From April 2003 to May 2004, Bonnie Werner-Masuda served as the Secretary-Treasurer for a local lodge of the International Association of Machinists and Aerospace Workers (IAM). In her capacity as an officer, Werner-Masuda was granted access to IAM’s secure, proprietary website (“VLodge”) on which she could view IAM’s confidential membership list. In order to obtain a user identification number and password, Werner-Masuda signed a registration agreement which stated that she would not use the information provided through VLodge for any purpose contrary to the IAM constitution.
In August 2004, IAM filed a lawsuit in the U.S. District Court for the District of Maryland against Werner-Masuda and an entity recently created to challenge IAM’s union representation of certain flight attendants. Among other things, IAM claimed that Werner-Masuda used her access to VLodge to identify and recruit IAM members for the purpose of organizing a rival union. To support this claim, IAM alleged that Werner-Masuda’s identification number was used to click on the VLodge member search tool approximately 10,000 times between March and May 2004 in order to search the names and addresses of members in four different IAM local lodges targeted by the defendants. IAM’s complaint stated that this access violated the federal Stored Communications Act (SCA) and the federal Computer Fraud and Abuse Act (CFAA) because it exceeded Werner-Masuda’s authorization under the registration agreement she had signed.
Werner-Masuda and the rival union filed a motion to dismiss these claims, arguing that Werner-Masuda was authorized to access and obtain IAM’s membership list by virtue of her status as an IAM officer. Because both the SCA and the CFAA require that a violator access a computer either without authorization or in excess of authorization, the defendants claimed that Werner-Masuda had not violated either federal statute.
After analyzing the case law and legislative history related to the SCA and the CFAA, the court reasoned that although Werner-Masuda may have breached her registration agreement with IAM by using the information for unauthorized or illegitimate purposes, such a breach does not imply that her access of the information was therefore unauthorized or in excess of her authorization. Therefore, the court granted the defendants’ motion to dismiss the SCA and CFAA claims.
The court explicitly contrasted its holding with Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000). Presented with a fact pattern similar to the present case, the court in Shurgard denied the defendant’s motion to dismiss, finding that the plaintiff’s former employees violated the CFAA because they “lost their authorization” when they became agents of the defendant and accessed the plaintiff’s proprietary information. Id. at 1125.
Not surprisingly, the difference in outcomes between Shurgard and the present case may be attributed to the difference in authorities cited by the two courts. In determining the scope of the CFAA, the court in Shurgard examined the Senate report accompanying Congress’s 1996 amendments to the CFAA, and concluded that the terms of the statute had “broad meaning” and were intended to cover the situation under dispute. Id. at 1129.
But in the present case, the Maryland District Court relied heavily on the 1986 Senate report accompanying the CFAA, as well as a previous ruling in its district that was based primarily on the Senate report accompanying the SCA (Educational Testing Service v. Stanley H. Kaplan, Educational Center., Ltd., 965 F. Supp. 731 (D. Md. 1997)). For this reason, and because the CFAA and the SCA are criminal statutes that must be construed narrowly, the Maryland District Court concluded that Werner-Masuda did not violate the CFAA or the SCA.