainly constitute damage under the Act,[66] two major questions about the scope of damage and loss arise in the trade secret context. First, does the loss of secrecy constitute an “impairment to the integrity . . . of data” such that it counts as damage?[67] And second, does economic damage due to trade secret misappropriation—for example, lost profits—count as loss?
On the damage question, there is some authority that supports the argument that loss of trade secret status constitutes damage under the Act. In the context of copyright infringement, one district court has held that “[w]e see no principled reason . . . why infringement of copyrighted material taken from a computer system would not qualify as impairment of the integrity of the copyrighted information.”[68] In theory, this argument could apply to information protected by trade secret law as well as copyright law—an argument that is particularly attractive if one is thinking in the Citrin legalistic mode. But later cases have called this line of argument strongly into question, and have held that damage, as defined by the statute, is to be looked at from a technological, rather than a legalistic, point of view.[69]
Loss, however, is defined a bit more broadly in the statute than is damage, and thus might accommodate a more functional construction. In Nexans Wires S.A. v. Sark-USA, Inc.,[70] the District Court for the Southern District of New York found that the cost of flying two executives from Germany to New York to investigate an allegation of unauthorized computer access did not constitute “loss,” because the trip was unrelated to the allegedly accessed computers themselves.[71] The court noted that had the record contained evidence that the executives had actually examined one of the computers, it might constitute loss, but that the record actually tended to prove that the purpose of the visit was to discuss the information stolen by the faithless employee, rather than the potential harm to the computer system.[72] Further, the aggrieved company argued that because it had lost two business opportunities due to the faithless employee’s information theft, that lost revenue should be considered loss for the purposes of the jurisdictional requirement.[73] The court, however, held that to constitute loss, any lost revenue must be due to an interruption of service in the computer network, according to the statutory definition.[74] Therefore, while the cost of responding to and remedying a violation of computer security does constitute loss, such actions must be directly connected to the wrongfully accessed computers, and lost profits due to lost information do not count toward the $5,000 jurisdictional threshold.[75]
Judicial constructions of the CFAA are thus internally inconsistent, with some terms being interpreted in a legalistic fashion and others in a technology-centric manner. It seems that the more clearly Congress defines a term and ties it to technology, the more likely a court will follow that dictate; the less clearly the statute ties a term to technology, however, the more likely a court is to expand its meaning to the fullest legalistic definition. The upshot, however, is a statute that applies to employee theft of information from computers in an uncertain fashion. In that ambiguity lurk two major problems for trade secret law.
II. THE SUBSTANTIVE PROBLEM: VIRTUAL REDUNDANCY
The Computer Fraud and Abuse Act creates two significant problems for trade secret law—one substantive and one jurisdictional. This Part examines the first. Many if not most units of information that fit the common law or statutory definition of a trade secret are today stored on computers.[76] Because the CFAA provides a civil cause of action when someone obtains information through unauthorized access to a computer,[77] the Act may apply to a broad range of situations previously covered only by trade secret law. Since the evidentiary requirements and elements of proof of a CFAA (a)(2)(C) claim are far lower than in a traditional trade secret misappropriation claim, there exists a danger that the substantive law of trade secrets will be eclipsed by CFAA litigation.
It will, however, rarely if ever be the case in litigation that a plaintiff will be presented with an either/or choice between a state-law trade secret claim and a CFAA claim. In fact, much of the danger inherent in the CFAA arises from the fact that the two claims will generally be pled together, and thus the plaintiff can get into federal court with what is substantially an exclusively state-law claim, the problem addressed below in Part III.[78] The substantive problem treated in this Part arises not because litigants will choose one body of law over the other; rather, the problem comes to light when the CFAA is enlisted to protect information that trade secret law would hold unprotectable. As addressed below, this undermines the policy goals of trade secret law and threatens the equilibrium that it creates between employer and employee. To lay bare that threat, this Part will first examine the requirements of trade secret protection and compare them to the elements of a CFAA (a)(2)(C) claim, thus putting into stark contrast the policy goals served by each.
A. Substantive Trade Secret Law vs. CFAA (a)(2)(C) Claims
Because trade secret law is entirely a creature of state law, the particular requirements of proving a misappropriation claim will vary from jurisdiction to jurisdiction. But due to the efforts of the American Law Institute and the Uniform Law Commissioners embodied in the Restatements[79] and the Uniform Trade Secret Act (UTSA),[80] there is more similarity from state to state than in other areas of the law.[81] At the broadest level, both the UTSA and the common law focus attention first on the nature and character of the information alleged to be a trade secret, and then on the actions of the individual alleged to have misappropriated that secret. This dual focus reflects the policy compromise at the heart of trade secret law: a balance between a property-based conception of trade secret protection and a misconduct/commercial morality-focused approach.[82]
1. Definition of a Trade Secret
The first question in any trade secret litigation is whether the information taken fulfills the common law or statutory definition of a trade secret.[83] The UTSA defines a trade secret as:
information, including a formula, pattern, compilation, program, device, method, technique, or process that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.[84]
The Restatement (Third) of Unfair Competition definition is similar.[85] This definition builds three important safeguards into the law from the outset. First, the alleged trade secret must derive economic value from the fact that it is secret. This requirement is applied strictly—if an alleged trade secret is valuable only for reasons other than its secrecy it is not protectable on the basis of that value alone.[86] Thus trade secret law protects only that information which gives its holder a competitive advantage based upon its secrecy.[87] Second, the definition excludes information which is “readily ascertainable by proper means” by others. The UTSA thus permits “reverse engineering” of a trade secret from an end product, as long as the allegedly protected information can be ascertained readily and legitimately.[88] Finally, the definition imposes a positive duty on the holders of supposed trade secrets to undertake reasonable precautions to keep their proprietary information secret. The holder of the information need not take every conceivable step to keep it secret, but must do that which—taking into account the value of the information and other circumstances—a reasonable person would do to preserve secrecy.[89]
From the outset, then, a cardinal difference between a UTSA-based trade secret claim and a CFAA-based information theft claim reveals itself. While trade secret law is very much concerned with the nature and character of the information for which protection is sought, under the CFAA as long as what was stolen was information stored on a computer, no further inquiry is necessary.[90] This is even more apparent following the 2008 amendments to the Act, which removed even the minimal requirement that the wrongfully-accessed computer be engaged in “interstate or foreign communication.”[91] While the utter absence of proof requirements related to the information taken has disturbing policy implications, explored below, it also has a dramatic practical effect—proving a CFAA claim becomes far easier than establishing a prima facie case of trade secret status.[92] This disparity in the respective hurdles a plaintiff must clear, therefore, creates an incentive bias toward a CFAA claim and against a trade secret misappropriation claim.
2. Misappropriation Through Improper Means
Once a plaintiff establishes trade secret status, the focus then shifts to the behavior of the defendant. In order to establish liability, the plaintiff must prove that the defendant misappropriated the trade secret at issue.[93] The UTSA defines misappropriation as:
(i) acquisition of a trade secret by a person who knows or has reason to know that the trade secret was acquired by improper means; or
(ii) disclosure or use of a trade secret of another without express or implied consent by a person who
(A) used improper means to acquire knowledge of the trade secret; or
(B) at the time of disclosure or use, knew or had reason to know that his knowledge of the trade secret was
(I) derived from or through a person who had utilized improper means to acquire it;
(II) acquired under circumstances giving rise to a duty to maintain its secrecy or limit its use; or
(III) derived from or through a person who owed a duty to the person seeking relief to maintain its secrecy or limit its use; or
(C) before a material change of his [or her] position, knew or had reason to know that it was a trade secret and that knowledge of it had been acquired by accident or mistake.[94]
Misappropriation thus occurs either when one acquires a trade secret by improper means, or when one discloses or uses a trade secret either acquired by improper means or acquired innocently but with knowledge that it should be protected. “Improper means” include “theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means.”[95] The Comments to the UTSA add that that definition is not a “complete catalogue” of the kinds of behavior that constitute improper means, but that such behavior need not necessarily even be unlawful—merely “improper under the circumstances.”[96] The comments to the Restatement add to the definition the notion that means “inconsistent with accepted principles of public policy” may also be improper.[97]
A CFAA (a)(2)(C) claim also focuses on the character of the defendant’s actions. The CFAA’s analogue to the improper means inquiry is the determination of whether the defendant’s access to the computer was unauthorized or exceeded existing authorization.[98] It is not immediately apparent, however, whether the UTSA’s “improper means” is broader or narrower in scope than the CFAA’s “unauthorized access.” The answer will depend on which of the two schools of thought on authorization wins the day. If authorization is viewed in a purely technological sense, then the scope of proscribed conduct under the CFAA seems narrower than that proscribed by the UTSA; in order to trigger liability, the defendant must either be an outsider to the computer system and hack into it, or bypass a code-based limitation on their authorized access to obtain information exceeding their authorized access.[99] A putative defendant could thus engage in a wide range of behavior that a court might consider “improper under the circumstances,” and yet not violate any technological limits on their access, and thus escape CFAA liability.
If, on the other hand, the Shurgard/Citrin legalistic interpretation of authorization prevails, the breadth of prohibited conduct under the CFAA may approach that of the improper means requirement of the UTSA. If any breach of an employee’s legal duty of loyalty to his or her employer terminates the agency relationship and makes any subsequent computer access unauthorized, more conduct is swept in than just that which, as proscribed in the UTSA, breaches a narrower duty to maintain secrecy. The UTSA definition of improper means certainly reaches a great deal of conduct that is entirely unrelated to the principal/agent relationship—such as theft, electronic espionage, or bribery—but in the context of the employment relationship, the Shurgard/Citrin notion of authorization is at least arguably as broad as or broader than the UTSA’s improper means test.
There remains, however, one type of misappropriation in the UTSA that the CFAA does not encompass: third-party liability. In its definition of misappropriation, the UTSA includes actions by third parties who use or disclose a trade secret, even if they themselves did not acquire it through improper means.[100] The CFAA’s private right of action, in contrast, provides only for “a civil action against the violator,”[101] and so third-party liability of a user of trade secrets stolen from a computer by another is not available.[102] So if a plaintiff wants to sue anyone other than the party that stole the information from her computer, the UTSA (or state common law misappropriation) provides her only recourse.
3. Remedies
The final area of contrast between UTSA and CFAA (a)(2)(C) claims lies in the remedies available. The UTSA provides both for money damages—compensatory,[103] punitive,[104] and attorney’s fees[105]—and injunctive relief to prevent “threatened or actual misappropriation.”[106] Compensatory damages under the UTSA include both the actual loss to the plaintiff and the amount the defendant is unjustly enriched by use of the trade secret that is not captured in the amount of the plaintiff’s actual loss.[107] An injunction may also include the award of so-called “reasonably royalty” damages, which require the defendant to pay the plaintiff an amount that the court determines would have been a reasonable royalty for access to the protected information.[108]
Unsurprisingly given its criminal purpose and roots, the CFAA does not adequately specify the types of remedies available to civil plaintiffs. As noted above, subsection (g) authorizes civil actions “to obtain compensatory damages and injunctive relief or other equitable relief.”[109] The only express limitation on CFAA damages is the mandate that damages in (c)(4)(A)(i)(I) actions—i.e. $5,000 loss actions—are limited to economic damages. As noted above, this limitation does not on its face rule out injunctions or equitable relief for these actions.[110] Case law on this topic offers limited clarity—most reported CFAA cases dealing with damage address whether the plaintiff has adequately pleaded statutory damage and/or loss exceeding the jurisdictional amount,[111] but few cases addresses the propriety of damage awards post-trial.
The question of whether damages for lost profits or loss of business advantage or goodwill are available in civil CFAA actions has generated disagreement in the courts.[112] Both the statute’s text and the thrust of the opinions construing the jurisdictional amount question argue that only costs incurred in responding to a computer security breach should be compensable under the Act. Subsection (g) applies to “[a]ny person who suffers damage or loss by reason of a violation”[113] of the Act, and there seems no reason not to apply the statutory definition of those terms to the question of compensable losses. As explored above,[114] loss is broader than damage, but both require the expenditures at issue to be related to the computer security breach that gave rise to CFAA liability. Therefore, it might be reasonable to assume that only those costs incurred in investigating and responding to a computer security breach are compensable under the CFAA.
But the statute could be read differently. At least one court, relying entirely on a textualist statutory interpretation, has held that lost revenue should be compensable under the CFAA.[115] Because “compensatory damages” are not defined in the statute, the court assumed that Congress intended to adopt the usual legal meaning of that term, which encompasses all compensation necessary to make the plaintiff whole.[116] Further, the lack of a definition for “economic damages” led the court to conclude that use of that term excluded only damages for things like emotional distress or pain and suffering.[117] The court finally held that Congress’ use of the terms “damage” and “loss” in the private right of action (and their associated statutory definitions) applied only to the jurisdictional threshold, and did not limit the types of loss recoverable upon a favorable verdict.[118] “When a defendant copies unauthorized data to gain a competitive advantage,” in the court’s view, “it makes no sense to limit the plaintiff’s recovery when the lost revenue is a direct result of the defendant’s misconduct.”[119]
Therefore, it is impossible to say with certainty what categories of damages will be available in a CFAA case. But even if a court adopts the more restrictive interpretation covering only costs incurred in responding to a breach in information theft cases, injunctive relief may well be of much greater benefit to the plaintiff than any amount of monetary damages. If a company’s trade secrets have been stolen and it has incurred sufficient costs in responding to the breach,[120] an injunction requiring the defendant to return or destroy the stolen information may be all the remedy that the company needs. Therefore, while the CFAA’s damages provisions may not be as expansive as the UTSA’s, the remedies that the CFAA does provide will likely be sufficient for plaintiffs in most cases.
In sum, UTSA trade secret misappropriation and CFAA information-theft do not align precisely. They do, however, overlap in their core areas to a great enough extent that, when potentially protectable information is taken from a computer, a plaintiff might plead either or both in court. The relative ease of establishing a CFAA violation, however, creates a bias against relying upon a traditional trade secret claim. Even if that is the case, though, it remains to be shown why that should make any difference.
B. Trade Secret Law Policy Goals and the CFAA
The pleading and proof requirements of traditional trade secret law are there for a reason. Trade secret law does not exist to impose strict liability for the theft of information. As a matter of policy, trade secret law has two major purposes: to enforce a baseline level of commercial morality by punishing wrongful business conduct and to encourage investment in research by guaranteeing businesses that their confidential information will be protected.[121] Each of the pleading requirements relates in some way to one of those two goals, or both. For instance, the requirement that the plaintiff prove that the information taken fit the definition of a trade secret ensures that defendants are not penalized for using easily ascertainable information that happens to have been discovered first by another party. And requiring only reasonable efforts to maintain secrecy—rather than demanding absolute confidentiality—reduces the costs that companies must spend on security, leaving more funds available for pure research and development.
Trade secret law as it currently exists represents a compromise between two possible ways of protecting confidential business information: protecting information as property or punishing the betrayal of confidence.[122] The latter school conceives of trade secret law as primarily about the enforcement of confidential relationships—if the defendant was in a position of confidence vis-à-vis the plaintiff (such as an employment relationship) and abused that confidence, the defendant should be liable no matter what shape that abuse took.[123] The former school, on the other hand, conceives of the trade secret right as propertarian in nature, and the owner of the protected property is entitled to redress for any kind of trespass by another party.[124] The requirements of proving misappropriation serve both of these interests: the necessity of proving trade secret status ensures that there is a legally recognized property right in the thing being protected, and the improper means inquiry demands that the defendant violate some social norm of confidence.[125]
The CFAA serves none of these policy goals. At first blush, it might appear that the CFAA falls on the property-rights side of the debate. After all, the Act imposes liability for the theft of information in an almost strict manner—as long as the right is interfered with in the proscribed fashion, liability follows. This hearkens back in a sense to the law of trespass, which imposes strict liability for any interference with a possessory right.[126] The application of real property law concepts in cyberspace has a long and somewhat sordid history,[127] and using trespass law to punish online wrongdoing in particular is fraught with difficulty.[128] But a closer examination suggests that the CFAA approach does not truly represent the propertarian view of trade secrets, because even from that perspective, trade secret law’s focus is on proving that the information taken was in fact a trade secret, and thus property.[129] The CFAA, on the other hand, merely assumes that any information on a computer is protectable property, and moves immediately to the character of the defendant’s actions in accessing it.[130]
The key difference between the two bodies of law on a policy level boils down to the requirement of secrecy: a trade secret must have been secret to gain protection, while any information may be protected under the CFAA. Some might see this as a good thing. One could see trade secrets as a cumbersome, archaic body of law with difficult pleading requirements that is best supplanted by a simpler, surer regime of federal information protection, which is precisely what the CFAA’s (a)(2)(C) information-theft crime seems to do. Mark Lemley has argued that the requirement of secrecy, however, constitutes the essential core of trade secret law.[131] On his view, the secrecy requirement serves two policy goals: encouraging controlled disclosure of confidential information to spur innovation and resolve Arrow’s disclosure paradox between negotiating companies[132] and directing “inventors to the form of IP protection that best achieves the goal of society”[133] by channeling inventors between patent law and trade secrecy. But Lemley’s argument is a justification for the existence of trade secrets as against no protection at all; it gives little help in choosing between the current level of trade secret protection and the more absolute information protection offered by the CFAA. Moreover, generalized defenses of trade secret law are of less utility in the CFAA context, because CFAA claims parallel only the “faithless employee” type of traditional misappropriation claim, and so any defense must be similarly limited.
The crux of why trade secret law is better from a normative viewpoint than the CFAA lies in a second compromise embodied in trade secret law; in addition to accommodating both propertarian and morality-based approaches, it also strikes a balance between safeguarding business information and guaranteeing employee mobility.[134] The limitations on the definition of a trade secret ensure that an employer can’t prevent its employees from using, for instance, the skills they have learned on the job when going to work for a competitor or starting their own business, but it can stop them from using specific information that belongs to the employer, even if the employee took part in its creation.[135] According to the Restatement (Third) of Unfair Competition, “[t]here is a strong public interest in preserving the freedom of employees to market their talent and experience in order to earn a livelihood.”[136] Too little protection of business information could create the problem of “employee hold-up,” whereby an employee’s assertion of rights in information drastically raises the cost of a business using it.[137] Too much protection, however, and an employee leaving a firm might be forced out of an entire line of business at great personal cost, for fear of liability for using what they know.[138]
Dan Burk and Brett McDonnell have characterized IP law generally—and trade secret law specifically—as helping to resolve a second variant of Arrow’s disclosure paradox, this one between the firm and the employee.[139] If employees can’t be sure when they leave a firm which information is theirs and which belongs to the employer, they will never be able to compete in the labor market with 100% efficiency.[140] Burk and McDonnell posit that the protections of IP law serve to put employees on notice as to what information can’t be taken with them when they leave a firm.[141] The formal procedures of patent, copyright, and trademark law—alongside the “reasonable means to preserve secrecy” requirement of trade secret law—police the boundary between protected and unprotected information, and allow employees to effectively and efficiently compete in the labor market when they leave a firm without engaging in unfair competition against their former employer.
Concededly, Burk and McDonnell argue that trade secret law, with its less formalistic procedures and extremely wide subject-matter coverage, does not achieve this goal as well as the harder forms of IP.[142] Even if that is the case, however, how much less well would the CFAA police the boundary between employer and employee? At first blush, the statute’s requirement of unauthorized access might provide a very rough-and-ready way to differentiate between the two types of information: if access to the information requires authorization, it’s protected; if not, it’s not. But this argument proves too much: a firm may choose to put a list of the members of its board of directors on a password-protected server, but this does not make that list proprietary information that an employee may not use after leaving the company. And since the CFAA has no analogue to the UTSA’s ready ascertainability defense, a departing employee could indeed eventually be held liable for accessing such information, despite its public character.
But even this marginal value of the unauthorized access requirement as a method of putting employees on notice of what information is protected withers under the Shurgard/Citrin interpretation of the statute. If “access” can be rendered “unauthorized” long after the fact merely by use of the information that a court finds objectionable in the context of a lawsuit, the goal of achieving predictability for either employers or employees must be thrown hopelessly out the window. The CFAA fails utterly at resolving the disclosure paradox between the firm and the employer; under the Shurgard/Citrin interpretation it precludes the problem of employee hold-up by giving the employer the equivalent of a nuclear weapon.
In sum, while the CFAA covers much of the same territory as the UTSA, it does so in a manner that disserves the fundamental policy goals of trade secret protection. It resolves any conflict between the employer and employee in a ham-fisted manner that breaks all ties in favor of property rights and against employee mobility. The CFAA’s information-theft crime thus makes trade secret law virtually redundant.
III. THE JURISDICTIONAL PROBLEM: DIGITAL BOOTSTRAPPING
The second major problem with the CFAA in the trade secret context arises out of the first. Because the two bodies of law overlap, and a CFAA violation is so easy to make out in the context of a trade secret theft, those litigants who still plead a UTSA violation will be able to do so in federal court, even when the parties are not diverse. Under the supplemental jurisdiction statute,[143] a plaintiff who can make out a claim that gives rise to federal question jurisdiction[144] can ask the federal court to exercise subject-matter jurisdiction over state law claims that form “part of the same case or controversy” as the plaintiff’s federal claim.[145] Because the same allegedly wrongful act will frequently give rise to both CFAA and UTSA liability,[146] the plaintiff’s state-law trade secret claims will probably satisfy the initial supplemental jurisdiction requirements. Virtually all of the federal district court cases analyzed in this Article involved both a CFAA claim and a trade secret misappropriation claim, and many of them arose in the posture of a defendant’s motion to dismiss the federal claim and to force the plaintiff to bring the pendant trade secret claim in state court.[147]
There is nothing per se wrong with a litigation strategy that brings a pendant trade secret law claim into federal court on the back of a meritorious CFAA violation. The purpose of supplemental jurisdiction is to promote judicial economy by bringing all claims that form part of the same case or controversy before a single court for resolution.[148] If a CFAA claim is substantial enough to support federal question jurisdiction—and the fact that Congress put a private right of action in the statute argues strongly in the affirmative on that count[149]—why shouldn’t a pendant state-law trade secret claim be heard by the same court? This Part proposes two answers to this question: that such a use of the statute may contravene Congress’ intent and that it might damage key notions of federalism.
A. Congressional Intent
As the courts that have sided against the Shurgard/Citrin interpretation of the CFAA have pointed out, it is not at all clear that Congress intended the statute to sweep as broadly as it has come to in practice.[150] Legislative history on the various relevant portions of the Act is sparse at best, but what is there argues that—at the very least—Congress did not intend the “unauthorized access” provisions of the Act to apply to insiders, but rather to outside hackers. And one piece of evidence arising from the negative implications of the Economic Espionage Act of 1996 strongly argues that Congress did not intend for there to be a federal civil remedy for trade secret theft at all.
The Computer Fraud and Abuse Act was originally passed in 1984, primarily in response to the publication of a number of computer crime studies and an upsurge in media reports of juvenile computer hacking.[151] The Act was substantially amended in 1986, largely in response to criticisms from the Justice Department.[152] Neither the original statute nor the 1986 amended version contained a private right of action—the focus of the statute was originally on empowering law enforcement to prosecute computer hackers who might otherwise escape punishment.[153]
The addition of “exceeds unauthorized access” liability in the 1986 amendments, however, argues against the Shurgard/Citrin interpretation of the statute. Congress added the term “exceeds authorized access” as a basis of liability to replace the prior version’s use of the phrase “or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.”[154] The reason behind this change was to eliminate “one of the murkier grounds of liability, under which a [person’s] access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances that might be held to exceed his authorization.”[155] This change argues strongly against the Shurgard/Citrin interpretation of authorization, because that interpretation of authorization requires a court to look specifically at the purpose of the accesser in accessing the information to determine whether that access—as in Citrin—legally terminated the agency relationship. If the agent’s purpose in accessing the information at issue was impure, the agency relationship was terminated and the access was unauthorized.[156] But Congress in 1986 wanted to eliminate such a “murk[y]” ground of criminal liability from the statute. Therefore, the 1986 amendments counsel against a broad, legalistic interpretation of unauthorized access.[157]
The incorporation of the private right of action, unfortunately, did not come with a clear indication of its intended scope. Subsection (g) was originally added to the Act by the Violent Crime Control and Prevention Act of 1994.[158] Because of the omnibus nature of that legislation (the Public Law itself is over 300 pages long), contemporaneous legislative history is difficult to sift through. But four years earlier, the Senate Judiciary Committee approved the amendments that eventually found their way into the 1994 crime legislation, and published a report.[159] The report stresses the need to balance narrow regulation of computer misuse against the threat of over-legislating in a way that stifles legitimate experimentation in computer use.[160] The amendments made two jurisdictional changes to the statute: they added the private right of action and expanded the statute’s general reach beyond “federal interest computers”—to which it had previously been confined—and to all “protected computers” as defined by the current statute.[161] In support of this broadening of the statute’s reach, the report mentions several high-profile and destructive incidents of hacking, virus writing, and worm transmission, and points to America’s scientific and economic reliance upon interstate computer networks.[162]
The Senate Report gives short shrift to the addition of the private right of action to the statute. Other than a brief note that the private right of action is not intended to be used against government whistleblowers, the sum total of discussion of subsection (g) is:
The bill creates a new, civil remedy for those harmed by violations of the Computer Fraud and Abuse Act. This would boost the deterrence of the statute by allowing aggrieved individuals to obtain relief.[163]
Obviously, this sheds little light on Congress’ intent in adding a civil cause of action to the statute. But the language in the remainder of the report pointing to malicious computer hacking as the motivating force behind the statute further argues against a broad scope for the legislation.
The addition of the (a)(2)(C) information theft crime in 1996 also argues against broad liability for unauthorized use of information.[164] The Senate Judiciary Committee Report on the amendments[165] strongly hints that Congress’ intent behind the “unauthorized access-obtains information” crime was to catch outside hackers, rather than faithless employees. When addressing the information theft crime, most of the report simply parrots back the “unauthorized access” language of the statute itself. But at one point, when talking about the sentencing provisions, the report uses some telling language by referring to, “individuals who intentionally break into, or abuse their authority to use a computer and thereby obtain information . . . .”[166] The language used characterizes “exceeding authorized access” users as those who “abuse their authority to use a computer,” but it brands those who would fall under the “unauthorized access” prong as those who “intentionally break into” the computer at issue. This distinction implies that Congress intended the information theft crime to apply to outsiders, and undercuts the Shurgard/Citrin interpretation of the Act’s authorization requirement.
Perhaps the most telling piece of evidence that Congress did not intend the CFAA to apply to trade secret theft arises by negative implication. In 1996, Congress passed the Economic Espionage Act.[167] The Act makes it a federal crime to steal a trade secret related to a product that enters interstate or foreign commerce.[168] Its definition of “trade secret” by and large tracks the UTSA definition.[169] The House Report accompanying its passage notes again and again the great importance of trade secrets to the American economy, going so far as to equate threats to trade secrets with threats to America’s national security.[170] The Act empowers the Attorney General to initiate a civil proceeding to enjoin behavior that violates the statute,[171] so that the trade secret at issue may be protected in advance of the criminal prosecution.[172] And yet, for all that, the Act contains no private right of action, and does not support civil federal question jurisdiction.[173] If ever there had been a moment for Congress to extend the protection of federal law to the civil misappropriation of trade secrets, 1996 was it. Nevertheless, Congress chose not to rise to the bait. This lack of action in a context directly related to trade secret law argues against interpretations of the CFAA that force it to do what the drafters of the Economic Espionage Act chose not to do.
Overall, the legislative history of the CFAA does not categorically answer the question of whether Congress intended the Act to bring trade secret misappropriation claims into federal court on the back of CFAA violations. At best, the CFAA is a haphazard statute, which has been patched up again and again without much regard for its cumulative effects and implications.[174] But viewed as a whole, the legislative history at the very least argues against the Shurgard/Citrin interpretation of the statute, and gives the impression that the Act was intended to be only of modest scope.
B. Federalism Concerns
Allowing trade secret claims into federal court on the back of CFAA claims works one last harm, more theoretical but no less serious. One of the bedrock principles of the United States federal government is that it is one of limited and enumerated powers.[175] The limitations on federal courts laid out in Article III of the Constitution ensure that those courts do not invade the province of state law except when their jurisdictional prerequisites are met.[176] The strictures on federal court subject-matter jurisdiction are so tight that even when a case is patently frivolous on the merits, a federal court may not exercise jurisdiction to dismiss it without first examining its constitutional and statutory power to do so.[177]
The CFAA can provide a valid source of federal question jurisdiction, and when it is invoked by a plaintiff in the manner Congress intended, with sufficient allegations to survive a motion to dismiss, no federalism problem arises. Such a case fits into one of the limited categories in which a federal court may adjudicate a state law claim without offending our notions of federalism. If, on the other hand, a plaintiff pleads a skeleton CFAA claim—perhaps even alleging only Shurgard/Citrin-style unauthorized access—merely for the purpose of getting her trade secret misappropriation claim heard by a federal judge, then the state/federal balance so carefully preserved by the Founders in the Constitution may be threatened.
Implied preemption of state law under the Supremacy Clause[178] implicates similar federalism questions and values. To be clear: this Article does not argue that the CFAA preempts state trade secret law, nor that it should. In passing the CFAA Congress did not explicitly exercise its power under the Supremacy Clause to displace any state law. But the policy issues that arise both in implied preemption and in the nexus between the CFAA and trade secret law counsel courts and legislators to think long and hard about the balance between federal and state power. The basic assumption of courts in implied preemption cases is that “the historic police powers of the States [are] not to be superseded by [a] Federal Act unless that was the clear and manifest purpose of Congress.”[179] The Supreme Court, demonstrating what some have called an attitude of “New Federalism,”[180] has in its most recent implied preemption cases ruled against giving broad preemptive effect to federal statutes in the absence of an explicit preemption provision.[181] Congress in passing the CFAA made no “clear and manifest” statement that it intended in any way to affect state trade secret law. Trade secret law—as an exercise of the state police power—deserves the same presumption of validity and force outside the implied preemption arena, and courts should avoid interpreting the CFAA in a manner that undermines trade secret law’s basic policies.[182]
The Court, in fact, has recognized a canon of statutory construction that instructs courts to avoid interpreting federal statutes in a manner that treads too heavily upon state sovereignty and areas of state regulation.[183] In Gregory v. Ashcroft[184] and BFP v. Resolution Trust Corp.,[185] the Court, in essence, required that Congress, when it intended for a law to impact areas of state sovereignty or traditional state regulation, make a clear statement to that effect.[186] If, as argued above, Congress did not intend for the CFAA to significantly impact state trade secret law, courts could use this canon of statutory construction to police the boundaries between the federal and state spheres.[187]
As it currently exists, the CFAA poses a threat to the federal/state balance every bit as serious as the risk it poses to the balance between the employee and the employer in the substantive area. In order to safeguard federalism in the trade secret context, as well as to serve Congress’ intent and to prevent further burden on the federal court system, the jurisdictional problems the CFAA creates should be resolved—if not by Congress, then by the courts.
IV. TWO SOLUTIONS
The Computer Fraud and Abuse Act—abetted by loose language and overly-broad judicial interpretations—thus creates two significant problems. On the one hand, it occupies much the same space as trade secret law, but without that body of law’s policy-based protections and balancing mechanisms. On the other, it provides an easy way for claims—either entirely based upon the Act or upon a combination of the CFAA and trade secret law—to get into federal court, thus contravening Congress’ intent in passing it and damaging fundamental notions of federalism. This Part proposes two solutions. First, from the legislative side, Congress should amend the CFAA to strip out the information theft crime from the private right of action, or alternatively enact the more restrictive definition of “authorization.” Second, courts considering CFAA-based complaints should take a hard look at the plaintiff’s allegations to determine whether state trade secret law substantially predominates over the CFAA claim, and if so, these courts should dismiss the state law claims.
A. Fixing the Problems Legislatively
If Congress chooses to act to fix the two problems identified in this Article, it could do so in one of two ways. First, and most comprehensively, it could—and should—amend the statute to remove the (a)(2)(C) crime from the ambit of the private right of action. [188] If, however, Congress wishes to take a more modest approach, it could add a statutory definition of the term “authorization” that overturns the Shurgard/Citrin reading of the statute and reins in some of its greatest excesses.
1. Remove (a)(2)(C) from the Private Right of Action
In order to solve the problems set out thus far in this Article, Congress should amend the private right of action in the CFAA to exclude from its ambit the (a)(2)(C) information theft crime. The amended subsection should thus read:
Any person who suffers damage or loss by reason of a violation of this section, other than a violation of subsection (a)(2)(C), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
The added language removing (a)(2)(C) crimes appears in italics. This simple legislative action would completely prevent both problems this Article addresses. Without a civil cause of action for information theft from computers, companies whose faithless employees steal trade secrets—whether or not in violation of a legal duty of loyalty and whether or not they had technological access to the computer—will have to turn to the UTSA or common law trade secret misappropriation for relief. And with Congress clearly expressing its intent that (a)(2)(C) does not support federal question jurisdiction, those companies will take their claims where they belong: to state court.[189]
Removing (a)(2)(C) from the private right of action will also help re-focus the CFAA and serve the goals Congress intended in originally passing the statute. Congress initially passed the Act to combat hacking.[190] Subsequent amendments have increased its scope to encompass fraud, the creation of viruses and worms, and intentionally damaging a computer system.[191] Employee misappropriation of trade secrets does not cleanly fit into any of those categories, and removing it from the statute’s scope would it no way do violence to Congress’ intent. And as the Drew prosecution illustrates,[192] having a body of broad civil interpretations of the statute—interpretations adopted in a setting with a lower evidentiary burden and without the rule of lenity—can have worrisome consequences when prosecutors use those cases to further expand the reach of the statute in the criminal realm.[193]
Finally, this legislative approach is not without precedent in the history of the statute itself. When Congress amended the Act in 1994, it added both the private right of action and the (a)(5) computer damage crimes.[194] But that first version of subsection (g) excepted the (a)(5)(B) crimes—in essence, transmission of code in reckless disregard of a substantial risk that it will damage a computer—from the private right of action.[195] In fact, the new language this Article proposes for subsection (g) is modeled on that original version of the private right of action. The 1994 amendment also added to the statute subsection (h), which required the Attorney General and the Secretary of the Treasury to report to Congress on the enforcement of the (a)(5) crimes each of the first three years the statute was in effect.[196] At a minimum, this subsection indicates that Congress was unsure of the effect of the new transmission-based crimes, and so included two safety measures—it excepted them from the private right of action and required annual reports on their enforcement. So an approach that treats some of the substantive crimes differently with respect to civil causes of action is hardly unprecedented.
One consequence of removing (a)(2)(C) crimes from the private right of action, however, is that some plaintiffs harmed by (a)(2)(C) violations will be unable to obtain redress in the civil system. But this is not as serious a possibility as it might first appear. First, trade secret law will remain, and so when truly valuable secret information is stolen from a company in any way—not just through computer access—redress would remain available. If a company cannot prove that the information was a trade secret under the UTSA or common law, then it is simply not information that the law should protect. This is not a problem in trade secret law, so it is difficult to see why it would be a problem from the computer law perspective.
Second, the CFAA’s other computer crimes would remain viable as civil causes of action. So if information was stolen as part of an intentional act of fraud, a company could still sue under subsection (a)(4).[197] If the wrongful access of a company’s computer caused damage, for instance if a departing employee vandalized the company’s servers, the (a)(5) crimes would still provide a civil remedy.[198] If a company faced extortive threats that involved computer damage, they could still sue the perpetrator under (a)(7).[199] One thing that all these remaining crimes have in common is that they are all far more firmly tied to the congressional intent behind the Act—deterring hacking and computer misuse—than the information theft crime. Therefore, excepting (a)(2)(C) from the private right of action should not have a great effect on those meritorious CFAA claims that fall within Congress’ intent in originally passing the statute.
2. Define “Authorization” to Overturn Shurgard/Citrin
If Congress wished to repair some of the problems identified in this Article but did not want to go so far as to remove (a)(2)(C) from the private right of action, it could take a more moderate approach. Many of the greatest problems with the CFAA in the trade secret context stem from the Shurgard/Citrin line of cases that interpret the term “authorization” broadly to encompass improper use of information or access in violation of a legal duty of loyalty.[200] The sounder reading of the statute confines “unauthorized” access to that which bypasses a code-based technological or physical barrier to access of a computer system.[201] By a simple statutory addition, Congress could enshrine this interpretation and bind the courts to it. Such an amendment to subsection (e) of the statute could read:
(13) the term “authorization” means permitted physical access to a computer or code-based technological permission (such as a username and password) to use a computer, either in person or remotely.
This amendment would foreclose the Shurgard/Citrin argument that access that is authorized by a username and password becomes unauthorized as soon as the employee has an impure motive and thus violates a legal duty of loyalty to the employer.
In sum, Congress should take action to curtail broad applications of the CFAA that threaten to displace state trade secret law. Either it should except subsection (a)(2)(C) crimes from the CFAA’s private right of action, or should define authorization to eliminate the Shurgard/Citrin interpretation. By doing so, Congress could help restore the proper balance between state and federal law, between trade secret law and computer misuse statutes.
B. Judicial Solutions to the Problems
If, on the other hand, Congress fails to take action on this issue, it falls to the federal courts to ensure that the CFAA does not overly upset the balance between state and federal law. In order to do so, judges should reject the Shurgard/Citrin interpretation of unauthorized access and carefully examine CFAA-based complaints and exercise discretion to dismiss state-law trade secret claims under the supplemental jurisdiction statute.
1. Reject Shurgard/Citrin
As recounted above,[202] a number of district courts and the Seventh Circuit have embraced a broad, legalistic interpretation of when computer access is unauthorized. This interpretation broadens the scope of unauthorized access beyond just those users who do not have physical or technological access to the computer at issue and encompasses those whose motives for accessing the computer are somehow impure. But some courts have begun to reject that interpretation, and hold that access is only unauthorized when the accessing party has not been granted a user account, or similar code-based permission to use the computer system.[203]
Federal courts considering CFAA-based complaints should reject the Shurgard/Citrin interpretation of the statute, and embrace the technology-centric view of authorization. As noted above, the technological interpretation better comports with the available legislative history and other evidence of Congress’ intent in passing the Act.[204] But rejecting Shurgard/Citrin is also sound policy: doing so will route the most common trade secret-like CFAA claims—faithless employee misconduct claims—out of federal court and back into the state courts. It will also put the burden of maintaining data security on the same party with whom trade secret law places it: the employer. The employer is in the best position to determine who should and should not have access to its computer systems, and so the employer should bear the burden of determining who, for the purposes of the statute, has authorized access. If an employer fails to delete an employee’s user account and that employee uses the account to steal information, the employer shouldn’t be afforded a remedy beyond that already given by trade secret law, simply because the employee used a computer. If courts reject the Shurgard/Citrin interpretation of unauthorized access, they will go a long way toward returning the CFAA to the limited role that Congress intended for it.
As an added justification for rejecting the legalistic interpretation of authorization, courts might look to the in pari materia canon of statutory interpretation in order to avoid creating a conflict between the CFAA and the Economic Espionage Act. As discussed above,[205] the EEA makes trade secret theft a federal crime, but does not include a private right of action. The in pari materia canon instructs courts to interpret federal statutes in harmony with one another.[206] Thus, if the EEA refuses to provide a federal civil remedy for trade secret misappropriation, courts should not interpret the CFAA—a statute far less on-point to trade secret theft than the EEA—to do so.[207]
In short, whether a court chooses to reject the Shurgard/Citrin interpretation outright as a matter of the statute’s text and precedent, or as a consequence of an interpretation that is in harmony with the Economic Espionage Act, courts addressing CFAA violations should hold that access without authorization is only that which bypasses a code-based limitation on access to information in a computer system.
2. Use Supplemental Jurisdiction Discretion to Dismiss Trade Secret Claims
In addition to narrowly interpreting authorization, federal district judges have another very important tool empowering them to police the federal-state balance: the supplemental jurisdiction statute’s discretionary dismissal provisions. Section 1367(c) reads:
The district courts may decline to exercise supplemental jurisdiction over a claim under subsection (a) if:
(1) the claim raises a novel or complex issue of State law;
(2) the claim substantially predominates over the claim or claims over which the district court has original jurisdiction;
(3) the district court has dismissed all claims over which it has original jurisdiction; or
(4) in exceptional circumstances, there are other compelling reasons for declining jurisdiction.[208]
At the outset, if and when a court does dismiss a CFAA claim that is the sole basis for federal jurisdiction in an action, it should immediately dismiss the remaining trade secret claims under subsection (c)(3).[209] But even prior to dismissal, district courts must bear in mind that “pendant jurisdiction is a doctrine of discretion, and not of plaintiff’s right.”[210]
If the trade secret issue in a case is particularly thorny, courts should decline to exercise jurisdiction over it under 1367(c)(1). Most garden-variety state law claims—tort claims, contract disputes, etc.—will not raise novel issues of state law.[211] Trade secret law must constantly evolve to keep up with advancements in technology,[212] however, and that evolution should take place in state, rather than federal, courts. So if the factual questions underlying the trade secret issue in a CFAA-based case—or the application of trade secret law itself to those facts—are novel with respect to the state law, the federal court should dismiss the state law claims. Under section 1367, declining jurisdiction due to “exceptional circumstances” is warranted when supported by judicial economy, convenience, fairness to the parties, and whether all the claims would be expected to be tried together.[213] Such determinations must obviously be made on a case-by-case basis, but a judge should not shy away from declining to rule on complicated issues of trade secret misappropriation merely because the plaintiff has made out a bare-bones CFAA (a)(2)(C) claim for information theft.[214]
Finally, 1367(c)(2) gives judges leave to decline jurisdiction when pendant state law claims substantially predominate over federal claims granting subject-matter jurisdiction.[215] A state-law claim may substantially predominate over a federal one “in terms of proof, of the scope of the issues raised, or of the comprehensiveness of the remedy sought.”[216] A district court should dismiss under 1367(c)(2) when “a state claim constitutes the real body of the case, to which the federal claim is only an appendage—only where permitting litigation of all claims in the district court can accurately be described as allowing a federal tail to wag what is in substance a state dog.”[217] At least one federal court of appeals has found substantial predomination where a complex and important state-law regulatory scheme addresses the same conduct as a simpler, more straightforward federal statute.[218]
One federal district court, when confronted with a case involving a CFAA claim joined to at least nine state-law claims arising out of an employment relationship removed to federal court, elected to exercise 1367(c)(2) discretion to return the state claims to state court, but retain the CFAA claim in federal court.[219] The court first recognized that it had valid supplemental jurisdiction over the state-law claims based on 1367(a).[220] It noted, however, that the slim evidence required to prove the CFAA claim was dwarfed by the scope of the issues and proof required for the state claims, which included breach of contract and fiduciary duty, fraud, conversion, and a number of other theories.[221] Because of this evidentiary predomination, as well as to avoid unnecessarily deciding contested issues of state law,[222] the court exercised its discretion to remand the state claims to state court, while retaining jurisdiction over the federal CFAA claim.[223]
Section 1367(c)(2) provides a perfect vehicle for judges to smoke out cases in which the CFAA is nothing more than a federal computer-abuse tail wagging a state trade secret dog. As laid out above, the proof required in a CFAA (a)(2)(C) claim will almost always be significantly simpler and more straightforward than in a trade secret claim.[224] A trade secret law claim raises far more involved public policy issues and questions of commercial morality than does a CFAA information theft claim.[225] And the remedies provided for in the UTSA are both more certain and more comprehensive than the underdeveloped remedy provisions in CFAA subsection (g).[226] Therefore, in many cases, a judge may have—under section 1367(c)(2)—the discretion to sever state law trade secret claims from federal civil suits under the CFAA.
Both Congress and the courts have the power to fix some or all of the problems that arise when trade secret law meets the CFAA. The legislative solutions are cleaner, surer, and will result in substantially less litigation. But Congress moves slowly. In the absence of legislative action, courts must bear the burden of policing the boundaries between computer misuse and trade secret misappropriation, and their discretion under the supplemental jurisdiction statute provides them the perfect tool with which to do so.
CONCLUSION
Over the years, trade secret law has proven both resourceful and flexible as it has been called upon to deal with the ever-increasing pace of technological development in American society. But with the passage of the Computer Fraud and Abuse Act in 1984, the addition of a private right of action in 1994, and the broadening of the information theft crime in 2008, technology may have finally overtaken it.
The CFAA creates two major problems for trade secret law, one substantive and one jurisdictional. Both could be solved either by Congress amending the statute to except the information theft crime from the private right of action, or by federal judges declining to exercise supplemental jurisdiction over state law trade secret claims appended to CFAA claims.
* Law Clerk to the Honorable David M. Ebel, U.S. Court of Appeals for the Tenth Circuit, 2009-2010; J.D., University of Minnesota Law School; M.F.A., American Repertory Theatre/Moscow Art Theatre School Institute for Advanced Theatre Training at Harvard University; B.A., Vanderbilt University. The author thanks William McGeveran, Orin Kerr, Jeffrey P. Justman, Randall Kahnke, Kerry Bundy, and, as always, Amy Brenton. © Kyle W. Brenton, 2009.
[1] See United States v. Drew, No. 08-00582 (C.D. Cal. May 15, 2008); Jennifer Steinhauer, Verdict in MySpace Suicide Case, N.Y. Times, Nov. 27, 2008, at A25 (“A federal jury here issued what legal experts said was the country’s first cyberbullying verdict on Wednesday, convicting a Missouri woman of three misdemeanor charges of computer fraud for her involvement in creating a phony account on MySpace to trick a teenager, who later committed suicide.”).
[2] 18 U.S.C. § 1030. This Article will refer to the Computer Fraud and Abuse Act throughout as either “the CFAA” or “the Act.”
[3] See Dodd S. Griffith, Note, The Computer Fraud and Abuse Act of 1986: A Measured Response to a Growing Problem, 43 Vand. L. Rev. 460–61 (1990).
[4] 18 U.S.C. § 1030(g).
[5] See The MySpace Suicide Indictment—And Why It Should Be Dismissed, posting of Orin S. Kerr to The Volokh Conspiracy, http://volokh.com/posts/1210889188.shtml (May 15, 2008 18:06).
[6] See Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003).
[7] See, e.g., U.S. Dept’t of Comm., A Nation Online: How Americans Are Expanding Their Use of the Internet 59–66 (2002) available at http://www.ntia.doc.gov/ntiahome/dn/Nation_Online.pdf; U.S. Dep’t of Lab., Generating Productivity Growth: A Review of the Role of Workplace Practices and Computers (1996); Timothy F. Bresnahan et al., Information Technology, Workplace Organization, and the Demand for Skilled Labor: Firm-Level Evidence, 117 Q.J. Econ. 339 (2002); Seumas Miller & John Weckert, Privacy, the Workplace, and the Internet, 28 J. Bus. Ethics 255 (2000); David Hakken, Computing and Social Change: New Technology and Workplace Transformation, 1980–1990, 22 Ann. Rev. of Anthropology 107 (1993).
[8] See, e.g., Press Release, Administration’s Annual IP Report: IP Related Prosecutions Up, Focus on Health and Safety Redoubled, U.S. Dep’t of Commerce, Feb. 11, 2008, at 1, available at http://www.stopfakes.gov/pdf/NIPLECC_Report_Press_Release.pdf (quoting Bush Administration Secretary of Commerce Gutierrez as saying “[c]reativity and innovation are the lifeblood of the American economy, and intellectual property protection is vital to ensure our economic health now and for the future.”).
[9] See id. at 2.
[10] See infra Part I.A.
[11] See infra Part II.A.1.
[12] See id.
[13] See 18 U.S.C. § 1030(a)(2)(C); (g); infra Part I.
[14] See infra Part I.B.
[15] 28 U.S.C. § 1367
[16] Id.
[17] One notable exception is Dan E. Lawrence, Comment, Just Add Plaintiff: The Seventh Circuit’s Recipe for Instant Liability Under the Computer Fraud and Abuse Act, 46 Washburn L.J. 223 (2006). Lawrence’s Comment is a critical evaluation of Judge Posner’s construction of the term “transmission” in the Act in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). For more about Citrin, see infra Part I.C.1. The Act’s civil dimensions have also been explored in the employment and labor law context. See Richard Warner, The Employer’s New Weapon: Employee Liability Under the Computer Fraud and Abuse Act, 12 Employee Rts. & Employment Pol’y J. 11 (2008). Finally, one commentator has noted the use of the CFAA in the trade secret context in an article arguing that Congress should add a private right of action to the Economic Espionage Act of 1996 (of which see more infra Part II.B.1.). See R. Mark Halligan, Protection of U.S. Trade Secret Assets: Critical Amendments to the Economic Espionage Act of 1996, 7 John Marshall Rev. of Intellectual Prop. L. 656, 673–75 (2008).
[18] See, e.g., Michael R. Levinson & Christopher E. Paetsch, The Computer Fraud and Abuse Act: A Powerful New Way to Protect Information, 20 No. 3 IP L. Newsletter 24 (2002) (“The CFAA has already been applied broadly enough to suggest that it will become a mainstay of civil litigation over information misuse. . . . [It] may have started as a defense against hackers, but it will end up being used much more broadly.”).
[19] See, e.g., R. Mark Halligan & Deanna R. Swits, Trade Secrets Litigation in the U.S. Federal Courts Using the CFAA, posting to The Trade Secrets Vault, available at http://www.tradesecretsblog.info/2008/04/trade_secrets_litigation_in_th.html (Apr. 29, 2008, 21:49) (noting “the increasingly common practice of litigating trade secret disputes in the U.S. federal courts in conjunction with claims under the U.S. Computer Fraud and Abuse Act”); CFAA Provides Federal Jurisdiction in Employment Matters Involving Theft of Computerized Data, Fulcrum Inquiry, http://www.fulcruminquiry.com/Theft_of_Computer_Data.htm (May 2006) (“Because CFAA’s focus is not on the information or type of data stolen but instead on abuse of a computer system to obtain that information, employers can bring CFAA claims without proving the information wrongfully accessed was a trade secret, constituted confidential or proprietary information, or breached an employment, confidentiality, or noncompete agreement.”).
[20] See, e.g., Levinson & Paetsch, supra note 18.
[21] See infra Part II.A.2.
[22] See infra Part II.B.1.
[23] 18 U.S.C. § 1030(a)(2)(C), establishing liability for obtaining information through unauthorized access of a computer. See infra Part I.A.
[24] See 28 U.S.C. § 1367(c); infra Part III.B.2.
[25] Most of those prohibitions are also triggered by “access exceeding authorization,” a concept addressed infra in Part I.B.
[26] See generally Kerr, supra note 6.
[27] 18 U.S.C. § 1030(e)(2)(B). The definition goes on to include computers outside the United States affecting U.S. commerce, but although troubling, an analysis of the extraterritorial application of the statute is beyond the scope of this Article. See Carrie Greenplate, Comment, Of Protection and Sovereignty: Applying the Computer Fraud and Abuse Act Extraterritorially to Protect Embedded Software Outsourced to China, 57 Amer. U. L. Rev. 129 (2007)
[28] The use of any Internet-based program—such as accessing a web site via a browser or sending an email—is guaranteed to have an effect in at least one other state, given the fact that the servers that make up the Internet are disseminated all over the world, and the server that hosts any given user’s email account is very likely to be in a different state than that user. See generally Internet, Wikipedia: The Free Encyclopedia, available at http://en.wikipedia.org/wiki/Internet (last visited Dec. 15, 2008).
[29] See Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1032 (N.D. Ill. 2008) (“[A] computer that provides access to worldwide communications through applications accessible through the internet qualifies as a protected computer.”).
[30] Subsection (a)(1) prohibits unauthorized access to a computer whereby the accesser obtains classified information with the intent to injure the United States. This subsection is aimed at cyber-espionage, and subsection (d)(2) of the Act reserves primary authority for the investigation of violations of (a)(1) to the FBI. Second, subsection (a)(3) of the statute prohibits unauthorized access to any nonpublic United States government computer.
[31] Subsection (a)(4) prohibits unauthorized access of a protected computer in furtherance of intentional fraud, when the accessor obtains anything of value, other than the use of the computer itself. It is not at all uncommon to find this subsection pleaded alongside the more problematic (from a trade secret perspective) information theft provision in trade secret misappropriation cases. See, e.g., Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008). However, because this subsection requires a more rigorous showing than the information theft provision—(a)(4) requires that a plaintiff prove both intent to defraud and the value of the computer use, while (a)(2)(C) imposes no such burden—this Article will focus on the latter. The remaining fraud-like provisions are (a)(6), which bans trafficking in passwords “though which a computer may be accessed without authorization,” and (a)(7), which criminalizes the extortion of money via threats to damage or steal information from a computer.
[32] Subsection (a)(5)(A) prohibits the transmission of “a program, information, code, or command” that intentionally causes damage to a protected computer. Subsection (a)(5)(B) penalizes intentional unauthorized access that recklessly causes damage to the computer, and subsection (a)(5)(C) prohibits intentional unauthorized access that—regardless of the accesser’s intent—causes damage and loss, as defined by the statute.
[33] See 18 U.S.C. § 1030(a)(2)(A) & (B).
[34] 18 U.S.C. § 1030(a)(2)(C).
[35] 18 U.S.C. § 1030(a)(2)(C) (2001 ver.) (emphasis added).
[36] Pub. L. 110-326, 112 Stat. 3560, Title II, § 203 (2008). The full provision was entitled the Former Vice President Protection Act, as the identity theft provisions that had been passed by the Senate were added to a bill that the House had already approved.
[37] See 18 U.S.C. § 1030(i) & (j).
[38] See Brian Krebs, New Federal Law Targets ID Theft, Cybercrime, posting to Security Fix, Wash. Post Online, http://voices.washingtonpost.com/securityfix/2008/10/new_federal_law_targets_id_the.html (Oct. 1, 2008, 16:33).
[39] See Pub. L. 110-326, 112 Stat. 3560, Title II, § 203 (2008).
[40] Press Release, Office of Senator Patrick Leahy, Leahy-Authored Anti-Cybercrime Provisions Set to Become Law, available at http://leahy.senate.gov/press/200809/091508b.html (Sept. 15, 2008).
[41] 18 U.S.C. § 1030(g).
[42] See Theofel v. Farey-Jones, 359 F.3d 1066, 1078 n.5 (9th Cir. 2004) (“Defendants argue that subsection (a)(5)(A) prescribes the Act’s only civil offenses. But subsection (g) applies to any violation of ‘this section’ and, while the offense must involve one of the five factors in (a)(5)(B), it need not be one of the three offenses in (a)(5)(A).”) (referring to prior version numbering).
[43] See id. at 1078 (“Individuals other than the computer’s owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it.”).
[44] The remaining factors apply to impairment of medical diagnosis and treatment (subclause II), physical injury to a person (subclause III), public health or safety threats (subclause IV), damage to U.S. government computers (subclause V), and conduct that damages 10 or more computers during a 1-year period (subclause VI).
[45] Cf. 28 U.S.C. § 1332(a).
[46] See Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1341 n.17 (N.D. Ga. 2007) (“[T]he plaintiff would have to prove, by a preponderance of the evidence, the same elements required to prove a criminal violation of the CFAA to recover in a civil action.”).
[47] 18 U.S.C. § 1030(g). It is worth pointing out that the Act’s private right of action limits damages in (c)(4)(A)(i)(I) cases—i.e. $5,000 loss cases—to economic damages. On the face of the subsection, however, that limitation does not limit injunctive or equitable relief, since it limits only damages, and not all remedies. One could, perhaps, argue that (c)(4)(A)(i)(I) actions do not allow for injunctive or other equitable relief, but if that argument has been made in court, it has not made it to any reported case, and the plain statutory language weighs against it.
[48] Indeed, an entire Article has been written about some of these terms. See Kerr, supra note 6.
[49] See supra Part I.A.
[50] 18 U.S.C. § 1030(e)(6).
[51] 119 F. Supp. 2d 1121 (W.D. Wa. 2000)
[52] 440 F.3d 418 (7th Cir. 2006).
[53] See Shurgard, 119 F. Supp. 2d at 1123
[54] See Citrin, 440 F.3d at 419. Citrin’s installation and use of this program, according to Judge Posner, constituted damage to the computer, and so IAC also brought a claim under the CFAA’s computer-damage crimes, in subsection (a)(5). See id.
[55] Restatement (Second) of Agency § 112 (1958) (quoted in Shurgard, 119 F. Supp. 2d at 1125).
[56] 390 F. Supp. 2d 479 (D. Md. 2005).
[57] See id. at 495–96 (citing S. Rep. No. 101-544, at 4–5 (1990) (noting that the private right of action was added to the CFAA to help combat computer transmission of viruses and worms) & S. Rep. No. 99-432, at 4, 1986 U.S.C.C.A.N. 2479, 2482 (noting that “the CFAA was not intended to be a ‘sweeping . . . [Federal] statute,’ but rather ‘aimed at deterring and punishing certain “high-tech” crimes’”)).
[58] Werner-Masuda, 390 F. Supp. 2d at 499.
[59] Id.
[60] See Kerr, supra note 6, at 1648–60. This interpretation of the statute also arguably better accommodates the second kind of prohibited access: access exceeding authorization. According to the technology-focused view, when a company segments the data on its computers and gives an employee legitimate access to some, but not all of that information, and the employee uses their account to gain information not cleared for their account, that access “exceeds authorization.” See, e.g., Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D. Ga. 2007). The legalistic school can only account for the distinction between unauthorized access and access that exceeds existing authorization by calling it “paper thin . . . but not quite invisible” and closely parsing the intended use of the information vis-à-vis the terms of the employment agreement. Int’l Airport Ctrs. L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006).
[61] See, e.g., Lockheed Martin Corp. v. Speed, 81 U.S.P.Q.2d 1669, 2006 WL 2683058 (M.D. Fla. 2006); Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008); U.S. Bioservices Corp. v. Lugo, No. 08-2432-JWL, ___ F. Supp. 2d ____, 2009 WL 151577 (D. Kan. Jan. 21, 2009); Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing, and Consulting LLC, No. 4:08CV01683, 2009 WL 151687 (E.D. Mo. Jan. 22, 2009); Bridal Expo, Inc. v. Van Florenstein, No. CIV-A 4:08-CV03777, 2009 WL 255862 (S.D. Tex. Feb. 3, 2009).
[62] See, e.g., Calyon v. Mizuho Securities, Inc., No. 07 Civ. 2241 (RO), 2007 WL 2618658 (S.D.N.Y. Sept. 5, 2007); Sam’s Wines & Liquors, Inc. v. Hartig, No. 08 C 570, 2008 WL 4394962 (N.D. Ill. Sept. 24, 2008); TEKSystems, Inc. v. Modis, Inc., No. 08 C 5476, 2008 WL 5155720 (N.D. Ill. Dec. 5, 2008).
[63] The definition of “damage” was added to the statute in 1996—two years after the private right of action was added. See Pub. L. 104-294, 110 Stat. 3491 (1996). The definition of “loss” was added in 2001 as part of the USA Patriot Act, Pub. L. 107-56, 115 Stat. 366 (2001).
[64] 18 U.S.C. § 1030(e)(8).
[65] 18 U.S.C. § 1030(e)(11).
[66] See, e.g., B&B Microscopes v. Armogida, 532 F. Supp. 2d 744, 758 (W.D. Pa. 2007) (finding that deletion that makes data unavailable to the plaintiff is damage within the statutory definition).
[67] Of course, as noted above a subsection (a)(2)(C) violation does not require statutory damage, and the private right of action requires only “damage or loss,” so this question is not essential in the (a)(2)(C) context. If, however, loss of trade secret status is considered statutory damage, then misappropriators could also face liability under the (a)(5) damage-based offenses, and so the question merits some discussion here.
[68] George S. May International Co. v. Hostetler, No. 04 C 1606, 2004 WL 1197395 (N.D. Ill. May 28, 2004); see also Therapeutic Research Facility v. NBTY, Inc., 488 F. Supp. 2d 991, 996 (E.D. Cal. 2007) (holding that unauthorized access plus disclosure “may constitute an impairment to the integrity of data or information even though no data was physically changed or erased”) (internal quotation marks omitted).
[69] See, e.g., Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 710 (N.D. Ill. 2008) (“Though Garelli Wong would like us to believe that [the CFAA applies] to cases where a trade secret has been misappropriated through the use of a computer, we do not believe that such conduct alone can show ‘impairment to the integrity or availability of data, a program, a system, or information.’”).
[70] 319 F. Supp. 2d 468 (S.D.N.Y. 2004).
[71] Id. at 476–77.
[72] Id.
[73] Id. at 477.
[74] Id.
[75] That such expenditures do not count toward the jurisdictional threshold, however, does not answer the question of whether they might nonetheless be compensable under the Act. That question is addressed infra Part II.A.3.
[76] See generally sources cited supra note 7.
[77] See supra Part I.A.
[78] See infra Part III.
[79] Misappropriation of trade secrets was included in the original Restatement of Torts. See Restatement of Torts §§ 757–59 (1939). When the ALI began work on the second Restatement of Torts, the decision was made to abandon trade secrets, because it had become a species of law separate from pure tort law. See James Pooley, Trade Secrets § 2.02[1] (1998). In 1995, the reporters of the unfair competition Restatement added a section addressing trade secret law. See Restatement (Third) of Unfair Competition §§ 39–45 (1995).
[80] Forty-five states, the District of Columbia, and the U.S. Virgin Islands have adopted some version of the UTSA. See A Few Facts About the Uniform Trade Secrets Act, Nat’l Conf. of Comm’rs on Unif. State L., http://www.nccusl.org/Update/uniformact_factsheets/uniformacts-fs-utsa.asp (last visited Dec. 16, 2008). There are two versions of the Act: the original 1979 version and the 1985 amended version. Both versions are still in use in various states, but the differences between them are not material to this Article.
[81] But see Christopher Rebel J. Pace, The Case for a Federal Trade Secrets Act, 8 Harv. J. L. & Tech. 427, 442–48 (1995) (arguing that variations in the states’ trade secret regimes require a uniform federal law of trade secret misappropriation).
[82] See Pooley, supra note 79, at § 1.02[8].
[83] See, e.g., Electro-Craft Corp. v. Controlled Motion, Inc., 322 N.W.2d 890, 897 (Minn. 1983) (“Without a proven trade secret there can be no action for misappropriation, even if defendants’ actions were wrongful.”).
[84] Unif. Trade Secrets Act § 1(4).
[85] See Pooley, supra note 79, at § 2.04[2].
[86] See, e.g., Buffets, Inc. v. Klinke, 73 F.3d 965, 968–69 (9th Cir. 1996) (affirming summary judgment where plaintiff failed to prove that their recipes gained any economic value from their secrecy).
[87] See Pooley, supra note 79, at § 4.05.
[88] See Jonathan J. Lerner, Nicholas Stevens, & Richard T. Welch, The Strange Defense of Reverse Engineerability in Trade Secret Cases, and Gaps in the Law of Unfair Competition, 250-FEB N.J. Lawyer 20, 21 (2008).
[89] See E.I. DuPont deNemours & Co. v. Christopher, 431 F.2d 1012, 1016 (5th Cir. 1970) (“[W]e need not require the discoverer of a trade secret to guard against the unanticipated, the undetectable, or the unpreventable methods of espionage now available . . . .”).
[90] See William Lynch Schaller, Jumping Ship: Legal Issues Related to Employee Mobility in High Technology Industries, 17 Lab. Lawyer 25, 85–86 (2001) (“[The CFAA] could prove especially potent, as the federal statute at issue in Shurgard Storage Centers appears to apply to any information, not just trade secrets.”).
[91] See supra note 36 and accompanying text.
[92] See Paul S. Chan & John K. Rubiner, Access Denied: Claims Brought Under the CFAA Have a Less Daunting Burden of Proof than That Required by the Trade Secrets Act, 28-FEB Los Angeles Lawyer 22 (2006) (“[A] plaintiff suing under the CFAA is frequently in control of all facts needed to establish the violation.”).
[93] See Pooley, supra note 79, at § 2.03[3].
[94] Unif. Trade Secrets Act § 1(2).
[95] Id. at § 1(1).
[96] Id. at cmt. (citing E.I. DuPont deNemours & Co. v. Christopher, 431 F.2d 1012 (5th Cir. 1970) (affirming liability where defendant engaged in otherwise legal aerial photography of competitor’s plant while it was under construction)).
[97] Restatement (Third) of Unfair Competition § 43, cmt. c.
[98] See supra Part I.C.1.
[99] See supra notes 56–62 and accompanying text.
[100] See Unif. Trade Secrets Act § 1(1)(ii).
[101] 18 U.S.C. § 1030(g) (emphasis added).
[102] See, e.g., Calence, LLC v. Dimension Data Holdings, No. C06-0262RSM, 2007 WL 1549495, at *6 (W.D. Wash., May 24, 2007) (granting summary judgment in favor of new employer in the absence of evidence that defendant directed faithless employee to access plaintiff’s system and take information); Butera & Andrews v. Int’l Bus. Mach. Corp., 456 F. Supp. 2d 104, 113 (D.D.C. 2006) (dismissing claim against new employer in the absence of a showing of intentional conduct on the part of the employer); Role Models Am., Inc. v. Jones, 305 F. Supp. 2d 564, 567–68 (D. Md. 2004) (dismissing claim where violator was not acting as an agent of defendant new employer). But see Contract Assocs. Office Interiors, Inc. v. Ruiter, No. CIV S-07-0334 WBS EFB, 2008 WL 2225702, at *2 (E.D. Cal., May 29, 2008) (denying summary judgment on CFAA claim against new employer where a genuine issue of material fact existed as to whether faithless employee was acting as an agent of the new employer when she violated the Act).
[103] See Unif. Trade Secrets Act § 3(a).
[104] See id. at § 3(b). Punitive damages are limited to double the amount of compensatory damages. See id.
[105] See id. at § 4.
[106] Id. at § 2(a).
[107] See id. at § 3(a).
[108] See id. at § 2(b).
[109] 18 U.S.C. § 1030(g).
[110] See supra note 47.
[111] See, e.g., Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 709–11 (N.D. Ill. 2008).
[112] Compare Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 562–63 (2d Cir. 2006) (requiring economic loss to stem directly from an interruption in service to be compensable under the CFAA) with Creative Computing v. GetLoaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) (holding that damages for loss of business and business goodwill are compensable as “economic damages” under the statute).
[113] 18 U.S.C. § 1030(g) (emphasis added).
[114] See supra Part I.C.2.
[115] See Frees, Inc. v. McMillan, No. 05-1979, 2007 WL 2264457, at *4–6 (W.D. La. Aug. 6, 2007).
[116] See id. at *5. The court noted that by using the term “compensatory damages,” Congress excluded exemplary or punitive damages from the scope of the statute. See id.
[117] See id.
[118] See id. at *6.
[119] Id.
[120] And in most companies, the bill to clean up a security breach will very likely surpass $5,000 quickly. See Chan & Rubiner, supra note 92 (noting that the cost of remediation will almost always be greater than the jurisdictional amount).
[121] See Pooley, supra note 79, at § 1.02.
[122] See generally id. at § 1.02[8].
[123] See, e.g., Servo Corp. v. General Electric Corp., 393 F.2d 551, 555 (4th Cir. 1968) (“The gravamen in a trade secrets case is a breach of confidence, rather than an infringement of a property right . . . .”).
[124] See, e.g., Peabody v. Norfolk, 98 Mass. 452, 458 (1868) (“[If one] invents or discovers, and keeps secret, a process of manufacture, . . . he has a property in it, which a court of chancery will protect . . . .”).
[125] See supra Part II.A.1.
[126] See Restatement (Second) of Torts § 158.
[127] See Patricia L. Bellia, Paul Schiff Berman, & David G. Post, Cyberlaw: Problems of Policy and Jurisprudence in the Information Age 27–47 (2d ed. 2003).
[128] See generally Dan L. Burk, The Trouble with Trespass, 4 J. of Small & Emerging Bus. L. 27 (2000).
[129] See, e.g., Chicago Lock Co. v. Fanberg, 676 F.2d 400, 404 (9th Cir. 1982) (“The starting point in every case of this sort is . . . whether, in fact, there was a trade secret to be misappropriated.”).
[130] See supra notes 90–92 and accompanying text.
[131] See Mark A. Lemley, The Surprising Virtues of Treading Trade Secrets as IP Rights, 61 Stan. L. Rev. 311, 342–48 (2008).
[132] By, for example, assuring companies that they may share sensitive information while negotiating with other firms without that information losing its protected character. This use of trade secret law resolves Kenneth Arrow’s disclosure paradox, whereby the seller of secret information can never obtain its full value, because the buyer cannot be assured of the information’s value without disclosure, and disclosure destroys that value. See id. at 336–37.
[133] Id. at 341.
[134] See Pooley, supra note 79, at § 1.02 [6].
[135] See id.
[136] Restatement (Third) of Unfair Competition, § 42, cmt. b.
[137] See Dan L. Burk, Intellectual Property and the Firm, 71 U. Chi. L. Rev. 3, 9 (2004).
[138] See Katherine V.W. Stone, Knowledge at Work: Disputes Over the Ownership of Human Capital in the Changing Workplace, 34 Conn. L. Rev. 721, 742 (2002).
[139] See Dan L. Burk & Brett H. McDonnell, The Goldilocks Hypothesis: Balancing Intellectual Property Rights at the Boundary of the Firm, 2007 U. Ill. L. Rev. 575, 592 (2007).
[140] See id.
[141] See id.
[142] See Burk & McDonnell, supra note 139, at 592–93; Burk, supra note 137, at 9–11.
[143] 28 U.S.C. § 1367.
[144] 28 U.S.C. § 1331.
[145] 28 U.S.C. § 1367(a).
[146] See supra Part II.A.1.
[147] See, e.g., Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 711 (N.D. Ill. 2008) (dismissing CFAA claim and pendant state law claims); Int’l Assoc. of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 499–500 (D. Md. 2005) (same).
[148] See United Mine Workers of Amer. v. Gibbs, 383 U.S. 715, 725 (1966).
[149] Cf. Merrell Dow Pharm., Inc. v. Thompson, 478 U.S. 804, 812 (1986) (rejecting claim that the Food Drug & Cosmetic Act could support federal question jurisdiction, in part due to the lack of a private right of action in the statute).
[150] See supra notes 56–61 and accompanying text.
[151] See Griffith, supra note 3, at 459–60.
[152] See id. at 474.
[153] See id. at 473.
[154] S. Rep. No. 99-432, at 9, 1986 U.S.C.C.A.N. 2479, 2486 (1986).
[155] Id. at 21, 1986 U.S.C.C.A.N. at 2494–95.
[156] See supra notes 51–55 and accompanying text.
[157] See Int’l Assn. of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 499 n.12 (D. Md. 2005).
[158] Pub. L. 103-322, 108 Stat. 2097, Title XXIX, § 290001 (1994). Significantly, this original version of subsection (g) specifically excepted what was then subsection (a)(5)(B) crimes—the transmission-based crimes—from the scope of the private right of action. See id. The 1994 amendments added those (a)(5)(B) crimes for the first time.
[159] The Computer Abuse Amendments of 1990, S. Rep. 101-544 (1990).
[160] Id.
[161] See id.
[162] See id.
[163] Id.
[164] Pub. L. 104-94, 110 Stat. 3488, § 201 (1996).
[165] The National Information Infrastructure Protection Act of 1995, S. Rep. 104-357 (1996).
[166] Id. at 8.
[167] 18 U.S.C. §§ 1831 et seq.
[168] 18 U.S.C. § 1832.
[169] 18 U.S.C. § 1839(3).
[170] H.R. Rep. 104-788, at 4, 1996 U.S.C.C.A.N. 4021, 4022–23 (1996).
[171] 18 U.S.C. § 1836.
[172] See H.R. Rep. 104-788, at 4, 1996 U.S.C.C.A.N. 4021, 4022 (1996).
[173] See, e.g., Pisani v. VanIderstine, No. CA 07 187S, 2007 WL 2319844, at *3 (D.R.I. Aug. 9, 2007) (“[A] private citizen has no federal cause of action for trade secret misappropriation under the Economic Espionage Act.”).
[174] Witness, as a case in point, the 2008 amendments. Congress removed the interstate communication requirement from (a)(2)(C) without for a moment considering what effect that might have on civil cases under the Act. See supra notes 36–40 and accompanying text.
[175] See Marbury v. Madison, 1 Cranch (5 U.S.) 137 (1803).
[176] See U.S. Const. art III, § 2; Mansfield, Coldwater & Lake Mich. Ry. Co. v. Swan, 111 U.S. 379 (1884).
[177] See Steel Co. v. Citizens for a Better Environment, 523 U.S. 83 (1998).
[178] U.S. Const. art. VI, cl. 2.
[179] Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947).
[180] See Allison H. Eid, Preemption and the Federalism Five, 37 Rutgers L.J. 1, 7–8 (2005) (arguing, pre-Altria and Wyeth, that the new federalism had not yet reached the area of preemption).
[181] See Wyeth v. Levine, 129 S. Ct. 1187 (2009) (rejecting argument that state-law failure-to-warn tort claims were preempted by FDA labeling requirements); Altria Group, Inc. v. Good, 129 S. Ct. 538 (2008) (denying preemptive effect to the Federal Cigarette Labeling and Advertising Act). It is notable, however, that in both the recent preemption decisions the Justices in the majority were not the “Federalism Five” identified in Eid, supra note 180.
[182] See supra notes 121–142 and accompanying text.
[183] See Felix Frankfurter, Some Reflections on the Reading of Statutes, 47 Colum. L. Rev. 527, 540 (1947) (“[W]hen the Federal Government . . . radically readjusts the balance of state and national authority, those charged with the duty of legislating [should be] reasonably explicit . . . .”).
[184] 501 U.S. 452 (1991).
[185] 511 U.S. 531 (1994).
[186] See Phillip P. Frickey, Revisiting the Revival of Theory in Statutory Interpretation: A Lecture in Honor of Irving Younger, 84 Minn. L. Rev. 199, 211–12 (1999). Concededly, a core element of Justice O’Connor’s opinion in Gregory was that applying the ADEA to state-court judges would impinge on “the heart of representative government,” an area that trade secret law likely does not lie within. Gregory, 501 U.S. at 463. But Justice Scalia’s extension of the federalism canon in BFP brings it far closer to the realm of ordinary tort law—the Justice argued that “the essential sovereign interest in the security and stability of title to land” sufficed to invoke the canon. BFP, 511 U.S. at 545 n.8. See also Rapanos v. United States, 547 U.S. 715, 737 (2006) (plurality op. of Scalia, J.) (citing BFP to reject a broad interpretation of the Clean Water Act).
[187] See Jenna Bednar & William N. Eskridge, Jr., Steadying the Court’s “Unsteady Path”: A Theory of Judicial Enforcement of Federalism, 68 S. Cal. L. Rev. 1447, 1458–60 (1995) (noting that while the Court’s opinions in Gregory and BFP don’t necessarily require courts to police the boundary, the cases’ logic implicitly permits them to do so).
[188] Before diving in, however, a brief digression may be in order. As the Lori Drew prosecution mentioned at the beginning of this Article reveals, the interaction between the civil justice system and the CFAA has the potential to create many more—and possibly greater—problems than just the two examined in this Article. In a perfect world, the true solution to all of these problems may be to scrap the private right of action from the Act altogether. At the very least, a credible argument could be made that the private right of action is more trouble than it is worth. That argument, however, is for another day and another Article. This one shall continue with a tight focus on solving the problems that the CFAA creates for trade secret law.
[189] That is, of course, assuming that they cannot fulfill the requirements of the diversity jurisdiction statute. See 28 U.S.C. § 1332. Diversity jurisdiction cases, however, implicate a host of different federalism-based policy concerns, and those issues are beyond the scope of this Article. See, e.g., David Marcus, Erie, the Class Action Fairness Act, and Some Federalism Implications of Diversity Jurisdiction, 48 Wm. & Mary L. Rev. 1247 (2007).
[190] See supra note 151 and accompanying text.
[191] See supra notes 154–159 and accompanying text.
[192] See supra note 1 and accompanying text.
[193] See Kerr, supra note 6, at 1598–99.
[194] See supra note 158 and accompanying text.
[195] See 18 U.S.C. § 1030(g) (1994 ver.).
[196] See 18 U.S.C. § 1030(h) (1994 ver.).
[197] See supra Part I.A.
[198] See id.
[199] See id.
[200] See supra notes 51–62 and accompanying text.
[201] See Kerr, supra note 6, at 1648–60.
[202] See supra Part I.C.1.
[203] See supra notes 56–62 and accompanying text.
[204] See supra notes 150–174 and accompanying text.
[205] See supra notes 167–173 and accompanying text.
[206] See William N. Eskridge, Public Values in Statutory Interpretation, 137 U. Pa. L. Rev. 1007, 1039–40 (1989) (“Where a federal law is similar to (in pari material with) another federal law, the Court will presumptively interpret the former law consistently with the other . . . .”). I am indebted to Orin Kerr for pointing out this avenue for solving the problem.
[207] While the in pari materia canon most often applies in circumstances in which statutes actually incorporate language similar or identical to other statutes, see Eskridge, supra note 206, courts have applied its spirit where the objects of two statutes are similar. See, e.g.. Dowling v. United States, 473 U.S. 207, 217–18 (1985) (refusing to apply the National Stolen Property Act to copyright infringement because of the difference between tangible property and the intangible rights created by Copyright Act); United States v. LaMacchia, 871 F. Supp. 535, 544–45 (D. Mass. 1994) (dismissing wire fraud indictment for posting copyright-protected software online for download, where the Copyright Act would not have imposed criminal liability).
[208] 28 U.S.C. § 1367(c).
[209] See, e.g., Garelli Wong & Assocs., Inc. v. Nichols, 551 F. Supp. 2d 704, 711 (N.D. Ill. 2008) (dismissing pendant state law claims after dismissing CFAA claim); Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 500 (D. Md. 2005) (same).
[210] United Mine Workers of Amer. v. Gibbs, 383 U.S. 715, 726 (1966)
[211] See Parker v. Scrap Metal Processors, Inc., 468 F.3d 733, 743–44 (11th Cir. 2006).
[212] See Pooley, supra note 79, at § 1.02[1]. Trade secret law is particularly well-suited to keep pace with technology, as opposed to other areas of law. Cf. Kyle W. Brenton, Note, BONGHiTS4JESUS.com? Scrutinizing Public School Authority over Student Cyberspeech Through the Lens of Personal Jurisdiction, 92 Minn. L. Rev. 1206 (2008).
[213] See Parker, 468 F.3d at 745–47.
[214] Additionally, if a case is pending in state court involving the same factual situation and issues as a federal CFAA claim, a court may consider dismissing the action based on the abstention doctrine of Colorado River Water Conservation Dist. v. United States, 424 U.S. 800 (1976). See, e.g., H&R Block Tax Services, Inc. v. Rivera-Alicea, 570 F. Supp. 2d 255, 265–69 (D.P.R. 2008) (dismissing CFAA claim under Colorado River where a parallel claim was pending in the Puerto Rico Commonwealth Court).
[215] 28 U.S.C. § 1367(c)(2).
[216] See Gibbs, 383 U.S. at 726–27 (laying out federal common law factors that have been interpreted as applying to later supplemental jurisdiction statute).
[217] Borough of W. Mifflin v. Lancaster, 45 F.3d 780, 789 (3d Cir. 1995) (quoting in part Gibbs, 383 U.S. at 727) (internal quotation marks omitted).
[218] See De Ascenscio v. Tyson Foods, Inc., 342 F.3d 301, 310 (3d Cir. 2003) (reversing district court grant of class certification over state-law wage regulation issue, where plaintiffs based federal jurisdiction on the Fair Labor Standards Act).
[219] See Contemporary Services Corp. v. Hartmann, No. 08-02967 AHM (JWJx), 2008 WL 3049891, at *5 (C.D. Cal. Aug. 4, 2008).
[220] See id. at *2.
[221] See id. at *3–4.
[222] Cf. Gibbs, 383 U.S. at 726 (“Needless decisions of state law should be avoided both as a matter of comity and to promote justice between the parties, by procuring for them a surer-footed reading of applicable law.”).
[223] See Contemporary Services, 2008 WL 3049891, at *5.
[224] See supra notes 79–101 and accompanying text.
[225] See supra notes 121–129 and accompanying text.
[226] See supra notes 103–120 and accompanying text.