Case: Estes Forwarding Worldwide LLC v. Cuellar, (E.D. Va. Mar. 09, 2017)

Holding: The U.S. District Court for the Eastern District of Virginia denied former employee’s motion to dismiss finding that employer sufficiently plead facts to assert violations of Computer Fraud and Abuse Act and the Stored Communications Act.

Employment Counsel: State and Federal laws protect computer and other electronically stored information from unauthorized computer access.  Employers must establish, maintain, and monitor employee access to such electronic databases and ensure that at termination of employment, access is terminated.  Further, employment agreements should specifically identify post-employment restrictions to any employment related electronically stored information. Finally, there are numerous state and federal laws protecting trade secrets and electronically stored information.  Employers should be aware of such laws and utilize them to protect their confidential information.

Case Summary:  In 2010, Marcelo Cuellar, the defendant, began working for the plaintiff, Estes Forwarding Worldwide LLC (“EFW”) in its San Francisco operations unit.  As part of his employment, Cuellar created a Google Drive account (“the account”) that he and other EFW employees used to record daily company transactions.  EFW considered these recordings to be trade secrets. In February 2015, EFW fired Cuellar. He subsequently went to work for a competitor. However, a year after his termination, Cuellar accessed the EFW account, downloaded information from it, and changed its password. Google notified EFW about the unauthorized access, which then prompted EFW to pursue a costly investigation to discover the identity of the unauthorized user.

Upon discovering that the user was Cuellar, EFW filed a complaint against him alleging eight (8) causes of action, including: (1) breach of contract (confidentiality agreement); (2) violations of the Computer Fraud and Abuse Act (“CFAA”); (3) violation of the Defend Trade Secrets Act of 2016; (4) violation of the Stored Communications Act; (5) misappropriation of trade secrets pursuant to VA Code Ann. §§59.1-336; (6) violation of Virginia Computer Crimes Act; and (7) seeking preliminary and permanent injunction.

Cueller filed a motion to dismiss challenging the CFAA and SCA causes of action.  

The court held that in order to establish that Cuellar violated the CFAA and the SCA, EFW had to show that Cuellar’s use of the Google account that he helped create was unauthorized or exceeded his authorization. Cuellar argued that his access to the account was authorized because when a person provides personal information to create an account with Google, it is the service provider, not the employer, who grants authorization for account access. The court, however, pointed out that Cuellar created the account while “acting in the course and scope of his employment and for the benefit of EFW, not for personal use.”  It then pointed to the Fourth Circuit’s reasoning that a person “exceeds authorized access” when “he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.” Since the account was not Cuellar’s personal account, but rather created in the scope of his employment and used for EFW’s benefit, the court reasoned that Cuellar’s access to it post-employment was unauthorized.

For additional information about unauthorized computer access, and about this case or other employment law matters, please contact Merritt Green at mgreen@gcpc.com or (703)556-6505.  Mr. Green leads General Counsel, P.C.’s Employment Law Practice and has been representing employers (and occasionally employees) for over 19 years.